WAN path control – FortiOS 6.2

WAN path control

Performance SLA – link monitoring

Performance SLA link monitoring measures the health of the links connected to SD-WAN member interfaces by sending probes through each link to a detection server and rating link quality by latency, jitter, and packet loss. If a link is detected as down, the routes on that link are removed and traffic is routed over the remaining links. When the link recovers, the routes are re-enabled. This prevents traffic from being sent into a broken link and lost.

In this example:

  • Interfaces wan1 and wan2 connect to the internet through separate ISPs
  • The detection server IP address is 208.91.114.182

A performance SLA is created so that, if one link fails, its routes are removed and traffic is detoured to the other link.

To configure a Performance SLA using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Go to Network > Performance SLA.
  3. Click Create New. The Performance SLA page opens.
  4. Enter a name for the SLA and select a protocol.
  5. In the Server field, enter the detection server IP address (208.91.114.182 in this example).
  6. In the Participants field, select both wan1 and wan2.
  7. Configure the remaining settings as needed, then click OK.

To configure a Performance SLA using the CLI:

config system virtual-wan-link
    config health-check
        edit "server"
            set server "208.91.114.182"
            set update-static-route enable
            set members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys virtual-wan-link health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0

Performance SLA – SLA targets

SLA targets are a set of constraints that are used in SD-WAN rules to control the paths that traffic takes.

The available constraints are:

  • Latency threshold: Latency for the SLA to make a decision, in milliseconds (0 – 10000000, default = 5).
  • Jitter threshold: Jitter for the SLA to make a decision, in milliseconds (0 – 10000000, default = 5).
  • Packet loss threshold: Packet loss for the SLA to make a decision, in percent (0 – 100, default = 0).

To configure Performance SLA targets using the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Go to Network > Performance SLA.
  3. Create a new Performance SLA or edit an existing one. See Performance SLA – link monitoring on page 114.
  4. Under SLA Targets, click the plus icon to add a target.
  5. Turn on or off the required constraints, and set their values.
  6. Configure the remaining settings as needed, then click OK.

To configure Performance SLA targets using the CLI:

config system virtual-wan-link
    config health-check
        edit "server"
            set server "208.91.114.182"
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 10
                    set jitter-threshold 10
                    set packetloss-threshold 1
                next
            end
        next
    end
end

The link-cost-factor variable is used to select which constraints are enabled.
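The following Python script is an added worked example, not FortiOS code and not part of the original guide. It applies SLA targets to health-check samples the way the text above describes (only the constraints named in link-cost-factor are checked, a dead link never passes) and produces the sla_map bitmap that diagnose sys virtual-wan-link health-check prints. The class and function names, the sample measurements (latency and jitter copied from the google health-check output later on this page, targets 2 and 3 invented for the example), the bit layout of sla_map (bit id-1 for target id, so target 1 is 0x1) and the at-or-below threshold comparison are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class HealthSample:
    """One line of `diagnose sys virtual-wan-link health-check` for a member."""
    seq: int            # SD-WAN member sequence number
    alive: bool         # state(alive) / state(dead)
    packet_loss: float  # percent
    latency: float      # milliseconds
    jitter: float       # milliseconds


@dataclass
class SlaTarget:
    """One `config sla` entry under a health-check, with the defaults from the page."""
    id: int
    link_cost_factor: tuple = ("latency", "jitter", "packet-loss")  # enabled constraints
    latency_threshold: float = 5.0
    jitter_threshold: float = 5.0
    packetloss_threshold: float = 0.0


def meets_target(sample: HealthSample, target: SlaTarget) -> bool:
    """True when every enabled constraint is within its threshold.

    A dead link never meets an SLA. Assumption for this example: a measurement
    exactly at the threshold still passes (the page does not say which side fails).
    """
    if not sample.alive:
        return False
    checks = {
        "latency": sample.latency <= target.latency_threshold,
        "jitter": sample.jitter <= target.jitter_threshold,
        "packet-loss": sample.packet_loss <= target.packetloss_threshold,
    }
    return all(checks[factor] for factor in target.link_cost_factor)


def sla_map(sample: HealthSample, targets: list) -> int:
    """Bitmap of SLA targets met, modelled on the sla_map field in diagnose output:
    bit (id - 1) is set for each target id that passes, so target 1 alone -> 0x1."""
    result = 0
    for target in targets:
        if meets_target(sample, target):
            result |= 1 << (target.id - 1)
    return result


# Constructed sample data, shaped like the google health-check output on this page.
SAMPLES = [
    HealthSample(seq=1, alive=True, packet_loss=0.0, latency=14.563, jitter=4.334),
    HealthSample(seq=2, alive=True, packet_loss=0.0, latency=12.633, jitter=6.265),
]
TARGETS = [
    SlaTarget(id=1, latency_threshold=10, jitter_threshold=5),      # the page's target 1
    SlaTarget(id=2, latency_threshold=20, jitter_threshold=10, packetloss_threshold=1),
    SlaTarget(id=3, link_cost_factor=("packet-loss",)),             # invented: loss only
]


def report(samples=SAMPLES, targets=TARGETS) -> dict:
    """Map member seq -> sla_map, the per-member summary an SD-WAN rule consults."""
    return {s.seq: sla_map(s, targets) for s in samples}


if __name__ == "__main__":
    for seq, bitmap in report().items():
        print(f"Seq({seq}): sla_map={bitmap:#x}")
```

With the page's measurements neither member passes target 1 (wan1 exceeds the 10 ms latency threshold, wan2 exceeds the 5 ms jitter threshold), so both end up with sla_map=0x6: targets 2 and 3 met, target 1 not.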

SD-WAN rules – best quality

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • Auto (auto): Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules – lowest cost (SLA) on page 119.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules – maximize bandwidth (SLA) on page 121.

When using Best Quality mode, SD-WAN will choose the best link to forward traffic by comparing the link-cost-factor, selected from one of the following:

GUI               CLI               Description
Latency           latency           Select a link based on latency.
Jitter            jitter            Select a link based on jitter.
Packet Loss       packet-loss       Select a link based on packet loss.
Downstream        inbandwidth       Select a link based on available bandwidth of incoming traffic.
Upstream          outbandwidth      Select a link based on available bandwidth of outgoing traffic.
Bandwidth         bibandwidth       Select a link based on available bandwidth of bidirectional traffic.
custom-profile-1  custom-profile-1  Select a link based on a customized profile. If selected, set the following weights:
                                    • packet-loss-weight: Coefficient of packet loss.
                                    • latency-weight: Coefficient of latency.
                                    • jitter-weight: Coefficient of jitter.
                                    • bandwidth-weight: Coefficient of the reciprocal of available bidirectional bandwidth.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and you want Gmail services to use the link with the least latency.

To configure an SD-WAN rule to use Best Quality:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Create a new Performance SLA named google. See Performance SLA – link monitoring on page 114.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:
Field Setting
Internet Service Google-Gmail
Strategy Best Quality
Interface preference wan1 and wan2
Measured SLA google (created in step 2).
Quality criteria Latency
  7. Click OK to create the rule.

To configure an SD-WAN rule to use priority (Best Quality) using the CLI:

config system virtual-wan-link
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode priority
            set internet-service enable
            set internet-service-id 65646
            set health-check "google"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1):
TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), health-check(google)
Members:
1: Seq_num(2), alive, latency: 12.633, selected
2: Seq_num(1), alive, latency: 14.563, selected
Internet Service: Google-Gmail(65646)

As wan2 has the lower latency, SD-WAN puts Seq_num(2) above Seq_num(1), and wan2 is used to forward Gmail traffic.
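The following Python script is an added worked example, not FortiOS code and not part of the original guide. It ranks members the way a Best Quality rule does for each link-cost-factor in the table above, including the weighted custom-profile-1 formula, and reproduces the Seq_num(2)-before-Seq_num(1) ordering from the diagnose output. The class and function names are invented; latency and jitter come from the page's google health-check, while the bandwidth figures, the sign convention for bandwidth factors (more available bandwidth ranks first) and the handling of a zero bandwidth are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class MemberStats:
    """Per-member measurements that a Best Quality (mode priority) rule compares."""
    seq: int
    alive: bool
    latency: float        # ms
    jitter: float         # ms
    packet_loss: float    # percent
    inbandwidth: float    # available downstream bandwidth, kbps (constructed)
    outbandwidth: float   # available upstream bandwidth, kbps (constructed)


@dataclass
class CustomProfile:
    """Weights for link-cost-factor custom-profile-1, named after the page's table."""
    packet_loss_weight: float = 0.0
    latency_weight: float = 0.0
    jitter_weight: float = 0.0
    bandwidth_weight: float = 0.0   # multiplies 1 / available bidirectional bandwidth


def link_cost(m: MemberStats, factor: str, profile: CustomProfile = None) -> float:
    """Cost of a member under one link-cost-factor; lower is better.

    Bandwidth factors are negated so that more available bandwidth sorts first.
    """
    if factor == "latency":
        return m.latency
    if factor == "jitter":
        return m.jitter
    if factor == "packet-loss":
        return m.packet_loss
    if factor == "inbandwidth":
        return -m.inbandwidth
    if factor == "outbandwidth":
        return -m.outbandwidth
    if factor == "bibandwidth":
        return -(m.inbandwidth + m.outbandwidth)
    if factor == "custom-profile-1":
        if profile is None:
            raise ValueError("custom-profile-1 needs a CustomProfile")
        bi = m.inbandwidth + m.outbandwidth
        if profile.bandwidth_weight == 0:
            bandwidth_term = 0.0
        else:  # assumption: no available bandwidth is treated as infinitely expensive
            bandwidth_term = profile.bandwidth_weight / bi if bi > 0 else float("inf")
        return (profile.packet_loss_weight * m.packet_loss
                + profile.latency_weight * m.latency
                + profile.jitter_weight * m.jitter
                + bandwidth_term)
    raise ValueError(f"unknown link-cost-factor {factor!r}")


def rank_members(members, factor, profile=None):
    """Alive members ordered best-first, like the Members list in
    `diagnose sys virtual-wan-link service`. sorted() is stable, so equal costs
    keep priority-members order; dead members are excluded entirely."""
    alive = [m for m in members if m.alive]
    return sorted(alive, key=lambda m: link_cost(m, factor, profile))


def select_member(members, factor, profile=None):
    """Sequence number of the member that forwards new sessions, or None if all are dead."""
    ranked = rank_members(members, factor, profile)
    return ranked[0].seq if ranked else None


# Constructed data: latency and jitter from the page's google health-check,
# bandwidth figures invented for the example.
MEMBERS = [
    MemberStats(seq=1, alive=True, latency=14.563, jitter=4.334, packet_loss=0.0,
                inbandwidth=50000, outbandwidth=10000),   # wan1
    MemberStats(seq=2, alive=True, latency=12.633, jitter=6.265, packet_loss=0.0,
                inbandwidth=20000, outbandwidth=20000),   # wan2
]

if __name__ == "__main__":
    for factor in ("latency", "jitter", "bibandwidth"):
        print(factor, "->", [m.seq for m in rank_members(MEMBERS, factor)])
    weighted = CustomProfile(latency_weight=1.0, jitter_weight=2.0)
    print("custom-profile-1 ->", select_member(MEMBERS, "custom-profile-1", weighted))
```

Note that the same two links rank differently under different factors: wan2 wins on latency, wan1 on jitter, and a custom profile that weights jitter twice as heavily as latency also prefers wan1. Pick the factor that matches what the application actually suffers from.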

SD-WAN rules – lowest cost (SLA)

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • Auto (auto): Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules – best quality on page 116.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules – maximize bandwidth (SLA) on page 121.

When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN chooses the lowest cost link that satisfies the SLA to forward traffic.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link quality must meet a standard of latency: 10ms, and jitter: 5ms.

To configure an SD-WAN rule to use Lowest Cost (SLA):

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10 ms and Jitter threshold = 5 ms. See Performance SLA – link monitoring on page 114.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:
Field Setting
Internet Service Google-Gmail
Strategy Lowest Cost (SLA)
Interface preference wan1 and wan2
Required SLA target google#1 (created in step 2).
  7. Click OK to create the rule.

To configure an SD-WAN rule to use sla (Lowest Cost) using the CLI:

config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
            set cost 10
        next
        edit 2
            set interface "wan2"
            set cost 5
        next
    end
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode sla
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Members:
1: Seq_num(2), alive, sla(0x1), cfg_order(1), selected
2: Seq_num(1), alive, sla(0x1), cfg_order(0), selected
Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic uses only wan2, the lower-cost link. If only wan1 meets the SLA requirements, Gmail traffic uses only wan1, even though it has a higher cost. If neither interface meets the requirements, wan2 is used.

If both interfaces had the same cost and both met the SLA requirements, the first link configured in set priority-members would be used.
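The following Python script is an added worked example, not FortiOS code and not part of the original guide. It models the member choice of a Lowest Cost (SLA) rule exactly as the two paragraphs above describe it: in-SLA members first, ordered by cost, equal costs broken by priority-members order (the cfg_order field in the diagnose output), and a fall-back to the cheapest alive member when nothing meets the SLA. The class and function names are invented; the costs (wan1 = 10, wan2 = 5) and the per-member SLA results are the page's example, while the extra dead-link cases are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One SD-WAN member as a Lowest Cost (SLA) rule sees it."""
    seq: int        # member sequence number
    alive: bool     # health-check state
    cost: int       # `set cost` under config members
    sla_ok: bool    # required SLA target met, shown as sla(0x1) by diagnose


def candidates(priority_members):
    """Members in the order the rule will use them.

    priority_members is in `set priority-members` order (cfg_order 0, 1, ...).
    In-SLA members are preferred and ordered by cost. If none meets the SLA the
    rule still matches and falls back to all alive members ordered by cost,
    which is why the page's example lands on wan2 when neither link is in SLA.
    sorted() is stable, so equal costs keep priority-members order.
    """
    alive = [m for m in priority_members if m.alive]
    in_sla = [m for m in alive if m.sla_ok]
    pool = in_sla if in_sla else alive
    return sorted(pool, key=lambda m: m.cost)


def selected_seq(priority_members):
    """Sequence number of the member that carries new sessions, or None if all are dead."""
    ranked = candidates(priority_members)
    return ranked[0].seq if ranked else None


def scenario(wan1_ok: bool, wan2_ok: bool, wan1_alive: bool = True, wan2_alive: bool = True):
    """The page's example: wan1 (seq 1, cost 10) and wan2 (seq 2, cost 5)."""
    members = [
        Member(seq=1, alive=wan1_alive, cost=10, sla_ok=wan1_ok),
        Member(seq=2, alive=wan2_alive, cost=5, sla_ok=wan2_ok),
    ]
    return selected_seq(members)


if __name__ == "__main__":
    print("both in SLA      ->", scenario(True, True))     # wan2, the cheaper link
    print("only wan1 in SLA ->", scenario(True, False))    # wan1, despite its cost
    print("neither in SLA   ->", scenario(False, False))   # wan2, cheapest fallback
```

The fallback case deserves attention when you design the rule: traffic that must not cross a link which is out of SLA (for example, because the lowest-cost link is an untrusted broadband path) needs a following rule or a different strategy, because a Lowest Cost (SLA) rule keeps matching even when no member meets its target.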

SD-WAN rules – maximize bandwidth (SLA)

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • Auto (auto): Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules – best quality on page 116.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules – lowest cost (SLA) on page 119.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm.

When using Maximize Bandwidth mode (load-balance in the CLI), SD-WAN uses all of the links that satisfy the SLA to forward traffic, distributing sessions with a round-robin load balancing algorithm.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. You want to configure Gmail services to use both interfaces, but the link quality must meet a standard of latency: 10 ms and jitter: 5 ms. This maximizes bandwidth usage.

To configure an SD-WAN rule to use Maximize Bandwidth (SLA):

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105 for details.
  2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10 ms and Jitter threshold = 5 ms. See Performance SLA – link monitoring on page 114.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:
Field Setting
Internet Service Google-Gmail
Strategy Maximize Bandwidth (SLA)
Interface preference wan1 and wan2
Required SLA target google#1 (created in step 2).
  7. Click OK to create the rule.

To configure an SD-WAN rule to use load-balance (Maximize Bandwidth) using the CLI:

config system virtual-wan-link
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode load-balance
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

To diagnose the performance SLA status:

FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
Members:
1: Seq_num(1), alive, sla(0x1), num of pass(1), selected
2: Seq_num(2), alive, sla(0x1), num of pass(1), selected
Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will use both wan1 and wan2. If only one of the interfaces meets the SLA requirements, Gmail traffic will only use that interface.

If neither interface meets the requirements, the rule is not matched and the traffic is evaluated against the following rules. If no rule matches, the traffic is still processed by the implicit rule algorithm; see Implicit rule on page 110.
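The following Python script is an added worked example, not FortiOS code and not part of the original guide. It models a Maximize Bandwidth (SLA) rule spreading new sessions round-robin over the alive, in-SLA members, and the rule-table behaviour described above: when no member meets the SLA the rule does not match and the next rule is tried, with the implicit rule as the last resort. The class and function names are invented; the gmail rule over wan1 (seq 1) and wan2 (seq 2) is the page's example, while the manual catch-all rule, the treatment of a manual rule whose members are all dead as "not matched", and the implicit rule's choice (passed in rather than computed, because its algorithm is not on this page) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Member:
    seq: int        # member sequence number
    alive: bool     # health-check state
    sla_ok: bool    # required SLA target met


class LoadBalanceRule:
    """Maximize Bandwidth (SLA): round-robin over alive, in-SLA members.

    The turn counter stands in for the "num of pass" field in diagnose output.
    """

    def __init__(self, name, priority_members):
        self.name = name
        self.members = priority_members
        self.turn = 0

    def eligible(self):
        return [m for m in self.members if m.alive and m.sla_ok]

    def choose(self):
        """Member seq for a new session, or None when the rule does not match."""
        pool = self.eligible()
        if not pool:
            return None
        member = pool[self.turn % len(pool)]
        self.turn += 1
        return member.seq


class ManualRule:
    """Manual strategy (assumed model): first alive member in preference order."""

    def __init__(self, name, priority_members):
        self.name = name
        self.members = priority_members

    def choose(self):
        for m in self.members:
            if m.alive:
                return m.seq
        return None


def route_session(rules, implicit_seq):
    """Walk the rule table top-down; a rule whose choose() returns None is skipped.

    implicit_seq is what the implicit rule would pick (supplied by the caller;
    the implicit rule's own algorithm is not modelled here).
    """
    for rule in rules:
        seq = rule.choose()
        if seq is not None:
            return rule.name, seq
    return "implicit", implicit_seq


def route_sessions(rules, count, implicit_seq):
    """(rule name, member seq) for each of `count` new sessions, in order."""
    return [route_session(rules, implicit_seq) for _ in range(count)]


def build_rules(wan1_ok, wan2_ok, wan1_alive=True, wan2_alive=True):
    """The page's gmail rule over wan1 (seq 1) and wan2 (seq 2), followed by a
    constructed manual catch-all that prefers wan1."""
    members = [Member(1, wan1_alive, wan1_ok), Member(2, wan2_alive, wan2_ok)]
    return [LoadBalanceRule("gmail", members), ManualRule("catch-all", members)]


if __name__ == "__main__":
    print(route_sessions(build_rules(True, True), 4, implicit_seq=1))    # alternates 1, 2, 1, 2
    print(route_sessions(build_rules(True, False), 2, implicit_seq=1))   # wan1 only
    print(route_sessions(build_rules(False, False), 2, implicit_seq=1))  # falls to catch-all
```

Because the rule drops out of the table entirely when no member is in SLA, whatever rule sits below it decides where that traffic goes; leaving that to the implicit rule is a common surprise during troubleshooting, so check the order of the rule table as well as the health-check state.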

MPLS (SIP and backup) + DIA (cloud apps)

This topic covers a typical customer usage scenario where the customer’s SD-WAN has two members: MPLS and DIA. DIA is mostly used for direct Internet access to Internet applications, for example, Office365, Google applications, Amazon, Dropbox, etc. MPLS is mostly used for SIP and works as a backup when DIA is not working.

Sample topology

Sample configuration

This sample configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will use MPLS.

To configure an SD-WAN rule to use SIP and DIA using the GUI:

  1. On the FortiGate, enable SD-WAN and add the two WAN interfaces (MPLS and DIA in this example) as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105.
  2. When you add the firewall policy, enable Application Control.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as SIP.
  6. Click the Application box to display the popup dialog box, then select the applicable SIP applications.
  7. For Strategy, select Manual.
  8. For Interface preference, select MPLS.
  9. Click OK.
  10. Click Create New to create another rule.
  11. Enter a name for the rule, such as Internet.
  12. Click the Address box to display the popup dialog box and select all.
  13. For Strategy, select Manual.
  14. For Interface preference, select DIA.
  15. Click OK.

To configure the firewall policy using the CLI:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set application-list "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

To configure an SD-WAN rule to use SIP and DIA using the CLI:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "MPLS"
            set gateway x.x.x.x
        next
        edit 2
            set interface "DIA"
            set gateway x.x.x.x
        next
    end
    config service
        edit 1
            set name "SIP"
            set member 1
            set internet-service enable
            set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
        next
        edit 2
            set name "Internet"
            set input-device "dmz"
            set member 2
            set dst "all"
        next
    end
end

All SIP traffic uses MPLS. All other traffic goes to DIA. If DIA is down, the traffic uses MPLS. If you run SIP traffic over a VPN instead of MPLS, configure a VPN interface (for example, vpn1) and set the interface of SD-WAN member 1 to vpn1 instead of MPLS.

To use the diagnose command to check performance SLA status using the CLI:

FGT_A (root) # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(1), alive, selected
Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)

FGT_A (root) # diagnose sys virtual-wan-link service 2
Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(2), alive, selected
Dst address: 0.0.0.0-255.255.255.255

FGT_A (root) # diagnose sys virtual-wan-link internet-service-app-ctrl-list
Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
