Performance SLA

Monitor member health:
- State: Alive or dead
- Performance:
  - Packet loss, latency and jitter
  - SLA targets: Minimum performance requirements
Health can be measured
- Actively: based on periodic probes sent to configured servers
- Passively: based on member traffic
Configuration: SD-WAN templates > Performance SLA
CLI:

config system sdwan
  config health-check
    edit "Level3_DNS"
        set probe-packets enable
        set addr-mode ipv4
        set server "4.2.2.1" "4.2.2.2"
        set detect-mode active
        set protocol ping
        set interval 500
        set failtime 5
        set recoverytime 5
        set update-cascade-interface enable
        set update-static-route enable
        set members 1 2
        config sla
        edit 1
            set lnik-cost-factor latency
            set latency-threshold 50
        next
        end
    next
  end

Active Monitoring

Periodic probes sent to target servers to determine a member
- State: alive or dead: initial state alive
- Performance: packet loss, latency, and jitter: Used by SD-WAN rules
Probes
- Supported IPv4 protocols
  - General purpose: ping, TCP echo, UDP echo, TWAMP, and TCP connect
  - Application Specific: HTTP, DNS, FTP
- IPv6: TCP echo, HTTP, and TWAMP are not supported
- Default interval: 500 msec
- Default failure and restore threshold: 5

Fortigate as TWAMP Server

config system probe-response
  set port 862 (default port 8008)
  set mode twamp
  set security-mode authentication
  set password fortinet
end
config system interface
  edit port1
    append allowaccess probe-response
  next
end

Passive Monitoring

Probe-free performance monitoring: performance based on member traffic
Benefits:
- more accurate measuring
- simplied configuration
- reduced network traffic
Limitations:
- Only TCP traffic is measured
  - Latency is based on RTT using TCP setup and teardown
  - Jitter and packet loss are based on TCP headers
- No member state detection: Members are always alive
- Hardware acceleration is disabled

config system sdwan 
  config health-check
    edit Passive
      set detect-mode passive
      set members 3 4
    next
  end
end

config firewall policy
  edit 5
    set passive-wan-health-measurement enable
  next
end

# show full firewall policy 5 | grep auto
  set auto-asic-offload disable (Hardware acceleration is automatically disabled)

Per-Application Passive Monitoring

Differentiate and collect metrics for apps defined in rules
- If multiple apps are defined, an average is calculated
Benefits: Most accurate monitoring method

config system sdwan 
  config health-check
    edit Passive
      set detect-mode passive
      set members 3 4
    next
  end
  config service
    edit 1
      set name "GoToMeeting-Saleforce"
      set src all
      set internet-service enable
      set internet-service-app-ctrl 16354 16920
      set health-check Passive
      set priority-member 3 4
      set passive-measurement enable
    next
end

config firewall policy
  edit 5
    set passive-wan-health-measurement enable
  next
end

Prefer Passive Monitoring

Mix of passive and active monitoring
- Passive when there is TCP traffic
- Active when no TCP traffic has been detected for 3 mins (hard-coded)
Dead members detected during active monitoring

config system sdwan 
  config health-check
    edit T_INET_0_Passive
      set server 10.1.1.1
      set protocol ping
      set detect-mode prefer-passive
      set members 3
    next
  end
end

config firewall policy
  edit 5
    set passive-wan-health-measurement enable
  next
end

SLA Targets

Define member performance requirements
Used by Lowest Cost (SLA) and Maximum Bandwidth (SLA) rules
Member must meet target SLA for being eligible for traffic steering
Configure one or more target SLAs per performance SLA: use same health check for multiple applications
Viewing State and Peformance:
- FortiManager: Device Manager > Monitor > SD-WAN Monitor
- FortiGate: Network > SD-WAN > Performance SLA
CLI:
- diagnose sys sdwan health-check status: Performance SLA: show both member state and measured performance
- diagnose sys link-monitor interface port1: Link monitor status
- diagnose sys link-monitor-passive interface T_INET_0: Link monitor passive status
- diagnose sys sdwan sla-log Level3_DNS 1: 1 is member configuration index number: member metrics
- diagnose sys sdwan intf-sla-log port1: Member utilizationutilization
- diagnose sys sdwan member
- get router info routing-table database: view inactive routes
- diagnose hardware deviceinfo nic port5 | grep "Link|State"

SLA Target Maps

sla_map uses a bitmask to reference SLA targets and indicates their status
- Number of bits = number of configured SLA targets
- First configured SLA target is assigned bit 0, second configured SLA target bit 1 and so on
- Bit of SLA target is set to 1 if met, otherwise to 0
Example of sla_map values for three SLA targets

sla_map (hex)

SLA Target #3 (Bit2)

SLA Target #2 (Bit1)

SLA Target #1 (Bit0)

0x7

Pass(1)

0x6

Pass(1)

Fail(0)

0x5

Pass(1)

Fail(0)

Pass(1)

0x4

Pass(1)

Fail(0)

0x3

Fail(0)

Pass(1)

0x2

Fail(0)

Pass(1)

Fail(0)

0x1

Fail(0)

Pass(1)

0x0

Fail(0)

0x0 also means there are no SLA targets configured

PreviousADVPN NextRules

Last updated 2 years ago