Performance SLA

  • Monitor member health:

    • State: Alive or dead

    • Performance:

      • Packet loss, latency and jitter

      • SLA targets: Minimum performance requirements

  • Health can be measured

    • Actively: based on periodic probes sent to configured servers

    • Passively: based on member traffic

  • Configuration: SD-WAN templates > Performance SLA

  • CLI:

config system sdwan
    config health-check
        edit "Level3_DNS"
            set probe-packets enable
            set addr-mode ipv4
            set server "4.2.2.1" "4.2.2.2"
            set detect-mode active
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set update-cascade-interface enable
            set update-static-route enable
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 50
                next
            end
        next
    end
end

Active Monitoring

  • Periodic probes are sent to target servers to determine a member's:

    • State: alive or dead (initial state is alive)

    • Performance: packet loss, latency, and jitter (used by SD-WAN rules)

  • Probes

    • Supported IPv4 protocols

      • General purpose: ping, TCP echo, UDP echo, TWAMP, and TCP connect

      • Application Specific: HTTP, DNS, FTP

    • IPv6: TCP echo, HTTP, and TWAMP are not supported

    • Default interval: 500 msec

    • Default failure and restore threshold: 5

FortiGate as TWAMP Server

Passive Monitoring

  • Probe-free performance monitoring: performance based on member traffic

  • Benefits:

    • more accurate measuring

    • simplified configuration

    • reduced network traffic

  • Limitations:

    • Only TCP traffic is measured

      • Latency is based on RTT using TCP setup and teardown

      • Jitter and packet loss are based on TCP headers

    • No member state detection: Members are always alive

    • Hardware acceleration is disabled

Per-Application Passive Monitoring

  • Differentiate and collect metrics for apps defined in rules

    • If multiple apps are defined, an average is calculated

  • Benefits: Most accurate monitoring method

Prefer Passive Monitoring

  • Mix of passive and active monitoring

    • Passive when there is TCP traffic

    • Active when no TCP traffic has been detected for 3 mins (hard-coded)

  • Dead members detected during active monitoring

SLA Targets

  • Define member performance requirements

  • Used by Lowest Cost (SLA) and Maximum Bandwidth (SLA) rules

  • Member must meet the target SLA to be eligible for traffic steering

  • Configure one or more target SLAs per performance SLA: use the same health check for multiple applications

  • Viewing State and Performance:

    • FortiManager: Device Manager > Monitor > SD-WAN Monitor

    • FortiGate: Network > SD-WAN > Performance SLA

  • CLI:

    • diagnose sys sdwan health-check status: Performance SLA status, shows both member state and measured performance

    • diagnose sys link-monitor interface port1: Link monitor status

    • diagnose sys link-monitor-passive interface T_INET_0: Link monitor passive status

    • diagnose sys sdwan sla-log Level3_DNS 1: Member metrics (1 is the member configuration index number)

    • diagnose sys sdwan intf-sla-log port1: Member utilization

    • diagnose sys sdwan member

    • get router info routing-table database: view inactive routes

    • diagnose hardware deviceinfo nic port5 | grep "Link|State"

SLA Target Maps

  • sla_map uses a bitmask to reference SLA targets and indicates their status

    • Number of bits = number of configured SLA targets

    • First configured SLA target is assigned bit 0, second configured SLA target bit 1 and so on

    • Bit of SLA target is set to 1 if met, otherwise to 0

  • Example of sla_map values for three SLA targets

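| sla_map (hex) | SLA Target #3 (Bit 2) | SLA Target #2 (Bit 1) | SLA Target #1 (Bit 0) |
|---------------|-----------------------|-----------------------|-----------------------|
| 0x7           | Pass (1)              | Pass (1)              | Pass (1)              |
| 0x6           | Pass (1)              | Pass (1)              | Fail (0)              |
| 0x5           | Pass (1)              | Fail (0)              | Pass (1)              |
| 0x4           | Pass (1)              | Fail (0)              | Fail (0)              |
| 0x3           | Fail (0)              | Pass (1)              | Pass (1)              |
| 0x2           | Fail (0)              | Pass (1)              | Fail (0)              |
| 0x1           | Fail (0)              | Fail (0)              | Pass (1)              |
| 0x0           | Fail (0)              | Fail (0)              | Fail (0)              |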

  • 0x0 also means there are no SLA targets configured
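
The following Python sketch is an added example, not part of the original notes or any Fortinet tooling. It decodes sla_map values into per-target pass/fail results and handles the ambiguous 0x0 case. The sample lines are constructed and modelled on `diagnose sys sdwan health-check status` output (the field layout is an assumption); the function names are hypothetical.

```python
import re

# Constructed sample, modelled on `diagnose sys sdwan health-check status`.
# The exact field layout is an assumption and may differ between versions.
SAMPLE = """\
Health Check(Level3_DNS):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(12.410), jitter(0.530) sla_map=0x7
Seq(2 port2): state(alive), packet-loss(0.000%) latency(61.902), jitter(4.118) sla_map=0x6
Seq(3 T_INET_0): state(dead), packet-loss(100.000%) sla_map=0x0
"""

# One member per line: sequence number, interface, state, sla_map in hex.
LINE = re.compile(
    r"Seq\((\d+) ([^)\s]+)\): state\((\w+)\).*?sla_map=(0x[0-9a-fA-F]+)"
)


def decode_sla_map(sla_map, n_targets):
    """Return {target_id: met}. Target N is bit N-1 (first target = bit 0)."""
    if n_targets == 0:
        # 0x0 with no targets configured is not a failure, so report nothing.
        return {}
    if sla_map >> n_targets:
        raise ValueError(
            f"sla_map {sla_map:#x} sets bits beyond {n_targets} configured targets"
        )
    return {t: bool((sla_map >> (t - 1)) & 1) for t in range(1, n_targets + 1)}


def parse_status(text, n_targets):
    """Parse member lines and attach the decoded per-target status."""
    members = []
    for match in LINE.finditer(text):
        seq, intf, state, raw = match.groups()
        targets = decode_sla_map(int(raw, 16), n_targets)
        members.append({
            "seq": int(seq),
            "interface": intf,
            "state": state,
            "targets": targets,
            "failed": [t for t, met in targets.items() if not met],
        })
    return members


if __name__ == "__main__":
    for m in parse_status(SAMPLE, n_targets=3):
        print(m["seq"], m["interface"], m["state"], "failed targets:", m["failed"])
```

The number of configured SLA targets must be supplied by the caller, because sla_map alone cannot distinguish "all targets failed" from "no targets configured".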
