Passive WAN health measurement
SD-WAN passive WAN health measurement determines the health check measurements (jitter, latency, and packet loss) using session information captured from the firewall policies that have Passive Health Check (passive-wan-health-measurement) enabled. Passive measurements analyze session information gathered from various TCP sessions, and the results can be viewed using the command diagnose sys link-monitor-passive admin list by-interface.
Using passive WAN health measurement reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements. Passive WAN health measurement analyzes real-life traffic; active WAN health measurement using a detection server might not reflect the real-life traffic.
By default, active WAN health measurement is enabled when a new health check is created. It can be changed to passive or prefer passive:
passive
    Health is measured using live traffic passing through an SD-WAN link to determine link metrics (jitter, latency, and packet loss) of participating SD-WAN links. No link health monitor needs to be configured.
prefer-passive
    Health is measured using live traffic when there is traffic passing through an SD-WAN link to determine link metrics (jitter, latency, and packet loss). If there is no live traffic flowing through an SD-WAN link for three continuous minutes, then the FortiGate sends out active probes to the configured health check server (
When
Example
In this example, the FortiGate is configured to load-balance between two WAN interfaces, port15 and port16. A health check is configured in passive mode, and SLA thresholds are set. Passive WAN health measurement is enabled on the SD-WAN policy.
Measurements are taken from YouTube traffic generated by the PC. When latency is introduced to the traffic on port15, the passive health check trigger threshold is exceeded and traffic is rerouted to port16.
To configure the SD-WAN in the GUI:
- Create the SD-WAN zone:
  - Go to Network > SD-WAN and select the SD-WAN Zones tab.
  - Click Create New > SD-WAN Zone.
  - Enter a name for the zone, such as SD-WAN.
  - Click OK.
- Create the SD-WAN members:
  - Go to Network > SD-WAN and select the SD-WAN Zones tab.
  - Click Create New > SD-WAN Member.
  - Set Interface to port15, SD-WAN Zone to SD-WAN, and Gateway to 172.16.209.2.
  - Click OK.
  - Click Create New > SD-WAN Member again.
  - Set Interface to port16, SD-WAN Zone to SD-WAN, and Gateway to 172.16.210.2.
  - Click OK.
- Create a performance SLA:
  - Go to Network > SD-WAN and select the Performance SLAs tab.
  - Edit an existing health check, or create a new one.
  - Set Probe mode to Passive.
  - Set Participants to Specify and add port15 and port16.
  - Configure two SLA targets. Note that the second SLA target must be configured in the CLI.
  - Configure the remaining settings as needed.
  - Click OK.
    The SLA list shows the probe mode in the Detect Server column if the probe mode is passive or prefer passive.
    Probe packets can only be disabled in the CLI, and only when the probe mode is not passive.
- Create SD-WAN rules:
  - Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
  - Configure the first rule:
      Name: Background_Traffic
      Source address: 172.16.205.0
      Application: Click in the field, and in the Select Entries pane search for YouTube and select all of the entries.
      Strategy: Maximize Bandwidth (SLA)
      Interface preference: port15 and port16
      Required SLA target: Passive_Check#2
  - Click OK.
  - Click Create New again and configure the second rule:
      Name: Foreground_Traffic
      Source address: 172.16.205.0
      Address: all
      Protocol number: Specify - 1
      Strategy: Lowest Cost (SLA)
      Interface preference: port15 and port16
      Required SLA target: Passive_Check#1
  - Click OK.
To configure the firewall policy in the GUI:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Configure the policy:
    Name: SD-WAN-HC-policy
    Incoming Interface: port5
    Outgoing Interface: SD-WAN
    Source: all
    Destination: all
    Schedule: always
    Service: ALL
    Action: ACCEPT
    Passive Health Check: Enabled
  Passive health check can only be enabled in a policy when the outgoing interface is an SD-WAN zone.
- Click OK.
To configure the SD-WAN in the CLI:
config system sdwan
    set status enable
    config zone
        edit "SD-WAN"
        next
    end
    config members
        edit 1
            set zone "SD-WAN"
            set interface "port15"
            set gateway 172.16.209.2
        next
        edit 2
            set zone "SD-WAN"
            set interface "port16"
            set gateway 172.16.210.2
        next
    end
    config health-check
        edit "Passive_Check"
            set detect-mode passive
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 500
                    set jitter-threshold 500
                    set packetloss-threshold 10
                next
                edit 2
                    set latency-threshold 1000
                    set jitter-threshold 1000
                    set packetloss-threshold 10
                next
            end
        next
    end
    config service
        edit 1
            set name "Background_Traffic"
            set mode sla
            set load-balance enable
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 31077 33321 41598 31076 33104 23397 30201 16420 17396 38569 25564
            config sla
                edit "Passive_Check"
                    set id 2
                next
            end
            set priority-member 1 2
        next
        edit 2
            set name "Foreground_Traffic"
            set mode sla
            set src "172.16.205.0"
            set protocol 1
            set dst "all"
            config sla
                edit "Passive_Check"
                    set id 1
                next
            end
            set priority-member 1 2
        next
    end
end
To configure the firewall policy in the CLI:
config firewall policy
    edit 1
        set name "SD-WAN-HC-policy"
        set srcintf "port5"
        set dstintf "SD-WAN"
        set nat enable
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set passive-wan-health-measurement enable
        set auto-asic-offload disable
    next
end
Results
When both links pass the SLA:
# diagnose sys link-monitor-passive admin list by-interface
Interface port16 (28):
    Default(0x00000000): latency=10.0 15:46:36, jitter=5.0 15:46:37, pktloss=0.0 % 10:09:21
Interface port15 (27):
    Default(0x00000000): latency=60.0 15:46:36, jitter=0.0 15:46:37, pktloss=0.0 % 10:39:24

# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(60.000), jitter(0.750) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(10.000), jitter(5.000) sla_map=0x3

# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200
  Gen(1), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(1 port15), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
    2: Seq_num(2 port16), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
  Src address(1):
        172.16.205.0-172.16.205.255
  Dst address(1):
        8.8.8.8-8.8.8.8
When the latency is increased to 610ms on port15, the SLA is broken and pings are sent on port16:
# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(610.000), jitter(2.500) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(50.000), jitter(21.000) sla_map=0x3

# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200
  Gen(6), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(2 port16), alive, sla(0x1), gid(1), cfg_order(1), cost(0), selected
    2: Seq_num(1 port15), alive, sla(0x0), gid(2), cfg_order(0), cost(0), selected
  Src address(1):
        172.16.205.0-172.16.205.255
  Dst address(1):
        8.8.8.8-8.8.8.8
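The results above can be checked offline against the SLA targets from the example configuration. The following Python script is an added illustration, not FortiGate code: it parses the text of the diagnose sys sdwan health-check output shown on this page (embedded below as a constructed sample), applies the two SLA targets from the config (SLA 1: latency 500, jitter 500, packet loss 10; SLA 2: latency 1000, jitter 1000, packet loss 10), and works out which members are in SLA for each target and which member a rule requiring a given SLA target would prefer. The selection logic is a simplified model of the documented behaviour (in-SLA members first, in configured priority order), not the FortiGate implementation, and the SLA bitmask it derives is a local computation that need not match the sla_map bits the device prints.

```python
"""Evaluate passive health-check metrics against SD-WAN SLA targets (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the health-check output shown on the page after the
# latency on port15 is raised to 610 ms.
SAMPLE_OUTPUT = """\
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(610.000), jitter(2.500) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(50.000), jitter(21.000) sla_map=0x3
"""

# SLA targets taken from "config sla" under the Passive_Check health check.
SLA_TARGETS = {
    1: {"latency": 500.0, "jitter": 500.0, "packetloss": 10.0},
    2: {"latency": 1000.0, "jitter": 1000.0, "packetloss": 10.0},
}

# One "Seq(...)" line of the health-check output.
SEQ_RE = re.compile(
    r"Seq\((?P<seq>\d+) (?P<member>\S+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<latency>[\d.]+)\), "
    r"jitter\((?P<jitter>[\d.]+)\)"
)


@dataclass
class MemberMetrics:
    seq: int
    name: str
    alive: bool
    packetloss: float
    latency: float
    jitter: float


def parse_health_check(text):
    """Return the per-member metrics found in health-check output text."""
    members = []
    for line in text.splitlines():
        m = SEQ_RE.search(line)
        if not m:
            continue  # header or unrelated line
        members.append(MemberMetrics(
            seq=int(m["seq"]), name=m["member"], alive=m["state"] == "alive",
            packetloss=float(m["loss"]), latency=float(m["latency"]),
            jitter=float(m["jitter"])))
    return members


def meets_sla(metrics, target):
    """A member is in SLA when it is alive and every metric is within threshold."""
    return (metrics.alive
            and metrics.latency <= target["latency"]
            and metrics.jitter <= target["jitter"]
            and metrics.packetloss <= target["packetloss"])


def sla_map(metrics, targets=SLA_TARGETS):
    """Bitmask of SLA targets met: bit (id - 1) is set when target id is met."""
    mask = 0
    for sla_id, target in targets.items():
        if meets_sla(metrics, target):
            mask |= 1 << (sla_id - 1)
    return mask


def select_members(members, sla_id, priority, targets=SLA_TARGETS):
    """Member names for a rule requiring SLA sla_id, best candidate first.

    In-SLA members come first in configured priority order; out-of-SLA
    members follow so traffic still has a path when no member meets the
    target. This is a simplified model, not the device's algorithm.
    """
    by_seq = {m.seq: m for m in members}
    ordered = [by_seq[s] for s in priority if s in by_seq]
    in_sla = [m.name for m in ordered if meets_sla(m, targets[sla_id])]
    out_sla = [m.name for m in ordered if not meets_sla(m, targets[sla_id])]
    return in_sla + out_sla


if __name__ == "__main__":
    ms = parse_health_check(SAMPLE_OUTPUT)
    for m in ms:
        print(f"{m.name}: latency={m.latency} sla_map=0x{sla_map(m):x}")
    # Foreground_Traffic requires Passive_Check#1; Background_Traffic requires #2.
    print("Foreground_Traffic preference:", select_members(ms, 1, [1, 2]))
    print("Background_Traffic preference:", select_members(ms, 2, [1, 2]))
```

With the sample output, port15 at 610 ms misses SLA 1 but still meets SLA 2, so the Foreground_Traffic rule (required target Passive_Check#1) moves port16 to the front while Background_Traffic (Passive_Check#2) keeps both members in SLA in their configured order.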
Passive measurement
Passive measurement allows SLA information per internet service/application to be differentiated and collected when internet services/applications are defined in an SD-WAN rule that uses passive or prefer passive SLA. The SLA metrics (jitter, latency, and packet loss) on each SD-WAN member in the rule are calculated based on the relevant internet services/applications SLA information. These metrics help analyze the performance of different applications using the same WAN link. See Passive health-check measurement by internet service and application for more information.