Administration Guide

Passive WAN health measurement

SD-WAN passive WAN health measurement determines the health check measurements (jitter, latency, and packet loss) using session information captured from the firewall policies that have Passive Health Check (passive-wan-health-measurement) enabled. Passive measurements analyze session information gathered from various TCP sessions; the collected measurements can be viewed with the command diagnose sys link-monitor-passive admin list by-interface.

Using passive WAN health measurement reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements. Passive WAN health measurement analyzes real-life traffic; active WAN health measurement using a detection server might not reflect the real-life traffic.

By default, active WAN health measurement is enabled when a new health check is created. It can be changed to passive or prefer passive:

passive

Health is measured using live traffic passing through an SD-WAN link to determine link metrics (jitter, latency, and packet loss) of participating SD-WAN links. No link health monitor needs to be configured.

prefer-passive

Health is measured using live traffic when there is traffic passing through an SD-WAN link to determine link metrics (jitter, latency, and packet loss). If there is no live traffic flowing through an SD-WAN link for three continuous minutes, then the FortiGate sends out active probes to the configured health check server (set server) to calculate the link metrics. A link health monitor must be configured; see Link health monitor for details.

Note

When passive-wan-health-measurement is enabled, auto-asic-offload will be disabled.

Example

In this example, the FortiGate is configured to load-balance between two WAN interfaces, port15 and port16. A health check is configured in passive mode, and SLA thresholds are set. Passive WAN health measurement is enabled on the firewall policy whose outgoing interface is the SD-WAN zone.

Measurements are taken from YouTube traffic generated by the PC. When latency is introduced to the traffic on port15, the passive health check trigger threshold is exceeded and traffic is rerouted to port16.

To configure the SD-WAN in the GUI:
  1. Create the SD-WAN zone:

    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.

    2. Click Create New > SD-WAN Zone.

    3. Enter a name for the zone, such as SD-WAN.

    4. Click OK.

  2. Create the SD-WAN members:

    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.

    2. Click Create New > SD-WAN Member.

    3. Set Interface to port15, SD-WAN Zone to SD-WAN, and Gateway to 172.16.209.2.

    4. Click OK.

    5. Click Create New > SD-WAN Member again.

    6. Set Interface to port16, SD-WAN Zone to SD-WAN, and Gateway to 172.16.210.2.

    7. Click OK.

  3. Create a performance SLA:

    1. Go to Network > SD-WAN and select the Performance SLAs tab.

    2. Edit an existing health check, or create a new one.

    3. Set Probe mode to Passive.

    4. Set Participants to Specify and add port15 and port16.

    5. Configure two SLA targets. Note that the second SLA target must be configured in the CLI.

    6. Configure the remaining settings as needed.

    7. Click OK.

      If the probe mode is passive or prefer passive, the SLA list shows the probe mode in the Detect Server column.

      Tooltip

      Probe packets can only be disabled in the CLI and when the probe mode is not passive.

  4. Create SD-WAN rules:

    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    2. Configure the first rule:

      Name: Background_Traffic
      Source address: 172.16.205.0
      Application: click in the field, and in the Select Entries pane search for YouTube and select all of the entries
      Strategy: Maximize Bandwidth (SLA)
      Interface preference: port15 and port16
      Required SLA target: Passive_Check#2

    3. Click OK.

    4. Click Create New again and configure the second rule:

      Name: Foreground_Traffic
      Source address: 172.16.205.0
      Address: all
      Protocol number: Specify - 1
      Strategy: Lowest Cost (SLA)
      Interface preference: port15 and port16
      Required SLA target: Passive_Check#1

    5. Click OK.

To configure the firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the policy:

    Name: SD-WAN-HC-policy
    Incoming Interface: port5
    Outgoing Interface: SD-WAN
    Source: all
    Destination: all
    Schedule: always
    Service: ALL
    Action: ACCEPT
    Passive Health Check: Enabled

    Passive health check can only be enabled in a policy when the outgoing interface is an SD-WAN zone.

  3. Click OK.

To configure the SD-WAN in the CLI:
config system sdwan
    set status enable
    config zone
        edit "SD-WAN"
        next
    end
    config members
        edit 1
            set zone "SD-WAN"
            set interface "port15"
            set gateway 172.16.209.2
        next
        edit 2
            set zone "SD-WAN"
            set interface "port16"
            set gateway 172.16.210.2
        next
    end
    config health-check
        edit "Passive_Check"
            set detect-mode passive
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 500
                    set jitter-threshold 500
                    set packetloss-threshold 10
                next
                edit 2
                    set latency-threshold 1000
                    set jitter-threshold 1000
                    set packetloss-threshold 10
                next
            end
        next
    end
    config service
        edit 1
            set name "Background_Traffic"
            set mode sla
            set load-balance enable
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 31077 33321 41598 31076 33104 23397 30201 16420 17396 38569 25564
            config sla
                edit "Passive_Check"
                    set id 2
                next
            end
            set priority-member 1 2
        next
        edit 2
            set name "Foreground_Traffic"
            set mode sla
            set src "172.16.205.0"
            set protocol 1
            set dst "all"
            config sla
                edit "Passive_Check"
                    set id 1
                next
            end
            set priority-member 1 2
        next
    end
end
To configure the firewall policy in the CLI:
config firewall policy
    edit 1
        set name "SD-WAN-HC-policy"
        set srcintf "port5"
        set dstintf "SD-WAN"
        set nat enable
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set passive-wan-health-measurement enable
        set auto-asic-offload disable
    next
end

Results

When both links pass the SLA:
# diagnose sys link-monitor-passive admin list by-interface
Interface port16 (28):
  Default(0x00000000): latency=10.0    15:46:36, jitter=5.0    15:46:37, pktloss=0.0  % 10:09:21

Interface port15 (27):
  Default(0x00000000): latency=60.0    15:46:36, jitter=0.0    15:46:37, pktloss=0.0  % 10:39:24
# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(60.000), jitter(0.750) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(10.000), jitter(5.000) sla_map=0x3
# diagnose sys sdwan service 2

Service(2): Address Mode(IPV4) flags=0x200
  Gen(1), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(1 port15), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
    2: Seq_num(2 port16), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
  Src address(1):
        172.16.205.0-172.16.205.255
        
  Dst address(1):
        8.8.8.8-8.8.8.8
When the latency on port15 is increased to 610 ms, the SLA is broken and pings are sent on port16:
# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(610.000), jitter(2.500) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(50.000), jitter(21.000) sla_map=0x3
# diagnose sys sdwan service 2

Service(2): Address Mode(IPV4) flags=0x200
  Gen(6), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(2 port16), alive, sla(0x1), gid(1), cfg_order(1), cost(0), selected
    2: Seq_num(1 port15), alive, sla(0x0), gid(2), cfg_order(0), cost(0), selected
  Src address(1):
        172.16.205.0-172.16.205.255
        
  Dst address(1):
        8.8.8.8-8.8.8.8
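
The following added example (not part of the Fortinet guide) parses the Seq lines of the diagnose sys sdwan health-check output above, evaluates each member against the two SLA targets configured in Passive_Check (500/500/10 and 1000/1000/10), and orders the members for a Lowest Cost (SLA) rule the way the Results section shows: members meeting the required SLA first, in configured priority order. The bit layout of the SLA bitmap and the ordering rule are simplified assumptions for illustration, not FortiOS internals.

```python
import re

# SLA targets of health check "Passive_Check" from the guide: id -> (latency ms, jitter ms, packet loss %)
SLA_TARGETS = {1: (500.0, 500.0, 10.0), 2: (1000.0, 1000.0, 10.0)}

# Matches one "Seq(...)" line of "diagnose sys sdwan health-check" output
SEQ_RE = re.compile(
    r"Seq\((\d+) (\S+)\): state\((\w+)\), packet-loss\(([\d.]+)%\) "
    r"latency\(([\d.]+)\), jitter\(([\d.]+)\)"
)

def parse_health_check(output):
    """Return one dict per SD-WAN member found in the health-check output."""
    members = []
    for seq, name, state, loss, latency, jitter in SEQ_RE.findall(output):
        members.append({"seq": int(seq), "name": name, "alive": state == "alive",
                        "loss": float(loss), "latency": float(latency),
                        "jitter": float(jitter)})
    return members

def sla_bits(member, targets=SLA_TARGETS):
    """Bitmap of SLA targets the member meets: bit (id-1) is set only when all
    three thresholds are met (assumed layout, mirrors the sla_map idea)."""
    bits = 0
    for sla_id, (max_lat, max_jit, max_loss) in targets.items():
        if (member["alive"] and member["latency"] <= max_lat
                and member["jitter"] <= max_jit and member["loss"] <= max_loss):
            bits |= 1 << (sla_id - 1)
    return bits

def order_members(members, sla_id, priority):
    """Simplified Lowest Cost (SLA) ordering: alive members meeting the required
    SLA first, in configured priority order, then the remaining members."""
    by_seq = {m["seq"]: m for m in members}
    def key(seq):
        m = by_seq[seq]
        in_sla = bool(sla_bits(m) & (1 << (sla_id - 1)))
        return (not in_sla, not m["alive"], priority.index(seq))
    return sorted(priority, key=key)

# Constructed sample input: the two health-check outputs shown in the Results section
BEFORE = """Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(60.000), jitter(0.750) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(10.000), jitter(5.000) sla_map=0x3
"""
AFTER = """Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(610.000), jitter(2.500) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(50.000), jitter(21.000) sla_map=0x3
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        members = parse_health_check(text)
        print(label, [(m["name"], hex(sla_bits(m))) for m in members],
              "Foreground_Traffic order:", order_members(members, 1, [1, 2]))
```

With the 610 ms latency, port15 still meets SLA target 2 (1000 ms) used by Background_Traffic but no longer meets target 1 (500 ms) used by Foreground_Traffic, so only the second rule reorders its members.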

Passive measurement

Passive measurement allows SLA information per internet service/application to be differentiated and collected when internet services/applications are defined in an SD-WAN rule that uses passive or prefer passive SLA. The SLA metrics (jitter, latency, and packet loss) on each SD-WAN member in the rule are calculated based on the relevant internet services/applications SLA information. These metrics help analyze the performance of different applications using the same WAN link. See Passive health-check measurement by internet service and application for more information.
