Digital experience

Digital experience monitoring (DEM) serves as a valuable tool for network administrators in diagnosing connectivity and network issues for remote users along with monitoring their real-time network bandwidth, CPU, memory, and hard disk usage. It also enables tracing end-to-end network performance, from an endpoint to a FortiSASE point of presence (PoP) and to a SaaS application using a DEM agent installed on the endpoint. DEM provides insights into potential network issues between a FortiClient endpoint, FortiSASE PoP, SaaS applications, and the internet service providers (ISP) connecting them.

For users with a Standard or Not-for-Resale (NFR) remote users FortiSASE license, a free 90-day DEM trial is available and you can activate DEM on a maximum of 10 endpoints. The endpoints that are activated for a DEM trial are moved from their original endpoint profile and assigned to the DEM trial endpoint profile, visible under Configuration > Profiles. To activate a DEM trial on an endpoint, do the following: Go to Network > Managed Endpoints, select the desired endpoint, and click View Endpoint Details. In the slide-in, go to Digital Experience and click Activate trial for this endpoint. Click Activate trial. When upgrading to an Advanced, Professional, or Comprehensive remote users license, you must reassign any endpoints that are enrolled in a DEM trial to their original endpoint profile or the Default profile. To reassign the endpoint, pausing the trial for the endpoint is required. To pause DEM on an endpoint, do the following: Go to Configuration > Profiles, select the DEM trial endpoint profile and click Edit. Under Profile Configuration, select DEM trial. Select the desired endpoint and click Pause. For a Standard or Not-for-Resale (NFR) remote users FortiSASE license, you must activate DEM on at least one endpoint to view the SaaS application list under Network > Digital Experience Monitoring.

To navigate DEM:

1. Go to Network > Managed endpoints to see the list of managed and unmanaged endpoints.
2. Select an endpoint and click View Endpoint Details. A slide-in appears and the following endpoint details are visible:

   GUI option	Description
   Details	Shows general endpoint information such as the hostname, management connection to FortiSASE, and VPN status. See Managed Endpoints. DEM displays information on all detected network interfaces and their IP addresses, and a real-time network bandwidth graph that shows total bandwidth used by endpoint.
   Hardware	Shows information regarding endpoint hardware such as vendor, model, and CPU. It displays a real-time graph that shows total hard disk, CPU, and memory usage on the endpoint.
   Digital Experience	Shows DEM agent status: offline, online, or agent is not installed. To get end-to-end network performance visibility from the endpoint to a particular SaaS application, run a trace job for the selected endpoint. SeeTo run a trace job on an endpoint:.

   DEM displays a list of SaaS applications and health check metrics for first-mile connectivity between the geographical PoPs provisioned for your FortiSASE instance and SaaS applications, as the following diagram shows. See Digital Experience Monitoring.

   

Running a trace job on an endpoint

FortiSASE can run a trace job on the endpoint using DEM agent. This assists in troubleshooting various performance bottlenecks in the network by providing link metrics such as average RTT and packet loss on various hops of the network.

To run the trace job, the following must be true:

• DEM agent is installed on endpoint.
• DEM agent status must be Online under Digital Experience tab under Network > Managed Endpoints> View Endpoint Details for selected endpoint.
• Application Control security profile and internet access firewall policy must not block ping or ICMP traffic.

To run a trace job on an endpoint:

1. Go to Network > Managed Endpoints.
2. Select the desired endpoint and click View Endpoint Details. A slide in appears.
3. Click the Digital Experience tab.
4. Click the Generate traceroute subtab. The DEM agent status must be Online. From the SaaS application dropdown list, select an application to test the connection to from the selected endpoint.
5. Under Monitor for, configure a suitable time to run the trace job for the specified duration.
6. Click Start to schedule the job.

   If you interrupt the current running job by clicking Stop, FortiSASE deletes the historical traceroute data collected so far and you must restart the job.

   The first trace job output displays within five minutes after clicking Start, after which FortiSASE presents output every three minutes until the selected Monitor for duration expires. FortiSASE stores the results displayed for three days only for the latest trace job. To analyze the trace job, see Analyzing trace job result.

Analyzing trace job result

The trace job output gives information on average RTT (ms) and packet loss (%) on various hops of the network. To identify the hop accurately, understanding whether the selected endpoint is connected to the FortiSASE VPN tunnel for secure internet access (SIA) or not is important.

When an endpoint is connected to the FortiSASE VPN tunnel, it accesses SaaS applications using SIA. Thus, the first and second hops of the trace are the entry and exit interface IP address of the FortiSASE PoP that the endpoint is connected to. The remaining hops are the ISPs in between until the last hop, which is the selected SaaS application.

When an endpoint is not connected to the FortiSASE tunnel, it accesses SaaS applications directly using its local internet breakout bypassing the FortiSASE PoP. Thus, the performance metrics (average RTT and packet loss) displayed do not include the FortiSASE PoP.

Some ISPs do not respond to the trace packets that the DEM agent sends and requests time out. For such hops, their entry is marked as *** in the trace result output.

Each FortiSASE administrator can only run one trace job on unique endpoints simultaneously.

Prerequisites

DEM requires an Advanced, Professional, or Comprehensive remote users FortiSASE license. However, a Standard or Not-for-Resale (NFR) remote users FortiSASE license can opt in for a free 90-day trial and activate DEM on a maximum of 10 endpoints. See the FortiSASE Ordering Guide.

For new FortiSASE instances with a Standard, Advanced, Professional, or Comprehensive license, the DEM agent is packaged along with the FortiClient installer and available to download as a single executable file from FortiSASE when users download FortiClient. See Managed endpoint client onboarding.

For existing FortiSASE instances with an Advanced, Professional, or Comprehensive license, endpoint users are prompted to begin upgrading to a FortiClient version that supports the DEM agent and the DEM agent is installed automatically during this upgrade. Whereas existing FortiSASE instances with Standard or Not-for-Resale (NFR) licenses are notified about a new FortiClient version packaged with DEM agent, and endpoint upgrade rule(s) are disabled. The endpoint upgrade rule must then be manually re-enabled to install DEM agent on required endpoints, see Endpoint Upgrade.

To uninstall the DEM agent, do the following:

• On macOS, use the uninstaller tool to uninstall FortiClient and the DEM agent together.

• On Windows, use the installer package to uninstall FortiClient and the DEM agent together. You cannot uninstall DEM agent using Add or Remove Program in Control Panel.