Using the minimum quality SLA strategy

6.0.0

The minimum quality SLA strategy uses criteria that you configure to determine which SD-WAN links to use. The FortiGate follows SD-WAN rules to route traffic through the SD-WAN interfaces that meet the latency, jitter, and packet loss criteria that you configure in the SLA targets associated with the rules.

You can configure one or more SLA targets for each performance SLA. In some situations, you might want to create multiple SLA targets in one performance SLA, for example, if you’re in a branch office and use different applications that run on the same server at your company headquarters. You can create one performance SLA to perform the health check for the server, and then have different SLA targets for different applications, with strict rules for some applications and lenient rules for other applications. However, if applications are running on different servers, you should create a separate performance SLA for each application so that health checks are performed on the server for each application. In this case, each performance SLA requires only one SLA target.

Configuring the minimum quality SLA strategy – GUI

You configure minimum quality SLA by performing the following tasks:

  1. Configure SLA targets.
  2. Configure SD-WAN rules to use SLA targets.

Configure SLA targets – GUI

  1. Go to Network > Performance SLA.
  2. Select the performance SLA that you want to use and select Edit.

    You configure performance SLAs when you configure link health monitoring. See Configuring link health monitoring for more information.

  3. In the SLA Targets section, select + to add one or more targets. Specify one or more of the following SLA criteria for each target:

    GUI option: Latency threshold
    Description: The maximum amount of latency that’s acceptable on the interface.
    Additional configuration steps:
      1. Enable this threshold.
      2. Set a latency threshold (in ms).

    GUI option: Jitter threshold
    Description: The maximum amount of jitter that’s acceptable on the interface.
    Additional configuration steps:
      1. Enable this threshold.
      2. Set a jitter threshold (in ms).

    GUI option: Packet loss threshold
    Description: The maximum percentage of packet loss that’s acceptable on the interface.
    Additional configuration steps:
      1. Enable this threshold.
      2. Set a packet loss threshold percentage.

  4. Select OK.

Configure SD-WAN rules to use SLA targets – GUI

  1. Go to Network > SD-WAN Rules.
  2. Select Create New.
  3. In the Name field, enter a name for the rule.
  4. In the Source section, set any of the following source parameters for matching incoming traffic from your organization’s internal network:

    GUI option: Source address
    Description: Match traffic based on source IP address.
    Additional configuration steps:
      1. Select +.
      2. In the Select Entries window, select one or more source IP addresses. Select Close.

    GUI option: User group
    Description: Match traffic based on users and user groups.
    Additional configuration steps:
      1. Select +.
      2. In the Select Entries window, select one or more users and user groups. Select Close.

  5. In the Destination section, set any of the following destination parameters for matching incoming traffic from your organization’s internal network:

    GUI option: Address
    Description: Match traffic based on destination IP address, destination port number, and type of service (ToS).

      If you configure this option, you can’t configure Internet Service or Application options.
    Additional configuration steps:
      1. Select +.
      2. In the Select Entries window, select one or more destination IP addresses. Select Close.
      3. In the Protocol number field, select TCP, UDP, ANY, or Specify.
      4. If you select TCP or UDP, specify a Port range.
      5. If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.

    GUI option: Internet Service
    Description: Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups.

      If you configure this option, you can’t configure the destination Address options.
    Additional configuration steps:
      1. Select +.
      2. In the Select Entries window, select one or more Internet services or Internet service groups from the list.
      3. Select Close.

    GUI option: Application
    Description: Match traffic based on applications and application control groups.

      If you configure this option, you can’t configure the destination Address options.
    Additional configuration steps:
      1. Select +.
      2. In the Select Entries window, select one or more applications or application control groups.
      3. Select Close.

  6. In the Outgoing Interfaces section, configure the following criteria for choosing which SD-WAN member interface to route traffic through:

    GUI option: Strategy
    Description: The strategy that you want the SD-WAN rules to use.
    Additional configuration steps: Select Minimum Quality (SLA).

    GUI option: Interface preference
    Description: One or more interfaces, in order of priority, that you want the FortiGate to use.

      If you select more than one interface, the FortiGate evaluates the links from the top down. If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality link.

      If at any time the current link doesn’t meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiGate changes to that link, and so on. If none of the links meet the SLA criteria, the FortiGate uses the preferred link, which is the first link in the configuration, regardless of its performance.

      The FortiGate continually checks the links to see if any of them meet the SLA criteria.
    Additional configuration steps:
      1. In the Interface preference field, select +.
      2. In the Select Entries window, select one or more interfaces. Select Close.

    GUI option: Required SLA target
    Description: The name of the SLA target that you want the FortiGate to use to measure the quality of the links.

      If you haven’t yet configured a performance SLA that you want to use, you can also use this option to create a new performance SLA.
    Additional configuration steps:
      1. In the Required SLA target field, select +.
      2. In the Select Entries window, select one or more SLA targets in the list, or select + to create a new performance SLA. Select Close.

  7. Select OK.
  8. Go to Network > SD-WAN Rules to see the SD-WAN rules. You can drag and drop the rules to reorder them.
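
The link-selection behaviour described under Interface preference, modelled as an added Python example (not Fortinet code and not part of the original handbook). It also covers the earlier case of two SLA targets, one strict and one lenient, judged against the same health-check measurements. The link names, measurements and thresholds are constructed, and treating a value equal to the threshold as acceptable is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class SlaTarget:
    """One SLA target. A threshold left as None is not enabled."""
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    packet_loss_pct: Optional[float] = None


@dataclass(frozen=True)
class LinkHealth:
    """Health-check measurements for one SD-WAN member interface."""
    name: str
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float


def meets_sla(link: LinkHealth, target: SlaTarget) -> bool:
    """True when every enabled threshold is satisfied (<= is an assumption)."""
    pairs = (
        (target.latency_ms, link.latency_ms),
        (target.jitter_ms, link.jitter_ms),
        (target.packet_loss_pct, link.packet_loss_pct),
    )
    return all(limit is None or measured <= limit for limit, measured in pairs)


def select_link(preference: Sequence[LinkHealth], target: SlaTarget) -> Tuple[str, bool]:
    """Walk the interface preference top down; return (link name, SLA met)."""
    if not preference:
        raise ValueError("interface preference must list at least one link")
    for link in preference:
        if meets_sla(link, target):
            return link.name, True      # first link that passes, not the best one
    return preference[0].name, False    # none pass: preferred link regardless


# Constructed measurements, listed in interface-preference order.
LINKS = [LinkHealth("wan1", 80, 12, 0.5), LinkHealth("wan2", 35, 4, 0.1),
         LinkHealth("wan3", 20, 2, 0.0)]
DEGRADED = [LinkHealth("wan1", 300, 40, 8.0), LinkHealth("wan2", 90, 15, 2.0)]

# Two targets in one performance SLA: strict (e.g. voice) and lenient (e.g. backup).
STRICT = SlaTarget(latency_ms=50, jitter_ms=10, packet_loss_pct=1)
LENIENT = SlaTarget(latency_ms=150)

if __name__ == "__main__":
    print(select_link(LINKS, STRICT))     # wan2 passes first; wan3 is better but unused
    print(select_link(LINKS, LENIENT))    # wan1 already satisfies the lenient target
    print(select_link(DEGRADED, STRICT))  # nothing passes, so traffic stays on wan1
```

The False flag in the last case is the condition worth alerting on: the rule is still forwarding traffic, but over a link that is outside its SLA.
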

Configure the minimum quality SLA strategy – CLI

Configure SLA targets – CLI

    config system virtual-wan-link
        config health-check
            edit <health_check_name>
                config sla
                    edit <sla_id>
                        set link-cost-factor {latency | jitter | packet-loss}
                        set latency-threshold <milliseconds>
                        set jitter-threshold <milliseconds>
                        set packetloss-threshold <percentage>
                    next
                end
            next
        end
    end

Configure SD-WAN rules to use SLA targets – CLI

In the CLI, an SD-WAN rule is called a service.

    config system virtual-wan-link
        config service
            edit <rule_id>
                set name <rule_name>
                set addr-mode {ipv4 | ipv6}
            next
        end
    end

Configure the source parameters:

    CLI option: set {src | src6} <address_list>
    Description: This is the same as the Source address option in the GUI.
    Additional configuration steps: None

    CLI option: set groups <group_list>
    Description: This is the same as the User group option in the GUI.
    Additional configuration steps: None

Configure the destination parameters:

    CLI option: set {dst | dst6} <address_list>
    Description: This is the same as the Address option in the GUI.

      The address list or address group list.
    Additional configuration steps: None

    CLI option: set protocol <protocol_number>
    Description: This is the same as the Protocol number option in the GUI.
    Additional configuration steps: If you set a specific protocol, you might also need to set additional values, such as:

        set start-port <port_number>
        set end-port <port_number>
        set tos <bit_pattern>
        set tos-mask <evaluated_bits>

      For more information, see the FortiOS CLI Reference.

    CLI option: set internet-service enable
    Description: This is the same as the Internet Service and Application options in the GUI.
    Additional configuration steps: If you enable the internet-service option, set any of these options:

        set internet-service-custom <name_list>
        set internet-service-custom-group <group_list>
        set internet-service-id <id_list>
        set internet-service-group <group_list>
        set internet-service-ctrl <id_list>
        set internet-service-ctrl-group <group_list>

      For more information, see the FortiOS CLI Reference.

Configure outgoing interface parameters:

    CLI option: set mode sla
    Description: This is the same as the Minimum Quality (SLA) option in the GUI.
    Additional configuration steps: None

    CLI option: set priority-members <member_sequence_list>
    Description: This is the same as the Interface preference option in the GUI.
    Additional configuration steps: None

    CLI option: config sla
    Description: This is the same as the Required SLA target option in the GUI.
    Additional configuration steps: Configure the SLA target settings:

        config sla
            edit <sla_target_name>
                set id <sla_id>
            next
        end
