Passive WAN health measurement
SD-WAN passive WAN health measurement derives the health check measurements from session information captured on firewall policies that have passive-wan-health-measurement enabled. Instead of sending probes, it analyzes the TCP sessions that traverse those policies to determine the jitter, latency, and packet loss of each SD-WAN member.
Passive WAN health measurement reduces the amount of configuration required and reduces the traffic produced by active health check probes. It also measures the real user traffic, whereas active measurement against a detection server might not reflect the path or conditions that real traffic experiences.
By default, a new health check uses active measurement (detect-mode active).
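To make the passive approach concrete, the following is an added illustration (not FortiOS code and not a description of the FortiGate's internal algorithm) of how per-member latency, jitter and packet loss can be derived from observed TCP sessions alone. The session record layout, the use of the SYN to SYN/ACK round trip as the latency sample, the jitter definition (mean absolute difference between consecutive samples) and the loss estimate (share of retransmitted data segments) are all assumptions made for this example; the sample sessions are constructed so that port15 and port16 come out near the figures shown later on this page.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Session:
    """What a passive monitor can see for one TCP session on one WAN member.

    Timestamps are in milliseconds. Hypothetical record layout, not FortiOS's.
    """
    interface: str
    syn_ms: int            # client SYN forwarded out the WAN interface
    synack_ms: int         # SYN/ACK returned from the server
    data_segments: int     # data segments sent by the client
    retransmissions: int   # how many of those were retransmitted

    def rtt_ms(self) -> float:
        # Assumption: the SYN -> SYN/ACK round trip is the latency sample.
        return float(self.synack_ms - self.syn_ms)


@dataclass(frozen=True)
class PassiveStats:
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float


def measure(sessions: list[Session]) -> dict[str, PassiveStats]:
    """Aggregate passive health figures per interface from session records."""
    by_interface: dict[str, list[Session]] = {}
    for s in sessions:
        by_interface.setdefault(s.interface, []).append(s)

    stats: dict[str, PassiveStats] = {}
    for name, group in by_interface.items():
        rtts = [s.rtt_ms() for s in group]
        latency = mean(rtts)
        # Assumption: jitter is the mean absolute difference between
        # consecutive latency samples seen on the same interface.
        deltas = [abs(a - b) for a, b in zip(rtts, rtts[1:])]
        jitter = mean(deltas) if deltas else 0.0
        # Assumption: packet loss is estimated from retransmitted segments.
        sent = sum(s.data_segments for s in group)
        lost = sum(s.retransmissions for s in group)
        loss = 100.0 * lost / sent if sent else 0.0
        stats[name] = PassiveStats(round(latency, 3), round(jitter, 3), round(loss, 3))
    return stats


# Constructed sample records: three sessions per WAN member, chosen so that
# port15 measures about 60 ms and port16 about 10 ms.
SAMPLE_SESSIONS = [
    Session("port15", 0, 60, 100, 0),
    Session("port15", 1000, 1061, 100, 0),
    Session("port15", 2000, 2059, 100, 0),
    Session("port16", 0, 10, 100, 0),
    Session("port16", 1000, 1015, 100, 0),
    Session("port16", 2000, 2005, 50, 1),
]

if __name__ == "__main__":
    for iface, s in measure(SAMPLE_SESSIONS).items():
        print(f"{iface}: latency {s.latency_ms} jitter {s.jitter_ms} "
              f"packet_loss {s.packet_loss_pct}%")
```

The point of the example is the dependency it exposes: a passive monitor only has data while sessions are flowing through the policy, which is exactly why prefer-passive falls back to probes when there is no traffic.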
To configure passive WAN health check:
config system sdwan
config health-check
edit "1"
set server <ip_address>
set detect-mode {passive | prefer-passive}
set members <members>
next
end
end
detect-mode | Description
passive | Health is measured using traffic, without probes. No link health monitor needs to be configured.
prefer-passive | Health is measured using traffic when there is traffic, and using probes when there is no traffic. A link health monitor must be configured; see Link health monitor for details.
To enable passive WAN health measurement in a firewall policy whose destination interface is the SD-WAN zone (only sessions that match such a policy are measured, so the policy must actually carry the traffic you want to measure):
config firewall policy
edit 1
set dstintf <SD-WAN zone>
set passive-wan-health-measurement enable
next
end
Example
In this example, the FortiGate is configured to load-balance between two WAN interfaces, port15 and port16. A health check is configured in passive mode, and SLA thresholds are set. Passive WAN health measurement is enabled on the SD-WAN policy.
Measurements are taken from YouTube traffic generated by the PC. When latency is introduced to the traffic on port15, the SLA latency threshold of the passive health check is exceeded and traffic is rerouted to port16.
To configure the SD-WAN:
config system sdwan
set status enable
config zone
edit "SD-WAN"
next
end
config members
edit 1
set zone "SD-WAN"
set interface "port15"
set gateway 172.16.209.2
next
edit 2
set zone "SD-WAN"
set interface "port16"
set gateway 172.16.210.2
next
end
config health-check
edit "Passive_Check"
set detect-mode passive
set members 1 2
config sla
edit 1
set latency-threshold 500
set jitter-threshold 500
set packetloss-threshold 10
next
edit 2
set latency-threshold 1000
set jitter-threshold 1000
set packetloss-threshold 10
next
end
next
end
config service
edit 1
set name "Background_Traffic"
set mode load-balance
set src "172.16.205.0"
set internet-service enable
set internet-service-app-ctrl 31077 33321 41598 31076 33104 23397 30201 16420 17396 38569 25564
config sla
edit "Passive_Check"
set id 2
next
end
set priority-member 1 2
next
edit 2
set name "Foreground_Traffic"
set mode sla
set src "172.16.205.0"
set protocol 1
set dst "all"
config sla
edit "Passive_Check"
set id 1
next
end
set priority-member 1 2
next
end
end
To configure the firewall policy:
config firewall policy
edit 1
set name "SD-WAN-HC-policy"
set srcintf "port5"
set dstintf "SD-WAN"
set nat enable
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set passive-wan-health-measurement enable
set auto-asic-offload disable
next
end
Results
When both links pass the SLA:
# diagnose sys link-monitor-passive interface
Interface port16 (28): Latency 10.000 Jitter 5.000 Packet_loss 0.000% Last_updated Fri Mar 5 10:09:21 2021
Interface port15 (27): Latency 60.000 Jitter 0.000 Packet_loss 0.000% Last_updated Fri Mar 5 10:39:24 2021
# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(60.000), jitter(0.750) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(10.000), jitter(5.000) sla_map=0x3
# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200
Gen(1), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(1 port15), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(2 port16), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
Src address(1):
172.16.205.0-172.16.205.255
Dst address(1):
8.8.8.8-8.8.8.8
When the latency on port15 is increased to 610 ms, SLA 1 (latency-threshold 500) is broken on port15, and the Foreground_Traffic service (sla mode, SLA id 1) moves port16 to the front of its member list, so the pings are sent on port16:
# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(610.000), jitter(2.500) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(50.000), jitter(21.000) sla_map=0x3
# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200
Gen(6), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(2 port16), alive, sla(0x1), gid(1), cfg_order(1), cost(0), selected
2: Seq_num(1 port15), alive, sla(0x0), gid(2), cfg_order(0), cost(0), selected
Src address(1):
172.16.205.0-172.16.205.255
Dst address(1):
8.8.8.8-8.8.8.8
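The following added example (not FortiOS code) reproduces, on constructed measurements, the two things the Results section shows: the per-member sla_map bitmap against the two SLA targets configured under Passive_Check, and the member order of an sla-mode service such as Foreground_Traffic before and after port15 degrades. Two assumptions are made for the illustration: the bit layout (SLA id n sets bit n-1, inferred from the sla_map=0x3 output) and the ordering rule (members meeting the referenced SLA first, then the rest, each group in priority-member order). For the degraded state the computed map for port15 is 0x2, that is SLA 1 failed and SLA 2 still met, which is consistent with the sla(0x0) shown for port15 in the service 2 output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    """One SLA target under a health check (config sla / edit <id>)."""
    id: int
    latency_threshold: float     # ms
    jitter_threshold: float      # ms
    packetloss_threshold: float  # percent


@dataclass(frozen=True)
class Measurement:
    latency: float      # ms
    jitter: float       # ms
    packet_loss: float  # percent


# Thresholds from the page's Passive_Check health check
PASSIVE_CHECK = (Sla(1, 500, 500, 10), Sla(2, 1000, 1000, 10))

# priority-member order configured on the page's services: 1 = port15, 2 = port16
PRIORITY_MEMBERS = (1, 2)


def meets_sla(sla: Sla, m: Measurement) -> bool:
    """A member meets an SLA only if all three thresholds hold."""
    return (m.latency <= sla.latency_threshold
            and m.jitter <= sla.jitter_threshold
            and m.packet_loss <= sla.packetloss_threshold)


def sla_map(slas, m: Measurement) -> int:
    """Bitmap of SLAs the member meets: SLA id n sets bit n-1 (0x3 = 1 and 2).

    Assumption: the bit layout is inferred from the page's sla_map=0x3 output.
    """
    bits = 0
    for s in slas:
        if meets_sla(s, m):
            bits |= 1 << (s.id - 1)
    return bits


def order_members(priority_members, measurements, slas, sla_id: int) -> list:
    """Member order for a service in sla mode that references one SLA id.

    Assumed rule: members meeting the referenced SLA come first, then the
    rest, each group keeping the configured priority-member order.
    """
    want = 1 << (sla_id - 1)
    in_sla = [seq for seq in priority_members
              if sla_map(slas, measurements[seq]) & want]
    out_sla = [seq for seq in priority_members if seq not in in_sla]
    return in_sla + out_sla


# Constructed measurements mirroring the two states in the Results section
HEALTHY = {1: Measurement(60.0, 0.75, 0.0), 2: Measurement(10.0, 5.0, 0.0)}
DEGRADED = {1: Measurement(610.0, 2.5, 0.0), 2: Measurement(50.0, 21.0, 0.0)}

if __name__ == "__main__":
    for label, state in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        maps = {seq: hex(sla_map(PASSIVE_CHECK, m)) for seq, m in state.items()}
        print(label, "sla_map per member:", maps)
        print("  order against SLA id 1 (500 ms):",
              order_members(PRIORITY_MEMBERS, state, PASSIVE_CHECK, 1))
        print("  order against SLA id 2 (1000 ms):",
              order_members(PRIORITY_MEMBERS, state, PASSIVE_CHECK, 2))
```

Running it shows why the two services on the page react differently to the same 610 ms latency: a service referencing SLA id 1 reorders to port16 first, while one referencing SLA id 2 (1000 ms) still sees both members in SLA and keeps port15 in front.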