Administration Guide

Override quality comparisons in SD-WAN longest match rule matching

In SD-WAN rules, the longest match routes will override the quality comparisons when all of the specific routes are out of SLA.

With this feature in an SD-WAN rule:

  • Lowest Cost (sla): Even though all of the egress ports on specific routes (longest matched routes) are out of SLA, the SD-WAN rule still selects the first configured or lowest-cost port from among those egress ports to forward traffic.

  • Best Quality (priority): Even though the egress ports on specific routes (longest matched routes) have worse quality than all other ports on less specific routes, the SD-WAN rule still selects the best quality port from among the ports on the specific routes to forward traffic.

This feature avoids a situation where, if the members on specific routes (longest matched routes) are out of SLA or have worse quality, traffic is forwarded to the wrong members: ones that are in SLA (or have higher quality) but only hold the default or aggregate routes.

Example

In this example, four SD-WAN members in two zones are configured. The remote PC (PC_2 - 10.1.100.22) has a specific route only on port15 and port16, even though default routes exist for all four SD-WAN members. A single SD-WAN service rule is configured that allows traffic to be balanced between all four of the members, but only chooses between port15 and port16 for the specific 10.1.100.22 address. If neither port15 nor port16 meets the SLA, traffic is still forwarded on one of these two interfaces, instead of on port1 or dmz.

A performance SLA health check is configured to monitor 10.1.100.2. An SD-WAN service rule in Lowest Cost (SLA) mode is configured to select the best interface to steer the traffic. In the rule, the method of selecting a member if more than one meets the SLA (tie-break) is configured to select members that meet the SLA and match the longest prefix in the routing table (fib-best-match). If there are multiple ECMP routes with the same destination, the FortiGate will take the longest (or best) match in the routing table, and choose from those interface members.

To configure the SD-WAN:
config system sdwan
    config zone
        edit "virtual-wan-link"
        next
        edit "z1"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway 172.16.200.2
        next
        edit 2
            set interface "dmz"
            set gateway 172.16.208.2
        next
        edit 3
            set interface "port15"
            set zone "z1"
            set gateway 172.16.209.2
        next
        edit 4
            set interface "port16"
            set zone "z1"
            set gateway 172.16.210.2
        next
    end
    config health-check
        edit "1"
            set server "10.1.100.2"
            set members 0
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "1"
            set mode sla
            set dst "all"
            set src "172.16.205.0"
            config sla
                edit "1"
                    set id 1
                next
            end
            set priority-members 1 2 3 4
            set tie-break fib-best-match
        next
    end
end
To check the results:
  1. The debug shows the SD-WAN service rule. Both port15 and port16 are up, but out of SLA:

    FGT_A (root) # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(4):
        1: Seq_num(1 port1), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected 
        2: Seq_num(2 dmz), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected 
        3: Seq_num(3 port15), alive, sla(0x0), gid(0), cfg_order(2), cost(0), selected 
        4: Seq_num(4 port16), alive, sla(0x0), gid(0), cfg_order(3), cost(0), selected  
      Src address(1):
            172.16.205.0-172.16.205.255
    
      Dst address(1):
            0.0.0.0-255.255.255.255
  2. The routing table shows that there are ECMP default routes on all of the members, and ECMP specific (or best) routes only on port15 and port16:

    FGT_A (root) # get router info routing-table static         
    Routing table for VRF=0
    S*      0.0.0.0/0 [1/0] via 172.16.200.2, port1
                             [1/0] via 172.16.208.2, dmz
                             [1/0] via 172.16.209.2, port15
                             [1/0] via 172.16.210.2, port16
    S       10.1.100.22/32 [10/0] via 172.16.209.2, port15
                                      [10/0] via 172.16.210.2, port16
    

    Because tie-break is set to fib-best-match, even though both port15 and port16 are out of SLA, the first configured member of the two (port15) is selected to forward traffic to PC_2. For all other traffic, the first configured member from all of the interfaces that are in SLA is selected to forward traffic (port1).

  3. On PC_1, generate traffic to PC_2:

    ping 10.1.100.22
  4. On FGT_A, sniff for traffic sent to PC_2:

    # diagnose sniffer packet any 'host 10.1.100.22' 4
    interfaces=[any]
    filters=[host 10.1.100.22]
    2.831299 port5 in 172.16.205.11 -> 10.1.100.22: icmp: echo request
    2.831400 port15 out 172.16.205.11 -> 10.1.100.22: icmp: echo request

    Traffic is leaving on port15, the first configured member from port15 and port16, even though both are out of SLA.
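To make the selection order concrete, the following added Python example (not FortiOS code and not part of the Fortinet guide) replays the decision described in the feature summary above and in the check steps just shown. It parses constructed copies of the `diagnose sys sdwan service` member lines and the `get router info routing-table static` output from this page, restricts the candidate set to the members that hold the longest-prefix route for the destination (the fib-best-match step), and only then applies the Lowest Cost (sla) or Best Quality (priority) comparison inside that set. The priority-mode quality scores, the 192.0.2.10 destination, and the `fib_best_match=False` comparison are assumptions made for illustration; the model also reduces "best route" to prefix length and ignores distance and priority.

```python
"""Model of SD-WAN member selection with tie-break fib-best-match.

Added example, not FortiOS code. It replays the selection logic the page
describes against constructed copies of the two CLI outputs shown on it.
"""
import ipaddress
import re

# Constructed sample: member lines as printed by `diagnose sys sdwan service`.
SDWAN_SERVICE_OUTPUT = """\
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members(4):
    1: Seq_num(1 port1), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
    2: Seq_num(2 dmz), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
    3: Seq_num(3 port15), alive, sla(0x0), gid(0), cfg_order(2), cost(0), selected
    4: Seq_num(4 port16), alive, sla(0x0), gid(0), cfg_order(3), cost(0), selected
"""

# Constructed sample: static routes as printed by `get router info routing-table static`.
ROUTING_TABLE_OUTPUT = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 172.16.200.2, port1
                         [1/0] via 172.16.208.2, dmz
                         [1/0] via 172.16.209.2, port15
                         [1/0] via 172.16.210.2, port16
S       10.1.100.22/32 [10/0] via 172.16.209.2, port15
                                  [10/0] via 172.16.210.2, port16
"""

MEMBER_RE = re.compile(
    r"Seq_num\(\d+ (?P<iface>\S+)\), (?P<state>\w+), sla\(0x(?P<sla>[0-9a-f]+)\), "
    r"gid\(\d+\), cfg_order\((?P<order>\d+)\), cost\((?P<cost>\d+)\)")
# Continuation lines of an ECMP route carry no prefix, only "[dist/metric] via gw, iface".
ROUTE_RE = re.compile(
    r"(?:(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) )?\[\d+/\d+\] via \S+, (?P<iface>\S+)")


def parse_members(text):
    """Return {iface: attrs}. The sla() value is a bitmask, one bit per SLA the
    rule references; this rule uses a single SLA (id 1), so bit 0 means in SLA."""
    members = {}
    for m in MEMBER_RE.finditer(text):
        members[m["iface"]] = {
            "alive": m["state"] == "alive",
            "in_sla": bool(int(m["sla"], 16) & 0x1),
            "order": int(m["order"]),
            "cost": int(m["cost"]),
        }
    return members


def parse_routes(text):
    """Return a list of (network, iface); ECMP continuation lines inherit the
    prefix of the preceding route line."""
    routes, current = [], None
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if not m:
            continue
        if m["prefix"]:
            current = ipaddress.ip_network(m["prefix"])
        routes.append((current, m["iface"]))
    return routes


def longest_match_members(routes, dst):
    """Interfaces holding the longest-prefix route covering dst: the candidate
    set that fib-best-match confines the rule to (assumption: prefix length only)."""
    dst = ipaddress.ip_address(dst)
    covering = [(net, iface) for net, iface in routes if dst in net]
    if not covering:
        return []
    best = max(net.prefixlen for net, _ in covering)
    return [iface for net, iface in covering if net.prefixlen == best]


def select_member(members, routes, dst, mode="sla", fib_best_match=True, quality=None):
    """Pick the egress member for dst.

    mode="sla": prefer alive members in SLA, then lowest cost, then config order.
    mode="priority": prefer the best (lowest) score in `quality`, a constructed
    {iface: score} map standing in for the health-check link metric.
    With fib_best_match=True the candidate set is never widened beyond the
    longest-match members, even when all of them are out of SLA or worse.
    """
    pool = longest_match_members(routes, dst) if fib_best_match else list(members)
    candidates = [i for i in pool if i in members and members[i]["alive"]]
    if not candidates:
        return None
    if mode == "sla":
        return min(candidates, key=lambda i: (not members[i]["in_sla"],
                                              members[i]["cost"], members[i]["order"]))
    if mode == "priority":
        return min(candidates, key=lambda i: (quality[i], members[i]["order"]))
    raise ValueError(f"unknown mode {mode!r}")


def demo():
    """Replay the page's scenario plus the two comparisons described in the lead-in."""
    members = parse_members(SDWAN_SERVICE_OUTPUT)
    routes = parse_routes(ROUTING_TABLE_OUTPUT)
    scores = {"port1": 10, "dmz": 12, "port15": 80, "port16": 60}  # constructed
    return {
        "pc2_fib_best_match": select_member(members, routes, "10.1.100.22"),
        "pc2_without_fib_best_match": select_member(members, routes, "10.1.100.22",
                                                    fib_best_match=False),
        "other_destination": select_member(members, routes, "192.0.2.10"),
        "pc2_priority_mode": select_member(members, routes, "10.1.100.22",
                                           mode="priority", quality=scores),
    }


if __name__ == "__main__":
    print(demo())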

Override quality comparisons in SD-WAN longest match rule matching

In SD-WAN rules, the longest match routes will override the quality comparisons when all of the specific routes are out of SLA.

With this feature in an SD-WAN rule:

  • Lowest Cost (sla): Even though all of the egress ports on specific routes (longest matched routes) are out of SLA, the SD-WAN rule still selects the first configured or lower-cost port from the egress ports to forward traffic.

  • Best Quality (priority): Even though the egress ports on specific routes (longest matched routes) have worse quality that all other ports on less specific routes, the SD-WAN rule still selects the best quality port from the ports on specific routes to forward traffic.

This features avoids a situation where, if the members on specific routes (longest matched routes) are out of SLA or have worse quality, the traffic might be forwarded to the wrong members in SLA (higher quality) on the default or aggregate routes.

Example

In this example, four SD-WAN members in two zones are configured. The remote PC (PC_2 - 10.1.100.22) is accessible on port15 and port16, even though there are valid routes for all of the SD-WAN members. A single SD-WAN service rule is configured that allows traffic to balanced between all four of the members, but only chooses between port15 and port16 for the specific 10.1.100.22 address. If neither port15 nor port16 meet the SLAs, traffic will be forwarded on one of these interfaces, instead of on port1 or dmz.

A performance SLA health check is configured to monitor 10.1.100.2. An SD-WAN service rule in Lowest Cost (SLA) mode is configured to select the best interface to steer the traffic. In the rule, the method of selecting a member if more than one meets the SLA (tie-break) is configured to select members that meet the SLA and match the longest prefix in the routing table (fib-best-match). If there are multiple ECMP routes with the same destination, the FortiGate will take the longest (or best) match in the routing table, and choose from those interface members.

To configure the SD-WAN:
config system sdwan
    config zone
        edit "virtual-wan-link"
        next
        edit "z1"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway 172.16.200.2
        next
        edit 2
            set interface "dmz"
            set gateway 172.16.208.2
        next
        edit 3
            set interface "port15"
            set zone "z1"
            set gateway 172.16.209.2
        next
        edit 4
            set interface "port16"
            set zone "z1"
            set gateway 172.16.210.2
        next
    end
    config health-check
        edit "1"
            set server "10.1.100.2"
            set members 0
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "1"
            set mode sla
            set dst "all"
            set src "172.16.205.0"
            config sla
                edit "1"
                    set id 1
                next
            end
            set priority-members 1 2 3 4
            set tie-break fib-best-match
        next
    end
end
To check the results:
  1. The debug shows the SD-WAN service rule. Both port15 and port16 are up, but out of SLA:

    FGT_A (root) # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(4):
        1: Seq_num(1 port1), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected 
        2: Seq_num(2 dmz), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected 
        3: Seq_num(3 port15), alive, sla(0x0), gid(0), cfg_order(2), cost(0), selected 
        4: Seq_num(4 port16), alive, sla(0x0), gid(0), cfg_order(3), cost(0), selected  
      Src address(1):
            172.16.205.0-172.16.205.255
    
      Dst address(1):
            0.0.0.0-255.255.255.255
  2. The routing table shows that there are ECMP default routes on all of the members, and ECMP specific (or best) routes only on port15 and port16:

    FGT_A (root) # get router info routing-table static         
    Routing table for VRF=0
    S*      0.0.0.0/0 [1/0] via 172.16.200.2, port1
                             [1/0] via 172.16.208.2, dmz
                             [1/0] via 172.16.209.2, port15
                             [1/0] via 172.16.210.2, port16
    S       10.1.100.22/32 [10/0] via 172.16.209.2, port15
                                      [10/0] via 172.16.210.2, port16
    

    Because tie-break is set to fib-best-match, even though both port15 and port16 are out of SLA, the first configured member of the two (port15) is selected to forward traffic to PC_2. For all other traffic, the first configured member from all of the interfaces that are in SLA is selected to forward traffic (port1).

  3. On PC-1, generate traffic to PC-2:

    ping 10.1.100.22
  4. On FGT_A, sniff for traffic sent to PC_2:

    # diagnose sniffer packet any 'host 10.1.100.22' 4
    interfaces=[any]
    filters=[host 10.1.100.22]
    2.831299 port5 in 172.16.205.11 -> 10.1.100.22: icmp: echo request
    2.831400 port15 out 172.16.205.11 -> 10.1.100.22: icmp: echo request

    Traffic is leaving on port15, the first configured member from port15 and port16, even though both are out of SLA.