Passive WAN health measurement

SD-WAN passive WAN health measurement determines the health check measurements using session information that is captured on firewall policies that have Passive Health Check (passive-wan-health-measurement) enabled. Passive measurements analyze session information that is gathered from various TCP sessions to determine the jitter, latency, and packet loss.

Using passive WAN health measurement reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements. Passive WAN health measurement analyzes real-life traffic; active WAN health measurement using a detection server might not reflect the real-life traffic.

By default, active WAN health measurement is enabled when a new health check is created. It can be changed to passive or prefer passive:


Health is measured using traffic, without probes. No link health monitor needs to be configured.


Health is measured using traffic when there is traffic, and using probes when there is no traffic. A link health monitor must be configured, see Link health monitor for details.


When passive-wan-health-measurement is enabled, auto-asic-offload will be disabled.


In this example, the FortiGate is configured to load-balance between two WAN interfaces, port15 and port16. A health check is configured in passive mode, and SLA thresholds are set. Passive WAN health measurement is enabled on the SD-WAN policy.

Measurements are taken from YouTube traffic generated by the PC. When latency is introduced to the traffic on port15, the passive health check trigger threshold is exceeded and traffic is rerouted to port16.

To configure the SD-WAN in the GUI:
  1. Create the SD-WAN zone:

    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.

    2. Click Create New > SD-WAN Zone.

    3. Enter a name for the zone, such as SD-WAN.

    4. Click OK.

  2. Create the SD-WAN members:

    1. Go to Network > SD-WAN and select the SD-WAN Zones tab.

    2. Click Create New > SD-WAN Member.

    3. Set Interface to port15, SD-WAN Zone to SD-WAN, and Gateway set to

    4. Click OK.

    5. Click Create New > SD-WAN Member again.

    6. Set Interface to port16, SD-WAN Zone to SD-WAN, and Gateway set to

    7. Click OK.

  3. Create a performance SLA:

    1. Go to Network > SD-WAN and select the Performance SLAs tab.

    2. Edit an existing health check, or create a new one.

    3. Set Probe mode to Passive.

    4. Set Participants to Specify and add port15 and port16.

    5. Configure two SLA targets. Note that the second SLA target must be configured in the CLI.

    6. Configure the remaining settings as needed.

    7. Click OK.

      The SLA list shows the probe mode in the Detect Server column, if the probe mode is passive or prefer passive.


      Probe packets can only be disabled in the CLI and when the probe mode is not passive.

  4. Create SD-WAN rules:

    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    2. Configure the first rule:



      Source address


      Click in the field, and in the Select Entries pane search for YouTube and select all of the entries


      Maximize Bandwidth (SLA)

      Interface preference

      port15 and port16

      Required SLA target


    3. Click OK.

    4. Click Create New again and configure the second rule: