Administration Guide

Passive health-check measurement by internet service and application

Passive health measurement supports passive detection for each internet service and application.

If internet services or applications are defined in an SD-WAN rule with passive health check, SLA information for each service or application will be differentiated and collected. SLA metrics (latency, jitter, and packet loss) on each SD-WAN member in the rule are then calculated based on the relevant internet service's or application's SLA information.

In this example, three SD-WAN rules are created:

  • Rule 1: Best quality (latency) using passive SLA for the internet services Alibaba and Amazon.

  • Rule 2: Best quality (latency) using passive SLA for the applications Netflix and YouTube.

  • Rule 3: Best quality (latency) using passive SLA for all other traffic.

After passive application measurement is enabled for rules one and two, the SLA metric of rule one is the average latency of the internet services Alibaba and Amazon, and the SLA metric of rule two is the average latency of the applications Netflix and YouTube.

To configure the SD-WAN:
  1. Configure the SD-WAN members:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "port15"
                set gateway 172.16.209.2
            next
        end
    end
  2. Configure the passive mode health check:

    config health-check
        edit "Passive_HC"
            set detect-mode passive
            set members 1 2
        next
    end
  3. Configure SD-WAN service rules:

    config service
        edit 1
            set name "1"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-name "Alibaba-Web" "Amazon-Web"
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    // Enable passive application measurement; this command is new with this feature.
        next
        edit 2
            set name "2"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 18155 31077
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    // Enable passive application measurement
        next
        edit 3
            set name "3"
            set mode priority
            set dst "all"
            set src "172.16.205.0"
            set health-check "Passive_HC"
            set priority-members 1 2
        next
    end
  4. Configure SD-WAN routes:

    config router static
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
    end
  5. Configure the firewall policy with passive WAN health measurement enabled:

    config firewall policy
        edit 1
            set uuid 972345c6-1595-51ec-66c5-d705d266f712
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set passive-wan-health-measurement enable
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
            set auto-asic-offload disable
        next
    end
To verify the results:
  1. On the PC, open the browser and visit the internet services and applications.

  2. On the FortiGate, check the collected SLA information to confirm that each internet service or application on the SD-WAN members was measured individually:

    # diagnose sys link-monitor-passive interface
    
    Interface dmz (5):
           Default(0x00000000): latency=3080.0  11:57:54, jitter=5.0     11:58:08, pktloss=0.0  % NA
       Alibaba-Web(0x00690001): latency=30.0    11:30:06, jitter=25.0    11:29:13, pktloss=0.0  % NA
           YouTube(0x00007965): latency=100.0   12:00:35, jitter=2.5     12:00:30, pktloss=0.0  % NA
           Netflix(0x000046eb): latency=10.0    11:31:24, jitter=10.0    11:30:30, pktloss=0.0  % NA
        Amazon-Web(0x00060001): latency=80.0    11:31:52, jitter=35.0    11:32:07, pktloss=0.0  % NA
    
    Interface port15 (27):
           Default(0x00000000): latency=100.0   12:00:42, jitter=0.0     12:00:42, pktloss=0.0  % NA
        Amazon-Web(0x00060001): latency=30.0    11:56:05, jitter=0.0     11:55:21, pktloss=0.0  % NA
       Alibaba-Web(0x00690001): latency=0.0     11:26:08, jitter=35.0    11:27:08, pktloss=0.0  % NA
           YouTube(0x00007965): latency=100.0   11:33:34, jitter=0.0     11:33:50, pktloss=0.0  % NA
           Netflix(0x000046eb): latency=0.0     11:26:29, jitter=0.0     11:29:03, pktloss=0.0  % NA
  3. Verify that the SLA metrics on the members are calculated as expected:

    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 15.000, selected           // Average latency of "Alibaba-Web" and "Amazon-Web" on port15:     15.000 = (0.0+30.0)/2
        2: Seq_num(1 dmz), alive, latency: 55.000, selected              // Average latency of "Alibaba-Web" and "Amazon-Web" on dmz:         55.000 = (30.0+80.0)/2
      Internet Service(2): Alibaba-Web(6881281,0,0,0) Amazon-Web(393217,0,0,0)
      Src address(1):
            172.16.205.0-172.16.205.255
    
    Service(2): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(1 dmz), alive, latency: 55.000, selected               // Average latency of "Netflix" and "YouTube" on dmz:        55.000 = (10.0+100.0)/2
        2: Seq_num(2 port15), alive, latency: 50.000, selected           // Average latency of "Netflix" and "YouTube" on port15:     50.000 = (0.0+100.0)/2 
      Internet Service(2): Netflix(4294837427,0,0,0 18155) YouTube(4294838283,0,0,0 31077)
      Src address(1):
            172.16.205.0-172.16.205.255
    
    Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(9), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 46.000, selected          // Average latency of all TCP traffic on port15:       46   = (100.0+30.0+0.0+100.0+0.0)/5
        2: Seq_num(1 dmz), alive, latency: 660.000, selected           // Average latency of all TCP traffic on dmz:           660 = (3080.0+30.0+100.0+10.0+80.0)/5
      Src address(1):
            172.16.205.0-172.16.205.255
    
      Dst address(1):
            0.0.0.0-255.255.255.255
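As an added worked example (not part of the Fortinet guide and not FortiOS code), the following Python parses the `diagnose sys link-monitor-passive interface` output from step 2 and reproduces the per-member averages that `diagnose sys sdwan service` reports in step 3. The sample text is the output above, embedded as a constructed string so the script runs offline; the parser, the `RULES` mapping of rule number to measured services, and the treatment of rule 3 as "average over every collected entry including Default" are assumptions made here to match the arithmetic shown in the comments of step 3.

```python
import re

# Constructed sample: the passive SLA output from verification step 2,
# copied into a string so this example runs without a FortiGate.
SAMPLE_OUTPUT = """\
Interface dmz (5):
       Default(0x00000000): latency=3080.0  11:57:54, jitter=5.0     11:58:08, pktloss=0.0  % NA
   Alibaba-Web(0x00690001): latency=30.0    11:30:06, jitter=25.0    11:29:13, pktloss=0.0  % NA
       YouTube(0x00007965): latency=100.0   12:00:35, jitter=2.5     12:00:30, pktloss=0.0  % NA
       Netflix(0x000046eb): latency=10.0    11:31:24, jitter=10.0    11:30:30, pktloss=0.0  % NA
    Amazon-Web(0x00060001): latency=80.0    11:31:52, jitter=35.0    11:32:07, pktloss=0.0  % NA

Interface port15 (27):
       Default(0x00000000): latency=100.0   12:00:42, jitter=0.0     12:00:42, pktloss=0.0  % NA
    Amazon-Web(0x00060001): latency=30.0    11:56:05, jitter=0.0     11:55:21, pktloss=0.0  % NA
   Alibaba-Web(0x00690001): latency=0.0     11:26:08, jitter=35.0    11:27:08, pktloss=0.0  % NA
       YouTube(0x00007965): latency=100.0   11:33:34, jitter=0.0     11:33:50, pktloss=0.0  % NA
       Netflix(0x000046eb): latency=0.0     11:26:29, jitter=0.0     11:29:03, pktloss=0.0  % NA
"""

# One "Interface <name> (<index>):" header per SD-WAN member.
IFACE_RE = re.compile(r"^Interface (\S+) \((\d+)\):")
# One "<service>(<hex id>): latency=<v> <time>, jitter=<v> <time>, pktloss=<v>" line per entry.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>[\w-]+)\((?P<id>0x[0-9a-fA-F]+)\):\s*"
    r"latency=(?P<latency>[\d.]+)\s+\S+,\s*"
    r"jitter=(?P<jitter>[\d.]+)\s+\S+,\s*"
    r"pktloss=(?P<pktloss>[\d.]+)"
)

# Assumed rule-to-service mapping taken from the three SD-WAN rules above.
# None means "all other traffic" (rule 3), which the output averages over
# every entry on the member, the Default bucket included.
RULES = {
    1: ["Alibaba-Web", "Amazon-Web"],
    2: ["Netflix", "YouTube"],
    3: None,
}


def parse_passive_sla(text):
    """Parse the passive link-monitor output into
    {interface: {service_name: {"id", "latency", "jitter", "pktloss"}}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = {
                # The hex id is the decimal internet-service id that
                # "diagnose sys sdwan service" prints next to each service.
                "id": int(m.group("id"), 16),
                "latency": float(m.group("latency")),
                "jitter": float(m.group("jitter")),
                "pktloss": float(m.group("pktloss")),
            }
    return result


def rule_metric(sla, interface, services=None, metric="latency"):
    """Average `metric` over the services a rule measures on one member.
    Services with no collected entry yet are skipped (an assumption made here)."""
    entries = sla[interface]
    names = list(entries) if services is None else services
    values = [entries[n][metric] for n in names if n in entries]
    if not values:
        return None
    return sum(values) / len(values)


def rule_table(sla, rules=RULES, metric="latency"):
    """Per-rule, per-member metric, shaped like the Members() lines of step 3."""
    return {
        rule: {iface: rule_metric(sla, iface, svcs, metric) for iface in sla}
        for rule, svcs in rules.items()
    }


if __name__ == "__main__":
    table = rule_table(parse_passive_sla(SAMPLE_OUTPUT))
    for rule, members in table.items():
        for iface, latency in members.items():
            print(f"Service({rule}) {iface}: latency {latency:.3f}")
```

Running the script prints rule 1 as 15.000 on port15 and 55.000 on dmz, rule 2 as 55.000 on dmz and 50.000 on port15, and rule 3 as 46.000 on port15 and 660.000 on dmz, matching step 3. The example computes the metrics only; it does not model which member FortiOS places first, since that also depends on the rule's link-cost-threshold.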
