Speed tests run from the hub to the spokes in dial-up IPsec tunnels

In a hub and spoke SD-WAN topology that uses dial-up VPN overlays, QoS can be applied on individual tunnels based on the measured bandwidth between the hub and spokes. The FortiGate can use the built in speed test to dynamically populate the egress bandwidth to individual dial-up tunnels from the hub.

SD-WAN members on a spoke can switch routes when the speed test is running from the hub to the spoke. The speed test results can be cached for reuse when a tunnel comes back after going down.

CLI commands

Allow upload speed tests to be run from the hub to spokes on demand for dial-up IPsec tunnel:
config system speed-test-schedule
    edit <interface>
        set dynamic-server {enable | disable} 


The dial-up IPsec tunnel interface on the hub.

dynamic-server {enable | disable}

Enable/disable the dynamic speed test server (default = disable).


To limit the maximum and minimum bandwidth used in the speed test, enable set update-inbandwidth and set update-outbandwidth. See Scheduled interface speedtest for more information.

config system global
   set speedtest-server {enable | disable}

speedtest-server {enable | disable}

Enable/disable the speed test server on the spoke (default = disable). This setting must be enabled on spoke FortiGates. This enables iPerf in server mode, which listens on the default iPerf TCP port 5201.

Allow an SD-WAN member on the spoke to switch routes when it is on speed test from the hub to spokes:
config system sdwan
    set speedtest-bypass-routing {enable | disable}
    config neighbor
        edit <bgp neighbor>
            set mode speedtest

speedtest-bypass-routing {enable | disable}

Enable/disable bypass routing when doing a speed test on an SD-WAN member (default = disable).

set mode speedtest

Use the speed test to select the neighbor.

Manually run uploading speed test on the physical interfaces of each tunnel of an dial-up IPsec interface:
execute speed-test-dynamic <interface> <tunnel_name> <'y'/'n'> <max-out> <min-out>


IPsec phase1 interface name.


The tunnel name, or all for all tunnels.


Apply the result to the tunnels' shaper or not.


The maximum speed used in a speed test, in kbps.


The minimum speed used in a speed test, in kbps.

Manually run a non-blocking uploading speed test:
diagnose netlink interface speed-test-tunnel <interface> <tunnel_name>
Debug and test commands:

diagnose debug application speedtest <int>

Enable debug of the speed test module in the forticron daemon.

diagnose debug application speedtestd <int>

Enable debug of the speed test server daemon.

diagnose test application forticron 9

List the scheduled speed tests.

diagnose test application forticron 10

Show the cached speed test results.

diagnose test application forticron 11

Write the cached speed test results to disk.

diagnose test application forticron 12

Load the speed test results from disk.

diagnose test application forticron 99

Cancel all pending speed tests.


In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.

The VPN interfaces and IP addresses are: