Administration Guide

SD-WAN application monitor using FortiMonitor

The agent-based health check detection mode works with FortiMonitor to provide more accurate user-level performance statistics. FortiMonitor acts as an agent and sends health check probes on behalf of the monitored FortiGate interface. Because FortiMonitor mimics a real user, its probes return a more accurate measure of application-level performance. The SLA information collected by FortiMonitor is sent back to the FortiGate and recorded as the monitored interface's SLA information. These statistics can be used to gain deeper insight into SD-WAN traffic performance.

config system sdwan
    config health-check
        edit <name>
            set detect-mode agent-based
        next
    end
    config service
        edit <id>
            set agent-exclusive {enable | disable}
        next
    end
end

The following diagnostic commands can be used to view agent-related metrics:

# diagnose sys link-monitor-passive agent <option>

Option          Description
list            List all the collected reports.
list-app        List the details of each application.
flush           Flush all the collected reports.
flush-app       Flush the details of all the applications.
agent-oif-map   List the agent and interface maps.

Example

In this example, routing is achieved through SD-WAN rules. The agent-based health check detection mode creates the FortiMonitor IP address and FortiGate SD-WAN interface map.

This example assumes that the FortiMonitor has already been added to the Security Fabric (see Configuring FortiMonitor for detailed instructions). The FortiMonitor OnSight (client) can be configured for two or more IP addresses, and each IP address is capable of sending application probes to user-specified applications.

Specific routing is implemented on the FortiGate to ensure each FortiMonitor client collects performance statistics for only one SD-WAN member interface. The FortiMonitor is configured to send application-specific probes to measure that application’s performance on a given SD-WAN member. The FortiGate uses the FortiMonitor performance statistics to determine link quality based on application performance by mapping the health check. The link quality for a given application can then be used to steer the matching application traffic with greater accuracy.

To configure the FortiGate:
  1. Configure the address objects for each FortiMonitor client:

    config firewall address
        edit "FMR_OnSight1"
            set subnet 10.2.1.80 255.255.255.255
        next
        edit "FMR_OnSight2"
            set subnet 10.2.1.81 255.255.255.255
        next
    end
  2. Configure the SD-WAN rules to ensure each OnSight client uses only one SD-WAN member, and map the FortiMonitor IP to an SD-WAN member (interface):

    config system sdwan
        config service
            edit 1
                set dst "all"
                set src "FMR_OnSight1"
                set priority-members 1
                set agent-exclusive enable
            next
            edit 2
                set dst "all"
                set src "FMR_OnSight2"
                set priority-members 2
                set agent-exclusive enable
            next
        end
    end
  3. Configure the SD-WAN health check:

    config system sdwan
        config health-check
            edit "FMR"
                set detect-mode agent-based
                set members 1 2
                config sla
                    edit 1
                    next
                end
            next
        end
    end
To verify the SD-WAN member performance:
  1. Verify the health check diagnostics:

    # diagnose sys sdwan health-check 
    Health Check(FMR): 
    Seq(1 v1236): state(alive), packet-loss(0.000%) latency(183.214), jitter(0.124), mos(4.225), bandwidth-up(999992), bandwidth-dw(999976), bandwidth-bi(1999968) sla_map=0x0
    Seq(2 v1237): state(alive), packet-loss(0.000%) latency(182.946), jitter(0.100), mos(4.226), bandwidth-up(999998), bandwidth-dw(999993), bandwidth-bi(1999991) sla_map=0x0
    
  2. Verify the collected reports:

    # diagnose sys link-monitor-passive agent list 
           v1236( 23) | src=10.2.1.80 | latency=183.2   20:27:24 | jitter=0.1     20:27:24 | pktloss=0.0  % 20:27:24
           v1237( 24) | src=10.2.1.81 | latency=182.9   20:27:24 | jitter=0.1     20:27:24 | pktloss=0.0  % 20:27:24
    
  3. Verify the details of each application:

    # diagnose sys link-monitor-passive agent list-app 
    app_id=0x00000000, app=fortinet.com, dev=v1236(23)
            latency=183.2, jitter=0.1, pktloss=0.0,ntt=99.2,srt=384.8,app_err=0.0, 20:28:25
    app_id=0x00000000, app=fortinet.com, dev=v1237(24)
            latency=183.1, jitter=0.5, pktloss=0.0,ntt=104.4,srt=377.8,app_err=0.0, 20:28:25
    
  4. Verify the agent and interface maps:

    # diagnose sys link-monitor-passive agent agent-oif-map 
    oif=v1236(23), src=10.2.1.80
    oif=v1237(24), src=10.2.1.81
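The verification steps above are read by eye. The following is an added example, not part of the guide and not a Fortinet tool, that parses the `agent-oif-map` and `list-app` output formats shown above and performs two checks a practitioner would want: that the agent-to-member mapping really is one agent per SD-WAN member (the property the `agent-exclusive` rules are meant to guarantee), and that each application's measured metrics stay within SLA targets. The sample output strings are constructed to match the formats on this page; the `SLA_TARGETS` thresholds are hypothetical values chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample output modelled on the "diagnose sys link-monitor-passive agent"
# formats shown in this guide; the values are illustrative, not captured from a device.
AGENT_OIF_MAP = """\
oif=v1236(23), src=10.2.1.80
oif=v1237(24), src=10.2.1.81
"""

LIST_APP = """\
app_id=0x00000000, app=fortinet.com, dev=v1236(23)
        latency=183.2, jitter=0.1, pktloss=0.0,ntt=99.2,srt=384.8,app_err=0.0, 20:28:25
app_id=0x00000000, app=fortinet.com, dev=v1237(24)
        latency=183.1, jitter=0.5, pktloss=0.0,ntt=104.4,srt=377.8,app_err=0.0, 20:28:25
"""

# Hypothetical per-application SLA targets (latency/jitter/srt in ms, pktloss in %).
SLA_TARGETS = {"latency": 250.0, "jitter": 30.0, "pktloss": 1.0, "srt": 500.0}

MAP_RE = re.compile(r"oif=(\S+), src=(\S+)")
APP_HDR_RE = re.compile(r"app_id=(\S+), app=(\S+), dev=(\S+)")
METRIC_RE = re.compile(r"(\w+)=([0-9.]+)")
TIME_RE = re.compile(r"\b(\d{2}:\d{2}:\d{2})\b")


def parse_oif_map(text):
    """Return a list of (oif, src) pairs from 'agent-oif-map' output."""
    return [(m.group(1), m.group(2)) for m in MAP_RE.finditer(text)]


def check_exclusive_mapping(pairs):
    """Report violations of the one-agent-per-member design: an agent source IP seen
    on more than one outgoing interface, or a member carrying more than one agent."""
    oifs_by_src = defaultdict(set)
    srcs_by_oif = defaultdict(set)
    for oif, src in pairs:
        oifs_by_src[src].add(oif)
        srcs_by_oif[oif].add(src)
    problems = []
    for src, oifs in sorted(oifs_by_src.items()):
        if len(oifs) > 1:
            problems.append(f"agent {src} probes via several members: {sorted(oifs)}")
    for oif, srcs in sorted(srcs_by_oif.items()):
        if len(srcs) > 1:
            problems.append(f"member {oif} carries several agents: {sorted(srcs)}")
    return problems


def parse_list_app(text):
    """Parse 'list-app' output into one record per (application, member) pair.
    The header line names the app and member; the indented line carries the metrics."""
    records, current = [], None
    for line in text.splitlines():
        hdr = APP_HDR_RE.search(line)
        if hdr:
            current = {"app_id": hdr.group(1), "app": hdr.group(2), "dev": hdr.group(3)}
            records.append(current)
        elif current is not None and "latency=" in line:
            current.update({k: float(v) for k, v in METRIC_RE.findall(line)})
            t = TIME_RE.search(line)
            current["time"] = t.group(1) if t else None
    return records


def evaluate_sla(records, targets=SLA_TARGETS):
    """Return {dev: {app: [metric names over their target]}} for every record."""
    breaches = defaultdict(dict)
    for r in records:
        over = [m for m, limit in targets.items() if r.get(m, 0.0) > limit]
        breaches[r["dev"]][r["app"]] = over
    return dict(breaches)


def report(oif_map_text=AGENT_OIF_MAP, list_app_text=LIST_APP):
    """Run both checks over captured CLI output and return the findings."""
    problems = check_exclusive_mapping(parse_oif_map(oif_map_text))
    breaches = evaluate_sla(parse_list_app(list_app_text))
    return {"mapping_problems": problems, "sla_breaches": breaches}


if __name__ == "__main__":
    print(report())
```

In practice the two strings would be replaced by the output of the corresponding `diagnose` commands captured from the FortiGate; an entry in `mapping_problems` means a FortiMonitor client is reaching the Internet through more than one member (or two clients share a member), so the per-member statistics the health check reports can no longer be attributed to a single link.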
    
