Passive health-check measurement by internet service and application
Passive health measurement can detect SLA metrics separately for each internet service and application.
If internet services or applications are defined in an SD-WAN rule that uses a passive health check, SLA information is collected and kept separate for each service or application. The SLA metrics (latency, jitter, and packet loss) of each SD-WAN member in that rule are then calculated only from the SLA information of the rule's own internet services or applications.
In this example, three SD-WAN rules are created:
- Rule 1: Best quality (latency) using passive SLA for the internet services Alibaba and Amazon.
- Rule 2: Best quality (latency) using passive SLA for the applications Netflix and YouTube.
- Rule 3: Best quality (latency) using passive SLA for all other traffic.
After passive application measurement is enabled for rules 1 and 2, the SLA metric of rule 1 is the average latency of the internet services Alibaba and Amazon, and the SLA metric of rule 2 is the average latency of the applications Netflix and YouTube. Rule 3 has no passive application measurement, so its metric is the average over all measured traffic on the member.
To configure the SD-WAN:
- Configure the SD-WAN members:
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "port15"
                set gateway 172.16.209.2
            next
        end
    end
- Configure the passive mode health check:
    config health-check
        edit "Passive_HC"
            set detect-mode passive
            set members 1 2
        next
    end
- Configure the SD-WAN service rules:
    config service
        edit 1
            set name "1"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-name "Alibaba-Web" "Amazon-Web"
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    // Enable passive application measurement (new command)
        next
        edit 2
            set name "2"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 18155 31077
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    // Enable passive application measurement
        next
        edit 3
            set name "3"
            set mode priority
            set dst "all"
            set src "172.16.205.0"
            set health-check "Passive_HC"
            set priority-members 1 2
        next
    end
- Configure the SD-WAN routes:
    config router static
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
    end
- Configure the firewall policy with passive WAN health measurement enabled:
    config firewall policy
        edit 1
            set uuid 972345c6-1595-51ec-66c5-d705d266f712
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set passive-wan-health-measurement enable
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
            set auto-asic-offload disable
        next
    end
To verify the results:
- On the PC, open the browser and visit the internet services and applications.
- On the FortiGate, check the collected SLA information to confirm that each internet service or application was measured individually on each SD-WAN member:
    # diagnose sys link-monitor-passive interface
    Interface dmz (5):
        Default(0x00000000): latency=3080.0 11:57:54, jitter=5.0 11:58:08, pktloss=0.0 % NA
        Alibaba-Web(0x00690001): latency=30.0 11:30:06, jitter=25.0 11:29:13, pktloss=0.0 % NA
        YouTube(0x00007965): latency=100.0 12:00:35, jitter=2.5 12:00:30, pktloss=0.0 % NA
        Netflix(0x000046eb): latency=10.0 11:31:24, jitter=10.0 11:30:30, pktloss=0.0 % NA
        Amazon-Web(0x00060001): latency=80.0 11:31:52, jitter=35.0 11:32:07, pktloss=0.0 % NA
    Interface port15 (27):
        Default(0x00000000): latency=100.0 12:00:42, jitter=0.0 12:00:42, pktloss=0.0 % NA
        Amazon-Web(0x00060001): latency=30.0 11:56:05, jitter=0.0 11:55:21, pktloss=0.0 % NA
        Alibaba-Web(0x00690001): latency=0.0 11:26:08, jitter=35.0 11:27:08, pktloss=0.0 % NA
        YouTube(0x00007965): latency=100.0 11:33:34, jitter=0.0 11:33:50, pktloss=0.0 % NA
        Netflix(0x000046eb): latency=0.0 11:26:29, jitter=0.0 11:29:03, pktloss=0.0 % NA
- Verify that the SLA metrics on the members are calculated as expected:
    # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 15.000, selected    // Average latency of "Alibaba-Web" and "Amazon-Web" on port15: 15.000 = (0.0+30.0)/2
        2: Seq_num(1 dmz), alive, latency: 55.000, selected    // Average latency of "Alibaba-Web" and "Amazon-Web" on dmz: 55.000 = (30.0+80.0)/2
      Internet Service(2): Alibaba-Web(6881281,0,0,0) Amazon-Web(393217,0,0,0)
      Src address(1): 172.16.205.0-172.16.205.255

    Service(2): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(1 dmz), alive, latency: 55.000, selected    // Average latency of "Netflix" and "YouTube" on dmz: 55.000 = (10.0+100.0)/2
        2: Seq_num(2 port15), alive, latency: 50.000, selected    // Average latency of "Netflix" and "YouTube" on port15: 50.000 = (0.0+100.0)/2
      Internet Service(2): Netflix(4294837427,0,0,0 18155) YouTube(4294838283,0,0,0 31077)
      Src address(1): 172.16.205.0-172.16.205.255

    Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(9), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 46.000, selected    // Average latency of all TCP traffic on port15: 46 = (100.0+30.0+0.0+100.0+0.0)/5
        2: Seq_num(1 dmz), alive, latency: 660.000, selected    // Average latency of all TCP traffic on dmz: 660 = (3080.0+30.0+100.0+10.0+80.0)/5
      Src address(1): 172.16.205.0-172.16.205.255
      Dst address(1): 0.0.0.0-255.255.255.255