Administration Guide

Digital Experience

Digital experience monitoring (DEM) serves as a valuable tool for network administrators in diagnosing connectivity and network issues for remote users along with monitoring their real-time network bandwidth, CPU, memory, and hard disk usage. It also enables tracing end-to-end network performance, from an endpoint to a FortiSASE PoP and to a SaaS application using a DEM agent installed on the endpoint. DEM provides insights into potential network issues between a FortiClient endpoint, FortiSASE PoP, SaaS applications, and the internet service providers (ISP) connecting them.

Note

DEM requires an Advanced remote users FortiSASE license or a Comprehensive remote users FortiSASE license. See the SASE and Zero Trust Ordering Guide. It also requires installing the DEM agent on endpoints.

For new FortiSASE instances with an Advanced or Comprehensive license, the DEM agent is packaged along with the FortiClient installer and available to download as a single executable file from FortiSASE when users download FortiClient. See Managed endpoint client onboarding.

For existing FortiSASE instances with an Advanced or Comprehensive license, endpoint users are prompted to begin upgrading to a FortiClient version that supports the DEM agent and the DEM agent is installed automatically during this upgrade.

To uninstall the DEM agent, do the following:

  • On macOS, use the uninstaller tool to uninstall FortiClient and the DEM agent together.

  • On Windows, use the installer package to uninstall FortiClient and the DEM agent together. You cannot uninstall the DEM agent using Add or Remove Programs in Control Panel.

To navigate DEM:
  1. Go to Network > Managed endpoints to see the list of managed and unmanaged endpoints.
  2. Select an endpoint and click View Endpoint Details. A new slide-in appears and the following endpoint details are visible:

    GUI option: Description

    • Details: Shows general endpoint information such as the hostname, management connection to FortiSASE, and VPN status. See Managed Endpoints. DEM displays information on all detected network interfaces and their IP addresses, and a real-time network bandwidth graph that shows total bandwidth used by the endpoint.

    • Hardware: Shows information regarding endpoint hardware such as vendor, model, and CPU. It displays a real-time graph that shows total hard disk, CPU, and memory usage on the endpoint.

    • Digital Experience: Shows DEM agent status: offline, online, or agent is not installed. To get end-to-end network performance visibility from the endpoint to a particular SaaS application, run a trace job for the selected endpoint. See To run a trace job on an endpoint.

  3. DEM displays a list of SaaS applications and health check metrics for first-mile connectivity between the geographical PoPs provisioned for your FortiSASE instance and SaaS applications, as the following diagram shows. See Digital Experience Monitoring.

Running a trace job on an endpoint

FortiSASE can run a trace job on the endpoint using the DEM agent. This helps troubleshoot performance bottlenecks in the network by providing link metrics such as average RTT and packet loss for each hop.

To run a trace job on an endpoint:
  1. Go to Network > Managed Endpoints.
  2. Select the desired endpoint and click View Endpoint Details. A slide-in appears.
  3. In the Digital Experience column, the DEM agent status must be Online. From the SaaS application dropdown list, select an application to test the connection to from the selected endpoint.
  4. Under Monitor for, configure a suitable time to run the trace job for the specified duration.
  5. Click Start to schedule the job.
    Note

    If you interrupt the current running job by clicking Stop, FortiSASE deletes the historical traceroute data collected so far and you must restart the job.

    The first trace job output displays within five minutes after clicking Start, after which FortiSASE presents output every three minutes until the selected Monitor for duration expires. FortiSASE stores the results displayed for three days only for the latest trace job. To analyze the trace job, see Analyzing trace job result.

Note

To run the trace job, the following must be true:

  • The DEM agent is installed on the endpoint.
  • The DEM agent status is Online on the Digital Experience tab under Network > Managed Endpoints > View Endpoint Details for the selected endpoint.
  • The Application Control security profile and the internet access firewall policy do not block ping or ICMP traffic.

Analyzing trace job result

The trace job output gives the average RTT (ms) and packet loss (%) for each hop of the network. To identify each hop accurately, it is important to know whether the selected endpoint is connected to the FortiSASE VPN tunnel for secure internet access (SIA).

When an endpoint is connected to the FortiSASE VPN tunnel, it accesses SaaS applications using SIA. Thus, the first and second hops of the trace are the entry and exit interface IP addresses of the FortiSASE PoP that the endpoint is connected to. The remaining hops are the ISPs in between until the last hop, which is the selected SaaS application.

When an endpoint is not connected to the FortiSASE tunnel, it accesses SaaS applications directly using its local internet breakout, bypassing the FortiSASE PoP. Thus, the performance metrics (average RTT and packet loss) displayed do not include the FortiSASE PoP.

Note

Some ISPs do not respond to the trace packets that the DEM agent sends, so those requests time out. Such hops are marked as *** in the trace result output.

Each FortiSASE administrator can only run one trace job on unique endpoints simultaneously.
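
One way to read a trace result using the hop rules above, as an added example that is not part of the Fortinet guide: it labels each hop by VPN state, skips *** hops, and locates the largest RTT rise and the point from which packet loss persists to the destination. The Hop row layout, the function names, and the sample trace are assumptions constructed for illustration; treating loss that clears at a later hop as non-persistent is a common traceroute heuristic, not a rule from the guide.

```python
# Added example. The hop rows are constructed sample data; the tuple layout
# is an assumption, not FortiSASE's trace output format.
from typing import NamedTuple, Optional

class Hop(NamedTuple):
    n: int
    addr: str                   # "***" when the hop timed out
    rtt_ms: Optional[float]     # average RTT, None for a *** hop
    loss_pct: Optional[float]   # packet loss, None for a *** hop

TRACE = [  # constructed; addresses are from documentation ranges
    Hop(1, "192.0.2.1", 18.0, 0.0),
    Hop(2, "192.0.2.2", 19.5, 0.0),
    Hop(3, "198.51.100.7", 24.0, 40.0),  # loss that clears at hop 4
    Hop(4, "198.51.100.9", 25.0, 0.0),
    Hop(5, "***", None, None),
    Hop(6, "198.51.100.33", 96.0, 3.0),
    Hop(7, "203.0.113.10", 98.0, 3.0),
]

def label_hops(hops, vpn_connected):
    """Map hop number -> role, following the guide's hop rules."""
    roles = {}
    for h in hops:
        if h.n == hops[-1].n:
            roles[h.n] = "SaaS application"
        elif vpn_connected and h.n == 1:
            roles[h.n] = "FortiSASE PoP entry"
        elif vpn_connected and h.n == 2:
            roles[h.n] = "FortiSASE PoP exit"
        else:
            roles[h.n] = "ISP" if vpn_connected else "local breakout path"
    return roles

def largest_rtt_step(hops):
    """(hop, delta_ms) of the biggest RTT rise between responding hops."""
    seen = [h for h in hops if h.rtt_ms is not None]  # skip *** hops
    steps = [(b.n, b.rtt_ms - a.rtt_ms) for a, b in zip(seen, seen[1:])]
    return max(steps, key=lambda s: s[1]) if steps else None

def persistent_loss_start(hops, threshold=1.0):
    """First hop from which loss stays >= threshold to the last responding hop."""
    start = None
    for h in reversed([h for h in hops if h.loss_pct is not None]):
        if h.loss_pct < threshold:
            break
        start = h.n
    return start
```

On the constructed trace, `largest_rtt_step(TRACE)` returns `(6, 71.0)` and `persistent_loss_start(TRACE)` returns `6`, so the 40% loss at hop 3 is not treated as the fault because hop 4 reports none. With `vpn_connected=True`, hops 1 and 2 are the PoP interfaces, which places the degradation in the ISP path after the PoP.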
