scampos
Staff
February 20, 2026

Technical Tip: How to configure an SD-WAN health-check for a WAN member

Description

This article outlines the steps to configure an active health check for a WAN member within an SD-WAN zone, utilizing ping to public DNS servers for quality of service (QoS) and monitoring purposes.

Scope

FortiOS 7.4+.

Solution

With an already-created SD-WAN zone with WAN (underlay) members, it is possible to monitor link health to provide QoS or identify outage events.

 

For the SD-WAN basic configuration of an underlay zone, refer to SD-WAN members and zones | FortiGate / FortiOS 7.6.6 | Fortinet Document Library.

 

  1. Once a zone is created with at least one WAN member on it, navigate to Network -> SD-WAN -> SD-WAN Zones.



 

  2. In the SD-WAN configuration, select the 'Performance SLAs' tab and select 'Create New'.



 

  3. Define a name for the health check. For the probe mode, select 'Active'; for the protocol, select 'Ping'; then define the test servers. In this example, the servers defined are 8.8.8.8 (Google DNS) and 1.1.1.1 (Cloudflare DNS).



 

  4. For participants, use 'Specify' and select the WAN members to monitor.



 

  5. Enable 'SLA Target' and specify the QoS thresholds appropriate for the network's requirements.



  6. Leave 'Update static route' enabled and select OK. To learn more about this feature's behavior, see Routing Change and Session Fail-over with SD-WAN - Fortinet Community.

 


  7. After this, the health check is shown working and monitoring the status of the selected members.



  8. The status of the health check can also be seen on the CLI:

diagnose sys sdwan health-check status


Health Check(Monitor):
Seq(3 port1): state(alive), packet-loss(0.000%) latency(9.938), jitter(0.057), mos(4.399), bandwidth-up(0), bandwidth-dw(0), bandwidth-bi(0) sla_map=0x1
Seq(2 port3): state(alive), packet-loss(0.000%) latency(9.885), jitter(0.094), mos(4.399), bandwidth-up(0), bandwidth-dw(0), bandwidth-bi(0) sla_map=0x1

 

When any of the members defined in the specific SD-WAN health check fails to meet the established thresholds, it will be marked as 'inactive' in the routing table.

 


 


 

It will be reactivated once it meets the Service Level Agreement (SLA) requirements again. To verify this, navigate to Log & Report -> System Events -> SD-WAN Events.
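
The CLI output shown above can also be checked by a script. The following Python sketch is an added example, not part of the original article or Fortinet code: it parses 'diagnose sys sdwan health-check status' output and lists members that are not alive or whose sla_map is 0x0, which is read here as "no SLA target met" (an assumption about the bitmask). The port5 line in the sample is constructed for illustration.

```python
import re

# Sample output: the two "alive" lines are from the article; the "dead" line
# is constructed for illustration (hypothetical member port5).
SAMPLE = """\
Health Check(Monitor):
Seq(3 port1): state(alive), packet-loss(0.000%) latency(9.938), jitter(0.057), mos(4.399), bandwidth-up(0), bandwidth-dw(0), bandwidth-bi(0) sla_map=0x1
Seq(2 port3): state(alive), packet-loss(0.000%) latency(9.885), jitter(0.094), mos(4.399), bandwidth-up(0), bandwidth-dw(0), bandwidth-bi(0) sla_map=0x1
Seq(4 port5): state(dead), packet-loss(100.000%) sla_map=0x0
"""

HEADER = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
MEMBER = re.compile(r"^Seq\((?P<seq>\d+)\s+(?P<intf>[^)]+)\):\s*(?P<rest>.*)$")
METRIC = re.compile(r"([a-z-]+)\(([^)]*)\)")
SLA_MAP = re.compile(r"sla_map=0x([0-9a-fA-F]+)")


def parse_health_check(text):
    """Return one dict per member line, tagged with its health-check name."""
    members, check = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            check = m["name"]
        elif (m := MEMBER.match(line)):
            fields = dict(METRIC.findall(m["rest"]))
            sla = SLA_MAP.search(m["rest"])
            row = {"check": check, "seq": int(m["seq"]), "interface": m["intf"],
                   "state": fields.pop("state", "unknown"),
                   "sla_map": int(sla.group(1), 16) if sla else None}
            # Latency, jitter, etc. may be absent on a dead member: keep what exists.
            for key, val in fields.items():
                row[key] = float(val.rstrip("%"))
            members.append(row)
    return members


def failing_members(members):
    """Members that are not alive, or whose sla_map is 0 (assumed: no SLA met)."""
    return [m for m in members if m["state"] != "alive" or m["sla_map"] == 0]


if __name__ == "__main__":
    for m in failing_members(parse_health_check(SAMPLE)):
        print(f'{m["check"]}: {m["interface"]} state={m["state"]} sla_map={m["sla_map"]}')
```
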

 


 

There are additional types and enhanced features for SD-WAN health-check configurations. For more information, see the following articles: