Technical Tip: SD-WAN enhanced health check options
Description
This article describes the advanced options for SD-WAN health checks, which include several probe protocols and their protocol-specific options.
Scope
Solution
The health-check protocol can be set to any of the following options.
- To use UDP-echo and TCP-echo as health checks:
config system sdwan
    set status enable
    config health-check
        edit "h4_udp1"
            set protocol udp-echo
            set port 7
            set server <server>
        next
        edit "h4_tcp1"
            set protocol tcp-echo
            set port 7
            set server <server>
        next
        edit "h6_udp1"
            set addr-mode ipv6
            set server "2032::12"
            set protocol udp-echo
            set port 7
        next
    end
end
- To use TCP Open (SYN/SYN-ACK) and TCP Close (FIN/FIN-ACK) to verify connections:
config system sdwan
    set status enable
    config health-check
        edit "h4_tcpconnect1"
            set protocol tcp-connect
            set port 443
            set quality-measured-method {half-open | half-close}
            set server <server>
        next
        edit "h6_tcpconnect1"
            set addr-mode ipv6
            set server "2032::13"
            set protocol tcp-connect
            set port 444
            set quality-measured-method {half-open | half-close}
        next
    end
end
TCP connect works by opening TCP connections to the configured servers on a port that can be set manually. This makes it possible to test connectivity to any TCP application running on the target servers, because the health check monitors the packets exchanged during TCP connection setup and tear-down. Set quality-measured-method to half-open or half-close according to the needs of the environment:
- half-open: measure the round trip between the SYN and its ACK (connection setup).
- half-close: measure the round trip between the FIN and its ACK (connection tear-down).
- To use active or passive mode FTP to verify connections:
config system sdwan
    set status enable
    config health-check
        edit "h4_ftp1"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "1.txt"
            set server <server>
        next
        edit "h6_ftp1"
            set addr-mode ipv6
            set server "2032::11"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "2.txt"
        next
    end
end
- To use DNS as a health check and, optionally, define the IP address that the DNS response must match:
config system sdwan
    set status enable
    config health-check
        edit "h4_dns1"
            set protocol dns
            set dns-request-domain "ip41.forti2.com"
            set dns-match-ip 1.1.1.1
        next
        edit "h6_dns1"
            set addr-mode ipv6
            set server "2000::15.1.1.4"
            set protocol dns
            set port 53
            set dns-request-domain "ip61.xxx.com"
        next
    end
end
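As an added example (not part of this article and not Fortinet code), a small Python helper that renders health-check entries in the CLI form shown above and rejects an entry whose protocol-specific options are missing, whose keyword value is invalid, or whose server address does not match its addr-mode. The required-option table is derived from the examples on this page and is an assumption, not the FortiOS schema; option values are emitted verbatim, so quote them as the CLI expects.

```python
import ipaddress
# Options each protocol needs, taken from this article's examples (assumption, not the FortiOS schema).
REQUIRED = {
    "udp-echo": ("port",),
    "tcp-echo": ("port",),
    "tcp-connect": ("port", "quality-measured-method"),
    "ftp": ("port", "user", "password", "ftp-mode", "ftp-file"),
    "dns": ("dns-request-domain",),
}
CHOICES = {
    "quality-measured-method": {"half-open", "half-close"},
    "ftp-mode": {"passive", "port"},
}

def validate_health_check(name, protocol, opts):
    """Raise ValueError when an entry lacks protocol-specific options or mixes address families."""
    if protocol not in REQUIRED:
        raise ValueError(f"{name}: unsupported protocol {protocol}")
    missing = [k for k in REQUIRED[protocol] if k not in opts]
    if missing:
        raise ValueError(f"{name}: {protocol} needs {', '.join(missing)}")
    for key, allowed in CHOICES.items():
        if key in opts and opts[key] not in allowed:
            raise ValueError(f"{name}: {key} must be one of {sorted(allowed)}")
    server = str(opts.get("server", "")).strip('"')
    try:
        version = ipaddress.ip_address(server).version
    except ValueError:
        return  # no server, or a hostname: the address family cannot be checked here
    wanted = 6 if opts.get("addr-mode") == "ipv6" else 4
    if version != wanted:
        raise ValueError(f"{name}: server {server} is not an IPv{wanted} address")

def render_health_check(name, protocol, opts):
    """Return one 'edit ... next' entry in FortiOS CLI form (4-space indent per level)."""
    validate_health_check(name, protocol, opts)
    lines = [f'edit "{name}"']
    if opts.get("addr-mode") == "ipv6":
        lines.append("    set addr-mode ipv6")  # addr-mode is set before the server, as in the article
    lines.append(f"    set protocol {protocol}")
    lines += [f"    set {k} {v}" for k, v in opts.items() if k != "addr-mode"]
    lines.append("next")
    return "\n".join(lines)

def render_sdwan_health_checks(checks):
    """Wrap (name, protocol, opts) tuples in the config system sdwan / config health-check stanza."""
    entries = "\n".join(render_health_check(*c) for c in checks)
    body = "\n".join("        " + line for line in entries.splitlines())
    return "config system sdwan\n    set status enable\n    config health-check\n" + body + "\n    end\nend"
```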
For more information on the SD-WAN CLI commands, refer to the CLI reference.
