Configure the SD-WAN zone and assign members to the zone:

Create the SD-WAN zone:

    config sys sdwan
        config zone
            edit "HUB2"        <----- Creates the SD-WAN zone HUB2.
            next
        end

Assign members to the SD-WAN zone:

        config members
            edit 30
                set interface "HUB2-VPN1-1"    <----- Assigns member HUB2-VPN1-1 to zone HUB2.
                set zone "HUB2"
                set cost 120
                set priority 10
            next
            edit 31
                set interface "HUB2-VPN2-1"    <----- Assigns member HUB2-VPN2-1 to zone HUB2.
                set zone "HUB2"
                set cost 130
                set priority 10
            next
        end
    end

Configure the health-check:

    config health-check
        edit "HUB2_HC"        <----- Creates the health-check HUB2_HC.
            set server "10.127.23.252" "10.127.192.34"    <----- Target servers.
            set probe-timeout 1000
            set update-cascade-interface disable
            set update-static-route disable
            set sla-fail-log-period 10
            set sla-pass-log-period 10
            set members 30 31     <----- 30 and 31 are the member IDs of HUB2-VPN1-1 and HUB2-VPN2-1 respectively.
            config sla
                edit 1
                    set latency-threshold 175
                    set jitter-threshold 35
                    set packetloss-threshold 2
                next
            end
        next
    end

Scenario 1: SD-WAN members are within the SLA threshold:

    FortiGate # diagnose sys link-monitor interface HUB2-VPN1-1
    Interface(HUB2-VPN1-1): state(up, since Sat May 17 11:36:45 2025), bandwidth(up:1507bps, down:1533bps), session count(IPv4:3, IPv6:0), tx(11302622 bytes), rx(246600 bytes), latency(0.50), jitter(0.06), packet-loss(0.00).

    FortiGate # diagnose sys link-monitor interface HUB2-VPN2-1
    Interface(HUB2-VPN2-1): state(up, since Sat May 17 11:36:53 2025), bandwidth(up:1519bps, down:1513bps), session count(IPv4:2, IPv6:0), tx(2290545 bytes), rx(220822 bytes), latency(0.43), jitter(0.03), packet-loss(0.00).

In scenario 1, the members HUB2-VPN1-1 and HUB2-VPN2-1 answer the health-check probes and are within the SLA thresholds (latency, jitter and packet loss are all below the values configured in HUB2_HC), so the member state shows as up.
Scenario 2: SD-WAN members are not within the SLA threshold:

    FortiGate # diagnose sys link-monitor interface HUB2-VPN1-1
    Interface(HUB2-VPN1-1): state(up, since Sat May 17 11:36:45 2025), bandwidth(up:1684bps, down:1423bps), session count(IPv4:3, IPv6:0), tx(11356578 bytes), rx(299752 bytes), latency(0.49), jitter(0.06), packet-loss(7.00).

    FortiGate # diagnose sys link-monitor interface HUB2-VPN2-1
    Interface(HUB2-VPN2-1): state(up, since Sat May 17 11:36:53 2025), bandwidth(up:1716bps, down:1056bps), session count(IPv4:2, IPv6:0), tx(2343251 bytes), rx(269216 bytes), latency(0.50), jitter(0.19), packet-loss(24.00).

In scenario 2, there is packet loss of 7% and 24% on members HUB2-VPN1-1 and HUB2-VPN2-1 respectively, but the member state still shows as up. The packet-loss threshold for health-check HUB2_HC is 2%, so both members fail to meet the SLA target, yet they remain up. Missing an SLA target does not bring a member down: the SLA result only affects SLA-based SD-WAN rule selection and the SLA pass/fail logs. The member state itself is governed by the link-status settings of the health-check (check interval, failures before inactive, restore link after), which is what scenario 3 exercises.

Scenario 3: SD-WAN members fail to meet the link-status threshold:

    Check interval: 20 ms
    Failures before inactive: 1
    Restore link after: 1

(In the CLI these correspond to the health-check settings interval, failtime and recoverytime.)

    FortiGate # diagnose sys link-monitor interface HUB2-VPN1-1
    Interface(HUB2-VPN1-1): state(down, since Sat May 17 12:01:51 2025), bandwidth(up:0bps, down:0bps), session count(IPv4:4, IPv6:0), tx(12176787 bytes), rx(354423 bytes).

    FortiGate # diagnose sys link-monitor interface HUB2-VPN2-1
    Interface(HUB2-VPN2-1): state(down, since Sat May 17 12:01:51 2025), bandwidth(up:0bps, down:0bps), session count(IPv4:1, IPv6:0), tx(3108670 bytes), rx(316357 bytes).

In scenario 3, the members HUB2-VPN1-1 and HUB2-VPN2-1 show as down because consecutive probe failures exceeded the link-status threshold (failures before inactive), even though the underlying system interface is still up. Note that the latency, jitter and packet-loss fields are no longer reported once a member is down.

    FortiGate # show full sys interface HUB2-VPN2-1 | grep status
        set status up        <----- The system interface shows up; this is the administrative status of the interface, which is independent of the SD-WAN member state.
    FortiGate # diagnose sys link-monitor interface HUB2-VPN2-1
    Interface(HUB2-VPN2-1): state(down, since Sat May 17 12:56:32 2025), bandwidth(up:32242bps, down:0bps), session count(IPv4:6316, IPv6:0), tx(5099173 bytes), rx(681952 bytes).    <----- The member state of HUB2-VPN2-1 shows as down.

Checking the SD-WAN member state is beneficial when troubleshooting issues related to BGP establishment or intermittent BGP flaps. For example, in scenario 3, if a BGP neighbor is configured with HUB2-VPN2-1 as its interface, the neighbor relationship will fail because the SD-WAN member state is down, even though the system interface shows as up. When a BGP peer over an SD-WAN member does not come up or flaps, compare the output of get router info bgp summary with the member state reported by diagnose sys link-monitor interface (or diagnose sys sdwan health-check) rather than relying on the interface status alone.
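As an added example (not part of the original article or of FortiOS), the following Python script parses the output of diagnose sys link-monitor interface in the form shown in the three scenarios above and reports, per member, whether it is down (link-status failure), up but outside the SLA targets, or up and within SLA. The thresholds are the ones configured in the HUB2_HC health-check on this page; the sample outputs are constructed from the scenarios and are not captured from a device.

```python
import re
from dataclasses import dataclass, field

# SLA targets taken from the HUB2_HC health-check on this page:
# latency-threshold 175 (ms), jitter-threshold 35 (ms), packetloss-threshold 2 (%).
SLA_THRESHOLDS = {"latency": 175.0, "jitter": 35.0, "packet-loss": 2.0}

# Interface name and link-monitor state, e.g. "Interface(HUB2-VPN1-1): state(up, since ...)".
STATE_RE = re.compile(r"Interface\((?P<name>[^)]+)\):\s*state\((?P<state>up|down)")
# Probe metrics; the output omits these fields entirely once the member is down.
METRIC_RE = re.compile(r"\b(latency|jitter|packet-loss)\(([\d.]+)\)")


@dataclass
class MemberStatus:
    name: str
    state: str                                    # "up" or "down" as reported by link-monitor
    metrics: dict = field(default_factory=dict)   # latency/jitter/packet-loss when present
    sla_violations: list = field(default_factory=list)

    def verdict(self) -> str:
        # Member state is driven by the link-status check (interval/failtime/recoverytime),
        # not by the SLA targets, so the two conditions are reported separately.
        if self.state == "down":
            return "down: failed link-status check; BGP bound to this member will not establish"
        if self.sla_violations:
            return "up but out of SLA: " + ", ".join(self.sla_violations)
        return "up and within SLA"


def parse_link_monitor(output: str, thresholds=SLA_THRESHOLDS) -> MemberStatus:
    """Parse one 'diagnose sys link-monitor interface <name>' output block."""
    m = STATE_RE.search(output)
    if m is None:
        raise ValueError("not a link-monitor interface line")
    metrics = {k: float(v) for k, v in METRIC_RE.findall(output)}
    violations = [
        f"{k}={v:g} > {thresholds[k]:g}"
        for k, v in metrics.items()
        if k in thresholds and v > thresholds[k]
    ]
    return MemberStatus(m.group("name"), m.group("state"), metrics, violations)


def classify(outputs) -> list:
    """Return (member name, verdict) pairs for a list of link-monitor outputs."""
    return [(s.name, s.verdict()) for s in map(parse_link_monitor, outputs)]


# Constructed sample outputs modelled on scenarios 1, 2 and 3 of the article.
SAMPLES = [
    # Scenario 1: up and within SLA.
    "Interface(HUB2-VPN1-1): state(up, since Sat May 17 11:36:45 2025), "
    "bandwidth(up:1507bps, down:1533bps), session count(IPv4:3, IPv6:0), "
    "tx(11302622 bytes), rx(246600 bytes), latency(0.50), jitter(0.06), packet-loss(0.00).",
    # Scenario 2: still up, but packet loss exceeds the 2% SLA target.
    "Interface(HUB2-VPN2-1): state(up, since Sat May 17 11:36:53 2025), "
    "bandwidth(up:1716bps, down:1056bps), session count(IPv4:2, IPv6:0), "
    "tx(2343251 bytes), rx(269216 bytes), latency(0.50), jitter(0.19), packet-loss(24.00).",
    # Scenario 3: down after exceeding the link-status threshold; no metrics are reported.
    "Interface(HUB2-VPN1-1): state(down, since Sat May 17 12:01:51 2025), "
    "bandwidth(up:0bps, down:0bps), session count(IPv4:4, IPv6:0), "
    "tx(12176787 bytes), rx(354423 bytes).",
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES):
        print(f"{name}: {verdict}")
```

The script deliberately keeps the two checks apart: a member that is up but out of SLA will still carry BGP sessions and is only deprioritised by SLA-mode SD-WAN rules, whereas a member reported down will not carry a BGP session at all, regardless of the system interface status.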