Performance SLA strat with dual internet

Question

I'm struggling a bit with my performance SLAs and SDWAN Rules. My typical branch office will have 2 internet connections, one is usually better than the other (i.e., Verizon FiOS plus Comcast or true DIA Fiber plus a business broadband).

What's the best-practice strat for SDWAN rule? I've been mostly relying on Best Quality rule with a performance SLA that pings Google DNS (8.8.8.8), but I'm seeing more flapping than I would expect.

I think my first question is: Do the Performance SLA settings under Link Status (Check Interval and Failure before inactive) affect the SLAs themselves? If I have my latency SLA set at 250ms, is the interface in violation of the SLA the first time if sees latency greater than 250ms or if my check interval is 1000ms and failure before inactive is 5, does it take 5 seconds of 250ms latency to violate the SLA?

Any best-practice recommendations on these rules and Perf SLAs? I'm starting to think that Google DNS might not be the best candidate host for my probe. Do you prefer Best Quality, Lowest Cost, or Manual?

sjoshi · Answer

Hi ​@frizoeing,In Fortinet SD-WAN, Link Status parameters (Check Interval and Failures Before Inactive) and Performance SLA thresholds serve different but complementary purposes:Check Interval controls how often FortiGate sends a probe (e.g., every 1–5 seconds).Failures Before Inactive defines how many consecutive failed probes must occur before FortiGate declares the link “down.”These parameters affect link availability—not SLA violations. The Performance SLA metrics (latency, jitter, loss) are monitored separately and average results across several probes.A link does not become “out-of-SLA” on the first measurement above the threshold (e.g., one latency spike above 250 ms). FortiGate determines SLA violations based on the rolling average over multiple probes. This prevents transient issues from triggering route changesBest-Practice Performance SLA TuningCheck Interval: 1 – 3 seconds is typical for ICMP or DNS-based probes.Failures Before Inactive: 5 – 7 (or even up to 10 for unstable circuits) to avoid false failovers.Restore Link After: 7 – 10 successful probes is recommended to confirm link stability before recovery.This means that if your Check Interval is 1000 ms and Failures Before Inactive is 5, FortiGate waits around 5 seconds of consecutive failed health‑checks before marking the link inactive. SLA violation logic, however, averages multiple probe results and only triggers when the averages exceed latency/jitter/loss thresholds for several consecutive samples.For dual‑WAN setups (e.g., DIA + broadband):Best Quality Strategy – Ideal for latency‑sensitive traffic (VoIP, Teams, Zoom). Assign DIA as preferred and broadband as secondary. Configure realistic SLA thresholds and a small link-cost-threshold to avoid unnecessary flipping.Lowest Cost Strategy – Good for non‑critical or VPN traffic that can tolerate moderate delay but should use cheaper or secondary links when within SLA.Manual Strategy – For non‑critical browsing or guest internet traffic; static routing, minimal SLA monitoring.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded