Solution
Performance SLAs Overview
Performance SLAs measure the health of links connected to SD-WAN member interfaces by sending probing signals through each link to a target server or by using session information captured by firewall policies. If a link fails all health checks, the routes associated with that link are removed from the SD-WAN load-balancing group, and traffic is routed through other available links. When the link passes the SLA again, the routes are reestablished. This mechanism prevents traffic from being sent through a failed link and ensures service continuity.
Performance SLA participants are the interfaces evaluated for a given health check. These interfaces must be SD-WAN member interfaces but do not need to belong to the same zone. Six predefined performance SLA profiles are available on newly created VDOMs or factory-reset FortiGate devices: AWS, DNS, FortiGuard, Gmail, Google Search, and Office 365. These profiles provide Fortinet-recommended settings for common services. To complete the configuration, participants for the corresponding service must be added. Default settings can be modified to meet network requirements.
According to CSB-250930-1, released on October 2, 2025, Amazon Web Services (AWS) will block HTTP probes from FortiGate devices starting October 12, 2025, to protect its infrastructure.
Safe Change Management: Removing or Replacing the Health Check
To prevent service disruption, the Default_AWS health check must be removed or replaced. A safe change management approach minimizes the risk of inadvertently affecting live traffic.
Identify Affected Performance SLA Rules
First, determine which SD-WAN Performance SLA rules are using the Default_AWS health check.
GUI: Navigate to Network -> SD-WAN and review the Performance SLA section. Check the list of configured Health Checks.
Define a replacement health-check strategy
Because Default_AWS must go, it should be replaced with one or more custom health checks (HTTP, HTTPS, TCP, or ICMP) that reliably represent link health to application/service endpoints (for example, reachability to an internal web server, DNS resolver, or other stable target).
The following links could be helpful:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-SD-WAN-performance-SLA-health-check-with-H...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SD-WAN-with-Primary-ISP-a...
https://docs.fortinet.com/document/fortigate/7.4.5/administration-guide/867342/performance-sla-overv...
Plan a maintenance window
Changes to health checks may trigger link re-evaluation. Performing modifications during a planned maintenance window minimizes production impact.
Backup configuration
A complete configuration backup (global and per-VDOM, if applicable) must be created before making any modifications. The backup enables rollback in case of unexpected behavior.
Monitoring
After removal or replacement, SD-WAN link status and routing behavior must be monitored closely.
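The identification step above can also be carried out offline against the configuration backup taken before the change, which is useful for auditing many VDOMs or devices at once. The following parser is an added example, not Fortinet's code: it walks a constructed `config system sdwan` excerpt (not from a real device) and lists the service rules that reference a given health check, whether through `set health-check` (priority mode) or through an `edit "<name>"` entry under the rule's `config sla` block (SLA mode).

```python
import shlex
# Constructed excerpt of a FortiGate config backup (system sdwan section only); not from a real device.
SAMPLE_CONFIG = """\
config system sdwan
    config service
        edit 1
            set name "aws-saas"
            config sla
                edit "Default_AWS"
                next
            end
        next
        edit 2
            set name "web-priority"
            set health-check "Default_AWS"
        next
        edit 3
            set name "dns-only"
            set health-check "Default_DNS"
        next
    end
end
"""

def services_using_health_check(config_text, name):
    """Return [(id, name)] of SD-WAN service rules that reference health check `name`."""
    stack, found, rule = [], [], None
    for line in config_text.splitlines():
        tokens = shlex.split(line) or [""]
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(" ".join(args))
        elif kw == "edit":
            stack.append(args[0])
            if stack[:-1] == ["system sdwan", "service"]:  # entering a service rule
                rule = {"id": args[0], "name": "", "refs": set()}
            elif rule and stack[-2] == "sla":  # SLA target listed inside the current rule
                rule["refs"].add(args[0])
        elif kw == "set" and rule:
            if args[0] == "name":
                rule["name"] = args[1]
            elif args[0] == "health-check":
                rule["refs"].update(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
            if rule and stack == ["system sdwan", "service"]:  # leaving the rule
                if name in rule["refs"]:
                    found.append((rule["id"], rule["name"]))
                rule = None
    return found
```

Run it against the full backup of each VDOM and every rule it lists needs a replacement health check before Default_AWS is deleted.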
Bulletin ID: CSB-250930-1
Subject: FortiOS action required: Remove the Default_AWS health check
Released Date: 2025-10-02
Product: FortiGate
Short Description: FortiOS action required: Remove the Default_AWS health check
Description: Fortinet advises all FortiGate SD-WAN customers to remove the Default_AWS health check before October 12, 2025.
Potentially Affected Products: FortiGate
Potentially Affected OS: FortiOS version 7.0, 7.2, 7.4, 7.6
Solution: On October 12, 2025, Amazon Web Services (AWS) will block HTTP probes from FortiGate devices (based on the user-agent header) to protect its infrastructure.
After this date:
• HTTP probes to aws.amazon.com from FortiGate devices will be blocked.
• SD-WAN Performance SLA rules using the “Default_AWS” health check will fail.
Potential Impact: Customers using the Performance SLA rule “Default_AWS” may incorrectly interpret those links as down, potentially disrupting traffic routing.