FortiGate
abarushka
Staff
Article Id 192268

Description


This article describes how to configure an SD-WAN Performance SLA health check that uses TWAMP probes, with a second FortiGate acting as the TWAMP server (probe responder) at the other end.

 

Scope

 

FortiGate.

Solution


The Two-Way Active Measurement Protocol (TWAMP) defines a standard for measuring round-trip network performance between any two devices that support it.
The TWAMP-Control protocol is used to set up the performance measurement sessions. On FortiGate, TWAMP health checks and the TWAMP server are configured from the CLI.

 

There are two kinds of session in TWAMP: control and test. The control session (TCP) authenticates the endpoints and negotiates the test session; the test session (UDP) carries the packets used to measure performance.

The TWAMP architecture is composed of the following four logical entities that are responsible for starting a monitoring session and exchanging packets:

  • The control-client sets up, starts, and stops TWAMP-Test sessions.
  • The session-sender generates the TWAMP-Test packets that are sent to the session-reflector.
  • The session-reflector reflects a measurement packet upon receiving a TWAMP-Test packet. The session-reflector does not collect packet statistics in TWAMP.
  • The TWAMP server is an end system that manages one or more TWAMP sessions and is also capable of configuring per-session ports on the endpoints. The server listens on the TCP control port. The session-reflector and server together form the TWAMP responder, which is the role the second FortiGate plays in this configuration.

 

Note that if authentication is disabled (the default), FortiGate generates the test session only and no TWAMP-Control session is established. SD-WAN uses port 862 as the default port for both the control and test sessions, but a different port can be configured, as in the example below (port 8008); whichever port is used, it must be the same on both units.
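The test session described above, reduced to its data-plane exchange: the following added example (not FortiOS code and not from this article) implements a TWAMP-Test session-sender and session-reflector in Python for the unauthenticated mode of RFC 5357, runs them against each other over the loopback interface, and derives packet loss, latency and jitter from the four timestamps, which is what a Performance SLA reports. The port (an ephemeral loopback port rather than 862 or 8008), the probe count and interval are assumptions, and the jitter formula (mean absolute difference between consecutive samples) is a simplification, not Fortinet's exact algorithm. Because no control session is set up and the packets carry no keyed HMAC, this corresponds to security-mode none: any host that can reach the port can answer or forge these packets, which is why the configuration below enables authentication.

```python
"""Minimal TWAMP-Test exchange (RFC 5357, unauthenticated mode) over loopback:
a session-sender, a session-reflector and the SLA metrics derived from the four
timestamps. Added example, not FortiOS code; port, count and interval are assumed."""
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
ERROR_ESTIMATE = 0x0001        # S=0 (clock not synchronised), scale 0, multiplier 1
MIN_PADDING = 27               # RFC 5357 4.1.2: pad so the 41-byte reflector reply fits
SENDER_FMT = '!IIIH'           # seq | ts seconds | ts fraction | error estimate (14 bytes)
REFLECTOR_FMT = '!IIIHHIIIIIHHB'  # 41-byte unauthenticated reflector packet (RFC 5357 4.2.1)


def ntp_now():
    """Wall clock as a 64-bit NTP timestamp: (seconds, 2^-32 fraction)."""
    secs, rem_ns = divmod(time.time_ns(), 10**9)
    return secs + NTP_EPOCH_OFFSET, (rem_ns << 32) // 10**9


def ntp_to_ns(secs, frac):
    """Inverse of ntp_now(): Unix time in integer nanoseconds (no float rounding)."""
    return (secs - NTP_EPOCH_OFFSET) * 10**9 + ((frac * 10**9) >> 32)


def build_sender_packet(seq, padding=MIN_PADDING):
    """Session-sender test packet: sequence number, send timestamp (T1), error estimate."""
    secs, frac = ntp_now()
    return struct.pack(SENDER_FMT, seq, secs, frac, ERROR_ESTIMATE) + b'\x00' * padding


def build_reflector_packet(sender_pkt, rx_secs, rx_frac, refl_seq, sender_ttl=255):
    """Session-reflector reply: own seq and transmit timestamp (T3), the receive
    timestamp (T2) and a copy of the sender's seq and timestamp (T1)."""
    s_seq, s_secs, s_frac, s_err = struct.unpack(SENDER_FMT, sender_pkt[:14])
    tx_secs, tx_frac = ntp_now()
    return struct.pack(REFLECTOR_FMT, refl_seq, tx_secs, tx_frac, ERROR_ESTIMATE, 0,
                       rx_secs, rx_frac, s_seq, s_secs, s_frac, s_err, 0, sender_ttl)


def parse_reflector_packet(data):
    """Decode the 41-byte reply into the fields the sender needs for its maths."""
    f = struct.unpack(REFLECTOR_FMT, data[:41])
    return {'refl_seq': f[0], 't3_ns': ntp_to_ns(f[1], f[2]), 't2_ns': ntp_to_ns(f[5], f[6]),
            'sender_seq': f[7], 't1_ns': ntp_to_ns(f[8], f[9]), 'sender_ttl': f[12]}


def run_reflector(sock, count):
    """Stateless reflector, like FortiGate's probe-response: timestamp on receipt,
    reflect, keep only its own sequence counter and collect no statistics."""
    for refl_seq in range(count):
        try:
            pkt, addr = sock.recvfrom(2048)
        except OSError:
            return                    # socket closed by the sender side: stop
        rx_secs, rx_frac = ntp_now()
        sock.sendto(build_reflector_packet(pkt, rx_secs, rx_frac, refl_seq), addr)


def sla_metrics(rtts_ms, sent):
    """Summarise a probe run as packet loss (%), mean latency and jitter (ms).
    Jitter here is the mean |delta| of consecutive samples, a simplification."""
    if not rtts_ms:
        return {'packet_loss_pct': 100.0, 'latency_ms': None, 'jitter_ms': None}
    diffs = [abs(a - b) for a, b in zip(rtts_ms[1:], rtts_ms[:-1])]
    return {'packet_loss_pct': 100.0 * (sent - len(rtts_ms)) / sent,
            'latency_ms': sum(rtts_ms) / len(rtts_ms),
            'jitter_ms': sum(diffs) / len(diffs) if diffs else 0.0}


def run_session(count=5, interval_s=0.05, timeout_s=1.0):
    """One TWAMP-Test session: `count` probes `interval_s` apart; returns the SLA metrics."""
    reflector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    reflector.bind(('127.0.0.1', 0))  # ephemeral port; a FortiGate listens on 862 or the configured port
    server = reflector.getsockname()
    threading.Thread(target=run_reflector, args=(reflector, count), daemon=True).start()

    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.settimeout(timeout_s)
    rtts_ms = []
    for seq in range(count):
        sender.sendto(build_sender_packet(seq), server)
        try:
            reply, _ = sender.recvfrom(2048)
        except socket.timeout:
            continue                  # no reply within the timeout: counted as loss
        t4_ns = time.time_ns()
        r = parse_reflector_packet(reply)
        if r['sender_seq'] != seq:
            continue                  # late or foreign reply: never credit it to this probe
        # Latency = round trip (T4 - T1) minus the time the reflector held the packet (T3 - T2).
        rtts_ms.append(((t4_ns - r['t1_ns']) - (r['t3_ns'] - r['t2_ns'])) / 1e6)
        time.sleep(interval_s)
    sender.close()
    reflector.close()
    return sla_metrics(rtts_ms, count)


if __name__ == '__main__':
    print(run_session())
```

Running the file prints the metrics of one loopback session. Two details matter for a production probe as much as for this toy: the sender only credits a reply whose copied sequence number matches the probe it is waiting for, and a missing reply is counted as loss instead of being silently dropped, which is what drives a member to state(dead) on a real health check.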


Configuration on the two FortiGate units.

FGT-1 as TWAMP client (the SD-WAN unit running the health check):

 

config system virtual-wan-link
    config health-check
        edit SLA_TWAMP
            set server 1.1.1.1
            set protocol twamp
            set port 8008
            set security-mode authentication
            set password xxx
            set interval 500
            set packet-size 64
            set members 1 2 3        <- SD-WAN member sequence numbers (seq-num)
        next
    end
end

The password is the shared secret for TWAMP authenticated mode and must be identical on both units; the port must match the one configured under probe-response on the server.

 

FGT-DC as TWAMP server (probe responder):

 

config system probe-response
    set mode twamp
    set port 8008
    set security-mode authentication
    set password xxx
end
config system interface
    edit port5
        set ip 1.1.1.1 255.255.255.0
        set allowaccess (...) probe-response (...)
    next
end

Adding probe-response to allowaccess opens a listener on that interface, so enable it only on the interface that faces the TWAMP client and keep security-mode set to authentication so that unauthenticated probes are not answered.

 

The append command is the safer way to add probe-response: set allowaccess replaces the whole list with exactly the options given, whereas append adds one or more options to the existing list without removing the access types already enabled.

 

config system interface
    edit port5
        set ip 1.1.1.1 255.255.255.0
        append allowaccess probe-response
    next
end

 

Both units should be configured with the same time zone:

 

config system global
    set timezone <time zone value should be the same on both units>
end

 

 

Results:

 

Check the health check status from the TWAMP client. The output below comes from a health check named SLA_TWAMP_FGTDC with members 4, 5 and 6; the name and sequence numbers will reflect the local configuration. state(alive) with 0% packet loss confirms that the reflector answers the test packets; latency and jitter are in milliseconds.

diag sys virtual-wan-link health-check <performance-sla-name>
Health Check(SLA_TWAMP_FGTDC):
Seq(4): state(alive), packet-loss(0.000%) latency(87.813), jitter(19.177) sla_map=0x0
Seq(5): state(alive), packet-loss(0.000%) latency(109.494), jitter(11.875) sla_map=0x0
Seq(6): state(alive), packet-loss(0.000%) latency(90.026), jitter(16.318) sla_map=0x0

 

Note: A packet capture on either unit can confirm the traffic flow. The filter matches the configured port (8008 here), verbosity 4 prints packet headers with interface names, a count of 0 captures until stopped with Ctrl-C, and l prints local timestamps:

 

diag sniff packet any 'port 8008' 4 0 l