FortiGate
acvaldez, Staff
Article Id 194246

Description

 

This article describes the diagnostic commands used to check the SD-WAN routes, the status of the member links, and which link an SD-WAN rule is currently selecting.

 

Scope

 

Any supported version of FortiGate.

Solution


Configure the two WAN interfaces (port2 and port3 in the output below) as members of the SD-WAN interface.

 
Configure a performance SLA (health check) that probes a server through each member; its measurements decide which link is currently the best one to use.
 
 
Create a static default route that points to the SD-WAN interface rather than to an individual member.
 
 
Create an SD-WAN rule that references both WAN members and the performance SLA 'PING', so that the SLA measurements dictate which ISP is chosen for each kind of traffic.
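The four steps above as one FortiOS CLI configuration. This is an added example written for this article, not the original article's own configuration. It uses the 'config system virtual-wan-link' syntax of FortiOS 6.0/6.2, which is the syntax that produced the diagnostic output shown below (in 6.4 and later the top-level tree is 'config system sdwan'). The member numbers, interfaces, gateways and the rule name SDWAN-RULE-TEST are taken from that output; the health-check server 8.8.8.8, the SLA thresholds and the address objects are assumptions.

```fortios
# Added example configuration, not from the original article.
# Step 1: both WAN interfaces become SD-WAN members. The member index
# (1 and 2) is the Seq number the diagnostic commands refer to.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port2"
            set gateway 10.10.10.100
        next
        edit 2
            set interface "port3"
            set gateway 20.20.20.100
        next
    end
    # Step 2: performance SLA "PING" probes the assumed server 8.8.8.8
    # through both members. The thresholds are assumed values.
    config health-check
        edit "PING"
            set server "8.8.8.8"
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # Step 4: the SD-WAN rule references both members and the SLA.
    # Priority mode with packet loss as the cost factor reproduces
    # "Mode(priority)" and "vwl_mbr_seq=2 1" in the output below:
    # member 2 (port3) is tried first, member 1 (port2) second.
    config service
        edit 1
            set name "SDWAN-RULE-TEST"
            set mode priority
            set src "all"
            set dst "all"
            set health-check "PING"
            set link-cost-factor packet-loss
            set priority-members 2 1
        next
    end
end
# Step 3: default route to the SD-WAN interface instead of a single
# member (6.0/6.2 syntax; no device or gateway is set here).
config router static
    edit 1
        set virtual-wan-link enable
    next
end
```

Traffic only flows once a firewall policy from the internal interface to the virtual-wan-link interface exists; that policy is outside the scope of this article and is not shown here.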
 
 
Diagnostic commands:
 
Run the following command to see all members of the SD-WAN link, together with the gateway, priority and weight configured for each member. The member index (1 and 2 here) is the 'Seq' number that the other commands refer to:
 
# diag sys virtual-wan-link member
Member(1): interface: port2, gateway: 10.10.10.100, priority: 0, weight: 0
Member(2): interface: port3, gateway: 20.20.20.100, priority: 0, weight: 0
 
Run the following command to list the policy routes installed by the SD-WAN rules and the order in which the members are preferred. In the output below, 'vwl_mbr_seq=2 1' means that member 2 (port3) is preferred over member 1 (port2) for rule 1 (SDWAN-RULE-TEST); 'oif=5 oif=4' are the corresponding outgoing interface indexes in the same order:
 
# diag firewall proute list
list route policy info(vf=root):

id=2130837505 vwl_service=1(SDWAN-RULE-TEST) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=5 oif=4
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255

Run the following command to show the values measured by the performance SLA 'PING' for each member. Seq(1) is member 1 (port2) and Seq(2) is member 2 (port3). In the example both links are alive with no packet loss, and member 1 shows slightly higher latency than member 2:
 
# diag sys virtual-wan-link health-check PING
Health Check(PING):
Seq(1): state(alive), packet-loss(0.000%) latency(60.223), jitter(9.280) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(60.155), jitter(9.318) sla_map=0x0

Run the following command to show which member an SD-WAN rule currently prefers. The service value '1' is the ID of the SD-WAN rule SDWAN-RULE-TEST:
 
# diag sys virtual-wan-link service  1

Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-l
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(2), alive, packet loss: 0.000%, selected
    2: Seq_num(1), alive, packet loss: 0.000%, selected
  Src address:
        0.0.0.0-255.255.255.255
  Dst address:
        0.0.0.0-255.255.255.255       
 
The rule runs in priority mode with packet loss as the link cost factor. Because no packet loss is detected on either member, both are marked 'selected' as acceptable, and traffic uses the first member in the list, Seq_num(2) (port3), which is the same order as 'vwl_mbr_seq=2 1' in the proute output. With equal packet loss the cost factor does not separate the two members, so the order falls back to the member priority configured in the rule; the small latency difference visible in the health-check output would only decide the order if the rule's link cost factor were latency.
 
Run the following command to display the last 10 minutes of performance SLA history for a single SD-WAN member (replace wan1 with the member interface name, for example port2 in this configuration):
 
# diag sys virtual-wan-link intf-sla-log wan1
 

Note that in FortiOS 6.4 and later the SD-WAN configuration tree is 'config system sdwan', and the diagnostic commands above are found under 'diagnose sys sdwan' instead of 'diagnose sys virtual-wan-link'. The available sub-commands are:

 

# diagnose sys sdwan

member
service
route-tag-list
route-tag-flush
health-check
neighbor
log
sla-log
intf-sla-log
internet-service-app-ctrl-list
internet-service-app-ctrl-flush
internet-service-app-ctrl-category-list
reset
zone
route
route6