Description |
This article describes that Health checks are used to make decisions in SD-WAN rules. Irrespective of the commonly used health check there are other types of Health checks in FortiGate. |
|||||||||||||||
Scope | FortiGate. | |||||||||||||||
Solution |
There are three types of health checks used.
In this type, active probes are used to check whether the link is up and running. In this method a server is setup in the other end and different types of Probes are used to contact the remote end server. This is the most common monitoring method.
Below are the different types of probes used in this setup:
In passive monitoring there will be no probes used to monitor the link, instead it uses network traffic to decide the performance of the link. TCP traffic is used to measure packet loss, jitter, and latency. RTT of TCP is used for latency calculation and TCP header information is used for jitter and packet loss calculation. Passive monitoring is considered more accurate than active monitoring as it uses real traffic. The other disadvantage is it does not detect dead members. Also, hardware acceleration is disabled on traffic subjected to passive monitoring:
Config system sdwan config health-check edit " passive" set detect-mode passive set member 3 4
Config firewall policy edit 10 set passive-wan-health-measurement enable
Per-application passive monitoring can be done as below, Upon configuring the above, it is possible to use below for per-application passive monitoring:
Config system sdwan config service edit 1 set name " microsoft" set src 'all" set internet-service enable set internet-service app-ctrl xxxxx yyyyy <----- Application signature ID can be get from Security Profiles -> Application signatures. set health-check passive <----- Name of the above health check. set priority member 1 4 set passive-measurement enable end
This uses both active and passive monitoring. It will use passive monitoring and if there is no traffic on the link for 3 minutes ( this value is hard coded). It will switch to active monitoring. If TCP traffic is monitored on the link it will switch back to passive monitoring. This will also result in disabling auto-asic-offload on the respective Firewall policies. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.