There are three types of health checks used:

1. Active Monitoring: In this type, active probes are used to check whether the link is up and running. In this method a server is set up in the other end, and different types of Probes are used to contact the remote end server. This is the most common monitoring method.

Below are the different types of probes used in this setup:

2. Passive Monitoring: In passive monitoring, there will be no probes used to monitor the link, instead it uses network traffic to decide the performance of the link. TCP traffic is used to measure packet loss, jitter, and latency. RTT of TCP is used for latency calculation and TCP header information is used for jitter and packet loss calculation. Passive monitoring is considered more accurate than active monitoring as it uses real traffic. The other disadvantage is it does not detect dead members. Also, hardware acceleration is disabled on traffic subjected to passive monitoring:

config system sdwan

    config health-check

        edit " passive"

            set detect-mode passive

            set member 3 4

                config firewall policy

                    edit 10

                        set passive-wan-health-measurement enable

Per-application passive monitoring can be done as below, Upon configuring the above, it is possible to use below for per-application passive monitoring:

config system sdwan

    config service

        edit 1

            set name " microsoft"

            set src 'all"

            set internet-service enable

            set internet-service app-ctrl xxxxx yyyyy <----- Application signature ID can get from Security Profiles -> Application signatures.

            set health-check passive  <----- Name of the above health check.

            set priority member 1 4

            set passive-measurement enable

end

3. Prefer Passive monitoring: This uses both active and passive monitoring. It will use passive monitoring and if there is no traffic on the link for 3 minutes (this value is hard-coded). It will switch to active monitoring. If TCP traffic is monitored on the link it will switch back to passive monitoring. This will also result in disabling auto-asic-offload on the respective Firewall policies.

config system sdwan

    config health-check

        edit "prefer-passive"

            set server "10.10.10.1"

            set protocol ping

            set detect-mode prefer-passive

            set members 4

        next

    end

end

In the example above, passive monitoring is preferred. FortiGate starts pinging 10.10.10.1 only after no TCP traffic has been seen through member 4 for three minutes.
As with passive monitoring, it is necessary to enable 'passive-wan-health-measurement' on the firewall rules that accept traffic for the monitoring member.

Note:

From v7.6.4, this behaviour has been changed; SD-WAN passive health check does not need to be configured for Application Performance Monitoring to work. So this part of the configuration mentioned below is not required.

config system sdwan

    config health-check

        edit " passive"

            set detect-mode passive

            set member 3 4

         next

    end

end

In Active Monitoring mode, the FortiOS link monitor process (lnkmt) is responsible for monitoring the SD-WAN members' states and performance, whereas in Passive Monitoring mode, the link monitor passive process (lnkmt_passive) collects the data and generates the report, which will be used by the lnkmt process later, to calculate packet loss, latency and jitter.

These commands can be run to view the collected passive data:

diagnose sys link-monitor-passive admin list

diagnose sys link-monitor-passive admin list by-interface

diagnose sys link-monitor-passive admin list by-application [Name/ID]

diagnose sys link-monitor-passive admin app-id-map