Created on
03-28-2022
04:33 AM
Edited on
02-18-2025
07:04 AM
By
mahmed
Description
This article describes a FortiOS feature called tie-break which relates to SD-WAN traffic steering.
SD-WAN SLA Tie break is required because most the time SD-WAN members are within SLA and FortiOS needs a method to choose between known good members.
Scope
This article will provide details on the SLA Tie Break SD-WAN features.
Solution
The FortiOS SDWAN SLA Tie Break feature is found in the CLI only via SDWAN zone and Service
Rule. See below:
==============================================
FGT# config system sdwan
FGT# config zone
FGT# edit "virtual-wan-link"
FGT# set service-sla-tie-break cfg-order <----- Default config.
FGT# next
FGT# config service
FGT# set tie-break ?
cfg-order <----- Members that meet the SLA are selected in the order they are configured.
fib-best-match <----- Members that meet the SLA are selected that match the longest prefix in the routing table.
==============================================
As it is visible from the above output, the tie-break default setting uses the priority member configuration order as a tie-break when all SD-WAN members are within SLA.
The order is found in the SD-WAN Service Rule within CLI via:
==============================================
config servic
edit 1
set name "SDWAN"
set mode sla
set dst "all"
set src "all"
config sl
edit "Ping_1_Loopback"
set id 1
next
edit "Ping_2_Loopback"
set id 1
next
edit "Ping_3_Loopback"
set id 1
next
edit "Ping_4_Loopback"
set id 1
next
end
set priority-members 1 2 3 4 8 5 7 6
next
==============================================
From the above CLI output, it it possible to see the setting priority-members referencing SD-WAN members 1 2 3 4 8 5 7 6.
A disadvantage of using the default setting cfg-order as an SLA tiebreak is that it might not be desirable to steer SD-WAN traffic to member # 1.
Most FortiOS SD-WAN deployments rely on BGP architecture to find the best paths through the overlay network and cfg-order setting does not capitalize on this logic.
Furthermore, to steer specific SD-WAN traffic to specific destinations then multiple Service Rules would need to be created to accommodate this requirement, which could quickly become complex.
To address these shortcomings of cfg-order, a new feature was created to augment SLA tie-break functionality, and this feature is called fib-best-match.
When using fib-best-match logic for SLA tie break, FortiOS SD-WAN logic will narrow down possible SD-WAN member egress interfaces configured in Service Rule to the best FIB (routing-table) match, which is essentially native routing logic to make SD-WAN steering choice for egress interface.
For example, If BGP states that SD-WAN members #7 and #6 have BGP ECMP best path match for the destination IP of interest, then only these two members will be considered to steer traffic.
...
B 10.1.1.0/22 [200/0] via 172.19.14.1, _MPLS_OL, 11:14:28
[200/0] via 172.19.14.1, _INet_OL, 11:14:28
...
The question might have been then, if ECMP is used, then how does SD-WAN choose a single SD-WAN member interface if it is equal? The answer is simple, once FIB identifies the best egress interfaces, and in this example, #7 and #6, the first configured interface within the priority-members setting within Service Rule will be chosen, meaning if ECMP between 7 and 6 is always occurring, then member #7 will always be preferred before #6 on the simple fact it is configured in sequence before #6.
Unless SLA fails on #7 in which then member #6 would be used.
Furthermore, here are a few Details on fib-best-match logic.
Within a single Service Rule, only priority-members referenced, and are within SLA, are considered for traffic steering.
Next, out of these SD-WAN members, a FIB (native routing table) lookup is performed and if the best path egress interface is SD-WAN member listed within said Service rule then forward traffic to that member.
Next, if more than one member is selected because of ECMP, then FortiOS uses the first configured member based on the configuration sequence within 'priority-members 1 2 3 4 8 5 7 6'.
Note, that the configuration sequence within the priority-member setting reads from LEFT to RIGHT, meaning #1 is first and #6 is last in this example.
Considerations.
config system sdwan
config service
edit 2
set fib-best-match-force enable/disable
Previously, if the SD-WAN rule 1 used a shorter prefix match and was positioned above rule 2 and rule 2 has fib-best-match configured, rule 1 would be selected instead of rule 2.
With FortiOS v7.6.3 GA, enabling fib-best-match-force ensures that rule 1 is skipped, and rule 2 is used, allowing for more precise routing decisions based on the best prefix match.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.