FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 206727


This article describes a FortiOS feature called tie-break which relates to SD-WAN traffic steering. 

SD-WAN SLA Tie break is required because most the time SD-WAN members are within SLA and FortiOS needs a method to choose between known good members.



This article will provide details on the SLA Tie Break SD-WAN features.




The FortiOS SDWAN SLA Tie Break feature is found in the CLI only via SDWAN zone and Service


Rule. See below:



FGT# config system sdwan

FGT# config zone
FGT# edit "virtual-wan-link"
FGT# set service-sla-tie-break cfg-order   <----- Default config.
FGT# next

FGT# config service

FGT# set tie-break ?

cfg-order <----- Members that meet the SLA are selected in the order they are configured.
fib-best-match <----- Members that meet the SLA are selected that match the longest prefix in the routing table.



As it is visible from the above output, the tie-break default setting uses the priority member configuration order as a tie break when all SDWAN members are within SLA.

The order is found in the SD-WAN Service Rule within CLI via:



# config servic
    edit 1
        set name "SDWAN"
        set mode sla
        set dst "all"
        set src "all"
# config sl
    edit "Ping_1_Loopback"
        set id 1
        edit "Ping_2_Loopback"
            set id 1
            edit "Ping_3_Loopback"
                set id 1
                edit "Ping_4_Loopback"
                    set id 1
                 set priority-members 1 2 3 4 8 5 7 6 



From the above CLI output, it it possible to see the setting priority-members referencing SDWAN members 1 2 3 4 8 5 7 6

A disadvantage of using the default setting cfg-order as SLA tie break is that it might not be desirable to steer SD-WAN traffic to member # 1.

Most FortiOS SD-WAN deployments relay on BGP architecture to find best paths through the overlay network and cfg-order setting does not capitalize on this logic.

Furthermore, to steer specific SD-WAN traffic to specific destinations then multiple Service Rules would need to be created to accommodate this requirement, which could quickly become complex.


To address these short comings of cfg-order, a new feature was created to augment SLA tie break functionality, and this feature is called fib-best-match.

When using fib-best-match logic for SLA tie break, FortiOS SD-WAN logic will narrow down possible SD-WAN member egress interfaces configured in Service Rule to the best FIB (routing-table) match, which is essentially native routing logic to make SD-WAN steering choice for egress interface.


For example, If BGP states that SD-WAN members #7 and #6 have BGP ECMP best path match for destination IP of interest - then only these two members will be considered to steer traffic.



B [200/0] via, _MPLS_OL, 11:14:28
                       [200/0] via, _INet_OL, 11:14:28



The question might have been then, if ECMP is used, then how does SD-WAN choose a single SD-WAN member interface if it is equal? The answer is simple, once FIB identifies best egress interfaces, and in our example #7 and #6, the first configured interface within priority-members setting within Service Rule will be chosen, meaning if ECMP between 7 and 6 is always occurring, then member #7 will always be preferred before #6 on the simple fact it is configured in sequence before #6.

Unless SLA fails on #7 in which then member #6 would be used.


Furthermore, here are a few Details on fib-best-match logic.

Within a single Service Rule, only priority-members referenced, and are within SLA, are considered for traffic steering.

Next, out of these SD-WAN members, a FIB (native routing table) lookup is performed and if best path egress interface is SD-WAN member listed within said Service rule then forward traffic to that member.

Next, if more than one member is selected because of ECMP, then FortiOS used first configured member based on configuration sequence within 'priority-members 1 2 3 4 8 5 7 6'

Note, that the configuration sequence within priority-member setting reads from LEFT to RIGHT, meaning #1 is first and #6 is last in this example.




1) When using SLA Tie Break method for member traffic steering, remember that the logic is a per Service Rule basis. 

Meaning, only members referenced within priority-member config could be used.

When using fib-best-match as Tie Break it is best to reference all SD-WAN members so the native routing table can effectivity be used.


2) Note that Policy Route Table works differently than native routing table (FIB) in the sense that native route table performs best match logic inherently using attributes like Distance, Metric and longest match logic.

The Policy Route Table where Service Rule logic is stored reads from the top down and first Service Rule match will be used which might not be best path determined by FIB.

This could be caused by summary or default routes in place directed over SD-WAN members.


3) fib-best-match logic breaks candidate SDWAN member interfaces into two groups.

Group-1 will contain best path(s) found via FIB look up and Group-2 will contain SD-WAN member interface that did not match FIB lookup. Group-1 will be evaluated first in order and then Group-2.  

SD-WAN member selection per group will be based on priority-member configuration sequence.


4) fib-best-match with ECMP for longest match is only support on 7.0.1+ GA, as of this writing.

Also 7.0.1+ GA, when fib-best-match is used, SLA quality comparison member selection is overridden with longest FIB prefix match.