Daniel_Howard
Article Id 206727

Description


This article describes the FortiOS SD-WAN feature called SLA tie-break, which relates to SD-WAN traffic steering.

An SLA tie-break is required because, most of the time, all SD-WAN members are within SLA and FortiOS needs a method to choose between known-good members.

 

Scope


This article will provide details on the SLA Tie Break SD-WAN features.

 

Solution

 

The FortiOS SD-WAN SLA tie-break feature is configured in the CLI only, under the SD-WAN zone and the SD-WAN Service Rule. See below:

 

==============================================

FGT# config system sdwan
FGT# config zone
FGT# edit "virtual-wan-link"
FGT# set service-sla-tie-break cfg-order   <----- Default config.
FGT# next
FGT# end
FGT# config service
FGT# edit 1
FGT# set tie-break ?

cfg-order        <----- Members that meet the SLA are selected in the order they are configured.
fib-best-match   <----- Members that meet the SLA are selected that match the longest prefix in the routing table.

==============================================

 

As visible in the output above, the default tie-break setting uses the priority-members configuration order as the tie-break when all SD-WAN members are within SLA.

That order is found in the SD-WAN Service Rule in the CLI:

 

==============================================

config service
    edit 1
        set name "SDWAN"
        set mode sla
        set dst "all"
        set src "all"
        config sla
            edit "Ping_1_Loopback"
                set id 1
            next
            edit "Ping_2_Loopback"
                set id 1
            next
            edit "Ping_3_Loopback"
                set id 1
            next
            edit "Ping_4_Loopback"
                set id 1
            next
        end
        set priority-members 1 2 3 4 8 5 7 6
    next
end

==============================================

 

From the above CLI output, it is possible to see the priority-members setting referencing SD-WAN members 1 2 3 4 8 5 7 6.

A disadvantage of using the default cfg-order setting as the SLA tie-break is that it might not be desirable to steer SD-WAN traffic to member #1 simply because it is listed first.

 

Most FortiOS SD-WAN deployments rely on a BGP architecture to find the best paths through the overlay network, and the cfg-order setting does not capitalize on this logic.

 

Furthermore, to steer specific SD-WAN traffic to specific destinations with cfg-order, multiple Service Rules would need to be created, which can quickly become complex.

 

To address these shortcomings of cfg-order, a new feature was created to augment SLA tie-break functionality, and this feature is called fib-best-match.

 

When fib-best-match is used as the SLA tie-break, the SD-WAN logic narrows the candidate egress interfaces (the SD-WAN members configured in the Service Rule) down to those that are the best FIB (routing-table) match for the destination. In other words, native routing logic makes the SD-WAN steering choice for the egress interface.

 

For example, if BGP states that SD-WAN members #7 and #6 are the BGP ECMP best paths for the destination IP of interest, then only these two members will be considered to steer traffic:

 

...

B 10.1.1.0/22 [200/0] via 172.19.14.1, _MPLS_OL, 11:14:28
                       [200/0] via 172.19.14.1, _INet_OL, 11:14:28

...

 

A natural question is: if ECMP is used, how does SD-WAN choose a single member interface when the paths are equal? The answer is simple. Once the FIB identifies the best egress interfaces (#7 and #6 in this example), the first of those interfaces in the priority-members sequence of the Service Rule is chosen. So if ECMP between #7 and #6 is always present, member #7 will always be preferred over #6 for the simple reason that it is configured before #6 in the sequence.

Only if the SLA fails on #7 will member #6 be used.

 

Furthermore, here are a few details on the fib-best-match logic.

Within a single Service Rule, only the members referenced in priority-members that are within SLA are considered for traffic steering.

Next, out of these SD-WAN members, a FIB (native routing table) lookup is performed, and if the best-path egress interface is an SD-WAN member listed in that Service Rule, traffic is forwarded to that member.

Next, if more than one member is selected because of ECMP, FortiOS uses the first configured member based on the configuration sequence within 'priority-members 1 2 3 4 8 5 7 6'.

Note that the configuration sequence within the priority-members setting reads from LEFT to RIGHT, meaning #1 is first and #6 is last in this example.

 

Considerations

 

  1. When using the SLA Tie-Break method for member traffic steering, remember that the logic is applied per Service Rule:
    only members referenced within the priority-members configuration of that rule can be used.
    When using fib-best-match as a Tie-Break, it is best to reference all SD-WAN members so the native routing table can effectively be used.

  2. Note that the Policy Route Table works differently from the native routing table (FIB): the native routing table inherently performs best-match logic using attributes such as Distance, Metric and longest prefix match.
    The Policy Route Table, where the Service Rule logic is stored, is read from the top down and the first matching Service Rule is used, which might not be the best path determined by the FIB.
    This can be caused by summary or default routes in place that point over SD-WAN members.

  3. fib-best-match logic splits the candidate SD-WAN member interfaces into two groups.
    Group-1 contains the best path(s) found via the FIB lookup and Group-2 contains the SD-WAN member interfaces that did not match the FIB lookup. Group-1 is evaluated first, in order, and then Group-2.
    SD-WAN member selection within each group is based on the priority-members configuration sequence.

  4. fib-best-match with ECMP for longest match is only supported on v7.0.1+ GA, as of this writing.
    Also, from v7.0.1+ GA, when fib-best-match is used, SLA quality comparison member selection is overridden by the longest FIB prefix match.

  5. Starting from FortiOS v7.6.3 GA, the fib-best-match-force command can be enabled at the SD-WAN rule level to enforce the FIB best match between SD-WAN rules.

 

config system sdwan
    config service
        edit 2
            set fib-best-match-force {enable | disable}
        next
    end
end

 

Previously, if SD-WAN rule 1 matched on a shorter prefix and was positioned above rule 2, and rule 2 had fib-best-match configured, rule 1 would still be selected instead of rule 2.

 

With FortiOS v7.6.3 GA, enabling fib-best-match-force ensures that rule 1 is skipped, and rule 2 is used, allowing for more precise routing decisions based on the best prefix match.