Daniel_Howard
Article Id 206729

Description

This article describes the FortiOS SDWAN tie-break feature, which is part of the SDWAN traffic steering strategy. An SLA tie-break is needed because, most of the time, all SDWAN members are within SLA with little quality variance between them, and FortiOS needs a deterministic method to choose between several known-good SDWAN member interfaces.

 

Scope

FortiGate

 

Solution

This article provides details on the SDWAN SLA tie-break feature.

 

The FortiOS SDWAN SLA tie-break setting is available in the CLI only, in two places: on the SDWAN zone and on the Service Rule. See below:

 

==============================================

FGT# config system sdwan

FGT# config zone
FGT# edit "virtual-wan-link"

FGT# set service-sla-tie-break cfg-order   <--- default config

FGT# next

FGT# config service

FGT# set tie-break?

zone              Use the setting that is configured for the members' zone. <--- default config
cfg-order         Members that meet the SLA are selected in the order they are configured.
fib-best-match    Members that meet the SLA are selected that match the longest prefix in the routing table.

==============================================

 

From the above output, the default tie-break setting uses the priority-members configuration order (cfg-order) as the tie break when all SDWAN members are within SLA and within the defined quality variance threshold of each other (10% by default). The configuration order is the priority-members setting of the SDWAN Service Rule, found in the CLI via:

 

==============================================

   # config service
        # edit 1
            # set name "SDWAN"
            # set mode sla
            # set dst "all"
            # set src "all"
            # config sla
                # edit "Ping_1_Loopback"
                    # set id 1
                # next
                # edit "Ping_2_Loopback"
                    # set id 1
                # next
                # edit "Ping_3_Loopback"
                    # set id 1
                # next
                # edit "Ping_4_Loopback"
                    # set id 1
                # next
            # end
            # set priority-members 1 2 3 4 8 5 7 6 
        # next

==============================================

 

From the above CLI output, the priority-members setting references SDWAN members 1 2 3 4 8 5 7 6. A disadvantage of the default cfg-order tie break is that it may not be desirable to always steer SDWAN traffic to member #1 whenever all members are within SLA. Most FortiOS SDWAN deployments rely on BGP to find the best paths through the SDWAN overlay network, and cfg-order does not take this routing information into account, which can be critical when many IPsec hubs offer redundant BGP paths. Furthermore, steering specific SDWAN traffic to specific SDWAN members would require multiple Service Rules, which quickly becomes complex.

 

To address these shortcomings of cfg-order, a second SLA tie-break method was added: fib-best-match. With fib-best-match, FortiOS narrows the SDWAN member egress interfaces configured in the Service Rule down to those that are the best FIB (routing-table) match for the destination, so the native routing logic decides the SDWAN egress interface.
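The following configuration fragment is an added illustration, not output from the article or from a Fortinet device. It shows the two places where the tie break is set, using the option names from the help output above: the zone-level default (which a Service Rule inherits while its own tie-break is left at zone), and the per-rule override. The rule name, SLA entries and priority-members values are taken from the article's Service Rule; everything else in the fragment is assumed.

```text
config system sdwan
    config zone
        edit "virtual-wan-link"
            set service-sla-tie-break fib-best-match   <--- zone-wide default, replaces cfg-order
        next
    end
    config service
        edit 1
            set name "SDWAN"
            set mode sla
            set dst "all"
            set src "all"
            set tie-break fib-best-match                <--- per-rule override; 'zone' (default) inherits the zone setting
            set priority-members 1 2 3 4 8 5 7 6
        next
    end
end
```

To confirm which member a rule actually selects for a given destination after the change, the usual check is `diagnose sys sdwan service` (FortiOS 7.0 naming; earlier releases use `diagnose sys virtual-wan-link service`), which lists the rule's members in the order the steering logic evaluates them together with their SLA state.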

 

For example, if BGP states that SDWAN members #7 and #6 are ECMP best paths for the destination IP of interest, then only these two members are considered for steering that traffic. The routing table entry below shows such an ECMP route over two overlays:

 

...

B 10.1.1.0/22 [200/0] via 172.19.14.1, _MPLS_OL, 11:14:28
                       [200/0] via 172.19.14.1, _INet_OL, 11:14:28

...

 

The next question is: if ECMP is in play, how does SDWAN choose a single member interface when the paths are equal? Once the FIB lookup identifies the best egress interfaces (members #7 and #6 in this example), the first of them in the priority-members sequence of the Service Rule is chosen. So while 7 and 6 remain ECMP, member #7 is always preferred over #6 simply because it is configured before #6 in the sequence, unless SLA fails on #7, in which case member #6 is used.

 

In more detail, fib-best-match works as follows. Within a single Service Rule, only the members referenced in priority-members that are within SLA are considered for traffic steering. Out of those members, a FIB (native routing table) lookup is performed for the destination; if the best-path egress interface is an SDWAN member listed in the Service Rule, traffic is forwarded to that member. If more than one member is selected because of ECMP, FortiOS uses the first one in the configuration sequence of "priority-members 1 2 3 4 8 5 7 6". Note that this sequence reads from LEFT to RIGHT, so #1 is first and #6 is last in this example.

 

Considerations

 

1) The SLA tie-break logic is applied per Service Rule: only members referenced in that rule's priority-members setting can be used. When fib-best-match is the tie break, it is best to reference all SDWAN members so that the native routing table can be used effectively.

 

2) The SDWAN Service Rules (the policy route table) behave differently from the native routing table (FIB). The FIB inherently performs best-match selection using attributes such as distance, metric and longest prefix match. Service Rules are read top-down and the first matching rule is used, which may not correspond to the best path determined by the FIB, for example when summary or default routes point over SDWAN members.

 

3) fib-best-match splits the candidate SDWAN member interfaces into two groups. Group-1 contains the member(s) that are the best path(s) found by the FIB lookup, and Group-2 contains the members that did not match the FIB lookup. Group-1 is evaluated first, then Group-2; within each group, members are selected in the priority-members configuration sequence.

 

4) fib-best-match with ECMP for the longest match is only supported on FortiOS 7.0.1+ GA as of this writing. Also, from 7.0.1 GA onwards, when fib-best-match is used, the SLA quality comparison for member selection is overridden by the longest FIB prefix match.

 

5) Only cfg-order tie-break logic uses the quality comparison between SDWAN members: if the quality variance between SDWAN member interfaces is more than 10% (by default), traffic is steered to the next member with better quality; if the variance is under 10%, traffic is steered according to the member configuration order.
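As an added example (not code from the article or from Fortinet), the following Python model reproduces the selection logic described in the Solution section for fib-best-match (the in-SLA filter, the longest-prefix FIB lookup, the Group-1/Group-2 split from consideration 3, and ECMP resolved by priority-members order) and the cfg-order quality comparison from consideration 5. The two overlay names _MPLS_OL and _INet_OL and the 10.1.1.0/22 ECMP route come from the article; all other interface names, FIB entries, quality numbers, and the exact way the 10% variance check is applied are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Illustrative model of the FortiOS SDWAN SLA tie-break logic; not FortiOS code.


@dataclass(frozen=True)
class Member:
    seq: int          # SDWAN member sequence number, as referenced in priority-members
    interface: str    # egress interface name
    in_sla: bool      # whether the member currently meets its SLA target
    quality: float    # measured quality (e.g. latency in ms); lower is better


@dataclass(frozen=True)
class Route:
    prefix: str       # destination prefix as printed in the FIB
    interface: str    # egress interface of this FIB entry


@dataclass(frozen=True)
class ServiceRule:
    priority_members: tuple[int, ...]   # configuration sequence, reads left to right
    tie_break: str                      # "cfg-order" or "fib-best-match"
    variance: float = 0.10              # cfg-order quality variance threshold (10% default)


def fib_lookup(fib: list[Route], dst: str) -> list[str]:
    """Longest-prefix match; returns every egress interface of the winning prefix (ECMP)."""
    addr = ip_address(dst)
    best_len, best = -1, []
    for route in fib:
        # strict=False so a prefix printed with host bits (10.1.1.0/22) parses as 10.1.0.0/22
        net = ip_network(route.prefix, strict=False)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, [route.interface]
        elif net.prefixlen == best_len:
            best.append(route.interface)
    return best


def select_member(rule: ServiceRule, members: list[Member], fib: list[Route], dst: str) -> Member | None:
    """Return the member the rule steers traffic for dst to, or None if no member is within SLA."""
    by_seq = {m.seq: m for m in members}
    # Step 1: only priority-members that are within SLA are candidates, kept in config order.
    candidates = [by_seq[s] for s in rule.priority_members if s in by_seq and by_seq[s].in_sla]
    if not candidates:
        return None

    if rule.tie_break == "fib-best-match":
        # Step 2: FIB lookup. Group-1 = candidates on a best-path egress interface,
        # Group-2 = the rest. Group-1 is evaluated first; each group keeps config order,
        # which is also how an ECMP tie inside Group-1 is resolved.
        best = set(fib_lookup(fib, dst))
        group1 = [m for m in candidates if m.interface in best]
        group2 = [m for m in candidates if m.interface not in best]
        return (group1 + group2)[0]

    # cfg-order: walk the config order and only move to a later member when it beats the
    # current choice by more than the variance threshold (assumed reading of the 10% rule).
    chosen = candidates[0]
    for m in candidates[1:]:
        if (chosen.quality - m.quality) / chosen.quality > rule.variance:
            chosen = m
    return chosen


def update_member(members: list[Member], seq: int, **changes) -> list[Member]:
    """Copy of the member list with one member's fields changed (e.g. in_sla=False)."""
    return [replace(m, **changes) if m.seq == seq else m for m in members]


# Constructed sample data. Members 7 and 6 sit on the two overlays of the article's
# ECMP route; the remaining interface names and all quality values are made up.
MEMBERS = [
    Member(1, "port1", True, 20.0),
    Member(2, "port2", True, 21.0),
    Member(3, "_HUB1_MPLS", True, 22.0),
    Member(4, "_HUB1_INet", True, 20.5),
    Member(5, "_HUB2_MPLS", True, 21.5),
    Member(6, "_INet_OL", True, 20.2),
    Member(7, "_MPLS_OL", True, 19.0),
    Member(8, "_HUB2_INet", True, 19.5),
]
FIB = [
    Route("0.0.0.0/0", "port1"),          # ECMP default route (constructed)
    Route("0.0.0.0/0", "port2"),
    Route("10.1.1.0/22", "_MPLS_OL"),     # the ECMP pair from the article's routing table
    Route("10.1.1.0/22", "_INet_OL"),
    Route("10.1.1.0/24", "_HUB2_INet"),   # a more specific route, constructed for the example
]
RULE_FIB = ServiceRule((1, 2, 3, 4, 8, 5, 7, 6), "fib-best-match")
RULE_CFG = ServiceRule((1, 2, 3, 4, 8, 5, 7, 6), "cfg-order")

if __name__ == "__main__":
    for dst in ("10.1.2.5", "10.1.1.5", "192.0.2.1"):
        m = select_member(RULE_FIB, MEMBERS, FIB, dst)
        print(f"fib-best-match {dst:>10} -> member #{m.seq} ({m.interface})")
    m = select_member(RULE_FIB, update_member(MEMBERS, 7, in_sla=False), FIB, "10.1.2.5")
    print(f"fib-best-match, #7 out of SLA -> member #{m.seq} ({m.interface})")
    m = select_member(RULE_CFG, MEMBERS, FIB, "10.1.2.5")
    print(f"cfg-order, all members within 10% -> member #{m.seq} ({m.interface})")
```

Running the block shows member #7 winning the 10.1.1.0/22 ECMP tie over #6 because it appears first in priority-members, #6 taking over once #7 drops out of SLA, the more specific /24 route pulling traffic to member #8, and cfg-order falling back to member #1 while every member is within 10% of each other. Shrinking the rule to priority-members 7 6 and looking up a destination that only the default route covers exercises Group-2: neither member matches the FIB, so config order alone decides.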
