Created on 02-20-2023 07:50 AM
Edited on 03-22-2023 07:19 AM
By Jean-Philippe_P
| Description | This article describes how SD WAN Performance SLA influences the route selection process even when it is not being referenced by any service. |
| Scope | FortiGate SD WAN. |
| Solution |
Consider the following scenario:
A FortiGate has two SD WAN members, 'my-wan' and 'npu0_vlink0':
(root) # diagnose sys sdwan member
Member(1): interface: my-wan, gateway: 194.82.x.x, priority: 0, weight: 0
Member(2): interface: npu0_vlink0, gateway: 89.197.x.x, priority: 0, weight: 0
The health-check (performance SLA) is not referenced by either SD WAN service rule:
(SDWAN) # show service
config service
    edit 1
        set name "PREFERE-VIRTUAL1"
        set dst "all"
        set src "all"
        set priority-members 1
    next
    edit 2
        set name "SD-WAN"
        set dst "all"
        set src "all"
        set priority-members 1 2
    next
end
The main uplink interface, 'my-wan', is up.
The expectation is that traffic is routed via 'my-wan', but in reality the FortiGate chooses member (2), npu0_vlink0:
(root) # diagnose ip proute match 8.8.8.8 10.20.10.58 port9 6 443
dst=8.8.8.8 src=10.20.10.58 smac=00:00:00:00:00:00 iif=13 protocol=6 dport=443
id=7f000002 type=SDWAN seq-num=2
The fields id=7f000002 (service 2) and seq-num=2 (member 2) show that the lookup matched SD WAN service 2 and egressed on npu0_vlink0. Checking service 1, which should have matched first, shows why: the performance SLA considers 'my-wan' dead, so the service has no outgoing path and has been disabled:
(root) # diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x200 Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Service disabled caused by no outgoing path.   <-- the FortiGate has disabled the service
  Members(1):
    1: Seq_num(1 my-wan), dead
  Src address(1):
        0.0.0.0-255.255.255.255
  Dst address(1):
        0.0.0.0-255.255.255.255
Remove 'my-wan' from the SD WAN performance SLA (edit the SLA and take the member out of its member list).
Now the FortiGate chooses 'my-wan' as expected (id=7f000001, seq-num=1):
(root) # diagnose ip proute match 8.8.8.8 10.20.10.58 port9 6 443
dst=8.8.8.8 src=10.20.10.58 smac=00:00:00:00:00:00 iif=13 protocol=6 dport=443
id=7f000001 type=SDWAN seq-num=1
(root) # diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x200 Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(1):
    1: Seq_num(1 my-wan), alive, selected
  Src address(1):
        0.0.0.0-255.255.255.255
  Dst address(1):
        0.0.0.0-255.255.255.255
Conclusion:
- The FortiGate keeps using the performance SLA's result for a member even when that SLA is not referenced by any SD WAN service or rule: a member the SLA marks as dead is excluded from every service it belongs to, a service left with no live member is disabled ("Service disabled caused by no outgoing path"), and traffic falls through to the next matching service.
- If this is not intended, remove the interface from the SD WAN performance SLA. The FortiGate will then judge the member by its interface status or by whatever else is configured (such as link-monitor).
- To avoid this situation, disable 'Actions when Inactive' in the performance SLA (it is enabled by default).
GUI: Network -> Performance SLA -> <name of SLA>
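The two fixes from the conclusion expressed in the FortiOS CLI, followed by the diagnostics used to confirm the result. This is an added example, not CLI from the article: the health-check name "my-sla" is a placeholder, the SLA is assumed to currently list both members, and the command tree is the 6.4+ one ("config system sdwan"), which matches the "(SDWAN) #" prompt and the "diagnose sys sdwan" commands shown above. The CLI counterparts of the GUI's 'Actions when Inactive' settings are update-static-route and update-cascade-interface.

```fortios
# Added example, not from the article. Assumed health-check name: "my-sla".
# Member seq numbers are those from "diagnose sys sdwan member"
# (1 = my-wan, 2 = npu0_vlink0).

# Starting point: the performance SLA monitors both members, so a failed
# probe on my-wan marks member 1 dead for every SD WAN service it is in.
config system sdwan
    config health-check
        edit "my-sla"
            set members 1 2
        next
    end
end

# Fix 1: stop monitoring my-wan with the SLA. Member 1 is then judged by its
# interface link status (or by link-monitor, if one is configured).
config system sdwan
    config health-check
        edit "my-sla"
            set members 2
        next
    end
end

# Fix 2 (the article's alternative): keep monitoring, but turn off the
# 'Actions when Inactive' settings (GUI: Update static route / Cascade interfaces).
config system sdwan
    config health-check
        edit "my-sla"
            set update-static-route disable
            set update-cascade-interface disable
        next
    end
end

# Verify: SLA status per member, then service 1, which must no longer report
# "Service disabled caused by no outgoing path", then the route lookup, which
# should now return id=7f000001 seq-num=1 (service 1, member my-wan).
diagnose sys sdwan health-check my-sla
diagnose sys sdwan service 1
diagnose ip proute match 8.8.8.8 10.20.10.58 port9 6 443
```

Apply only one of the two fixes: removing the member from the SLA is the cleaner choice when the SLA was never meant to steer that interface, whereas disabling the inactive actions keeps the SLA's measurements available for other rules.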
Related Documentation: - https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/478384/performance-sla-link-monitoring |