FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nprakash, Staff
Article Id 395621
Description: This article describes an issue where the latency and jitter measured by SD-WAN passive health-check are incorrectly attributed to the default application (service 0) instead of the application that generated the traffic, when FortiOS calculates per-application network performance in SD-WAN.
Scope: FortiGate v7.6.3.
Solution

Topology

[topology diagram: kb_lat.png]

The SD-WAN configuration:

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
        next
    end
    config health-check
        edit "1"
            set detect-mode passive // passive health-check needs to be defined
            set recoverytime 1
            set members 0
        next
    end
end


The FortiGate firewall policy allows the traffic to the SSH Server:

config firewall policy
    edit 1
        set uuid f03b2310-f492-51ef-5064-02fabcede316
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set passive-wan-health-measurement enable
        set app-monitor enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set auto-asic-offload disable
    next
end

SSH from the PC to the server 172.16.202.2. Latency and jitter are measured under the default application (service 0):

FGT_A (root) # diagnose sys link-monitor-passive admin list
      port1(123) | service=0x00000000 | latency=90.0 03-07 06:03:29 | jitter=0.0 03-07 06:03:29 | pktloss=0.0 % NA

After executing some commands over the SSH connection to generate traffic, packet loss is measured under the SSH application (service 0x00003ebc), while latency and jitter remain under the default application:

FGT_A (root) # diagnose sys link-monitor-passive admin list
      port1(123) | service=0x00000000 | latency=90.0 03-07 06:03:29 | jitter=0.0 03-07 06:03:29 | pktloss=0.0 % NA
      port1(123) | service=0x00003ebc | latency=0.0 NA | jitter=0.0 NA | pktloss=1.8 % 03-07 06:03:55


Log out of the SSH connection, initiate a new SSH session from the PC to the same server 172.16.202.2, and execute some commands over the connection to generate traffic. Latency and jitter are again measured under the default application 0, while packet loss is measured under the SSH application:

FGT_A (root) # diagnose sys link-monitor-passive admin list
      port1(123) | service=0x00000000 | latency=115.0 03-07 06:11:09 | jitter=50.0 03-07 06:11:09 | pktloss=0.0 % NA
      port1(123) | service=0x00003ebc | latency=0.0 NA | jitter=0.0 NA | pktloss=43.0 % 03-07 06:10:55
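
To check a unit for the pattern shown in the outputs above, the following is an added Python parser for the `diagnose sys link-monitor-passive admin list` rows. It is example code written for this article, not part of the article itself or of FortiOS. The row format and the sample rows are taken from the outputs above (embedded here as constructed samples), and the detection heuristic (latency/jitter samples present only under service 0 while an application service on the same interface shows packet-loss samples but no latency/jitter samples) is an assumption about how the symptom presents, not a FortiOS-documented check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the article's output on v7.6.3 with SSH traffic flowing.
# Latency/jitter samples sit under service 0x00000000; the SSH application
# (0x00003ebc) carries only packet-loss samples.
SAMPLE_WITH_SSH = """\
FGT_A (root) # diagnose sys link-monitor-passive admin list
      port1(123) | service=0x00000000 | latency=115.0 03-07 06:11:09 | jitter=50.0 03-07 06:11:09 | pktloss=0.0 % NA
      port1(123) | service=0x00003ebc | latency=0.0 NA | jitter=0.0 NA | pktloss=43.0 % 03-07 06:10:55
"""

# Constructed sample: only the default application is listed, so there is
# no application row to compare against and nothing should be flagged.
SAMPLE_DEFAULT_ONLY = """\
FGT_A (root) # diagnose sys link-monitor-passive admin list
      port1(123) | service=0x00000000 | latency=90.0 03-07 06:03:29 | jitter=0.0 03-07 06:03:29 | pktloss=0.0 % NA
"""

# A sample timestamp looks like "03-07 06:11:09"; "NA" means no sample yet.
_TS = r"NA|\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
LINE_RE = re.compile(
    r"^\s*(?P<iface>[^\s(]+)\((?P<idx>\d+)\)\s*\|"
    r"\s*service=0x(?P<svc>[0-9a-fA-F]+)\s*\|"
    rf"\s*latency=(?P<lat>[\d.]+)\s+(?P<lat_ts>{_TS})\s*\|"
    rf"\s*jitter=(?P<jit>[\d.]+)\s+(?P<jit_ts>{_TS})\s*\|"
    rf"\s*pktloss=(?P<loss>[\d.]+)\s*%\s+(?P<loss_ts>{_TS})\s*$"
)


@dataclass
class PassiveEntry:
    interface: str
    service_id: int            # 0 = default application
    latency_ms: float
    latency_ts: Optional[str]  # None when the CLI prints NA (no sample)
    jitter_ms: float
    jitter_ts: Optional[str]
    pktloss_pct: float
    pktloss_ts: Optional[str]


def _ts(raw: str) -> Optional[str]:
    return None if raw == "NA" else raw


def parse_passive_list(text: str) -> List[PassiveEntry]:
    """Parse the per-service rows; the CLI prompt and blank lines are skipped."""
    entries: List[PassiveEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(PassiveEntry(
            interface=m["iface"],
            service_id=int(m["svc"], 16),
            latency_ms=float(m["lat"]), latency_ts=_ts(m["lat_ts"]),
            jitter_ms=float(m["jit"]), jitter_ts=_ts(m["jit_ts"]),
            pktloss_pct=float(m["loss"]), pktloss_ts=_ts(m["loss_ts"]),
        ))
    return entries


def find_misattributed(entries: List[PassiveEntry]) -> Dict[str, List[int]]:
    """Heuristic (assumption): flag an interface when service 0 holds
    latency/jitter samples while an application service on the same
    interface has packet-loss samples but no latency/jitter samples.
    Returns {interface: [application service ids]}."""
    by_iface: Dict[str, List[PassiveEntry]] = {}
    for e in entries:
        by_iface.setdefault(e.interface, []).append(e)
    findings: Dict[str, List[int]] = {}
    for iface, rows in by_iface.items():
        default_has_samples = any(
            e.service_id == 0 and (e.latency_ts or e.jitter_ts) for e in rows)
        starved_apps = sorted(
            e.service_id for e in rows
            if e.service_id != 0 and e.pktloss_ts
            and e.latency_ts is None and e.jitter_ts is None)
        if default_has_samples and starved_apps:
            findings[iface] = starved_apps
    return findings


if __name__ == "__main__":
    for name, sample in (("default only", SAMPLE_DEFAULT_ONLY),
                         ("with SSH", SAMPLE_WITH_SSH)):
        rows = parse_passive_list(sample)
        print(f"{name}: {len(rows)} row(s), suspect={find_misattributed(rows)}")
```

Feed the output of the diagnose command captured from a unit into `parse_passive_list` and inspect `find_misattributed`; a non-empty result for an interface means application rows are accumulating packet loss while their latency and jitter samples are landing under service 0, which is the behaviour this article describes for v7.6.3.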

This issue has been addressed in v7.6.4.
