FortiGate
fwilliams
Staff
Article Id 225290
Description

This article describes passive performance SLA.

Starting from FortiOS 7.0, it is possible to configure a 'performance SLA' that is less resource intensive: the user does not need to target any particular server IP, because the measurement is passive (based on the session table).

Scope

Products:

FortiGate v7.0

FortiGate v7.2

Solution

In some cases, the 'active probe' version of the SD-WAN link monitor can overwhelm the FortiGate.

In such conditions, the 'passive' version can be helpful.

How is passive SLA able to determine whether a link's health is good or not?

It analyzes session information gathered from the TCP sessions on the FortiGate to determine latency, jitter and packet loss on each link (the same metrics the active probe measures).

To deploy a passive performance SLA, go to SDWAN -> New Performance SLA; under Probe Mode, select 'Passive', then specify the interface.

The SLA targets referenced by the passive configuration can be adjusted.

After the passive performance SLA is configured, apply it to a firewall policy to activate the SLA.

 

# config firewall policy
    edit 4
        set passive-wan-health-measurement enable
    next
end

 


Note:

Once passive-wan-health-measurement is enabled on the policy, auto-asic-offload will be disabled.


Also note the 'tcp_3way_rtt' flag in the session's 'state' field: it shows that the passive SD-WAN probe is analyzing this session.

The reason for 'no NPU offload' is also shown in the session entry.

Once 'passive health check' is enabled on a policy, NPU offloading cannot be enabled on that policy.


To verify the passive probe, use:

# diagnose sys link-monitor-passive interface

Interface wan1 (5):
       Default(0x00000000): latency=160.0   15:31:23, jitter=0.0     14:56:30, pktloss=0.0  % NA
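As an added example (not part of this article or of FortiOS), the script below parses the output of this diag command and reports which interfaces breach an SLA target, so the passive measurements can be checked from a monitoring script instead of by eye. The wan2 line and the threshold values are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of 'diagnose sys link-monitor-passive interface' output.
# wan1 mirrors the article's output; wan2 is invented to show an SLA breach.
SAMPLE_OUTPUT = """\
Interface wan1 (5):
       Default(0x00000000): latency=160.0   15:31:23, jitter=0.0     14:56:30, pktloss=0.0  % NA
Interface wan2 (6):
       Default(0x00000000): latency=420.5   15:31:20, jitter=35.2    15:31:20, pktloss=4.0  % 15:31:20
"""

IFACE_RE = re.compile(r"^Interface\s+(\S+)\s+\(\d+\):")
# latency/jitter are followed by the time of the last sample, pktloss by '%' and a time or NA
METRIC_RE = re.compile(
    r"^\s*\w+\(0x[0-9a-fA-F]+\):\s*latency=([\d.]+)\s+\S+,\s*"
    r"jitter=([\d.]+)\s+\S+,\s*pktloss=([\d.]+)\s*%"
)

def parse_passive_output(text: str) -> Dict[str, Dict[str, float]]:
    """Map each interface in the diag output to its latency (ms), jitter (ms) and pktloss (%)."""
    results, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)          # the metric line that follows belongs to this interface
            continue
        m = METRIC_RE.match(line)
        if m and current:
            lat, jit, loss = (float(v) for v in m.groups())
            results[current] = {"latency": lat, "jitter": jit, "pktloss": loss}
    return results

# Assumed example thresholds; set them to match your own SLA target, they are not FortiOS defaults.
SLA_LIMITS = {"latency": 250.0, "jitter": 30.0, "pktloss": 2.0}

def check_sla(metrics: Dict[str, Dict[str, float]], limits=SLA_LIMITS) -> Dict[str, List[str]]:
    """Return, per interface, the SLA criteria it breaches (empty list = link within SLA)."""
    report = {}
    for iface, m in metrics.items():
        report[iface] = [f"{k} {m[k]} > {limits[k]}" for k in ("latency", "jitter", "pktloss")
                         if m[k] > limits[k]]
    return report

if __name__ == "__main__":
    for iface, breaches in check_sla(parse_passive_output(SAMPLE_OUTPUT)).items():
        print(iface, "within SLA" if not breaches else "; ".join(breaches))
```

Feed it the real command output (for example via an SSH session) instead of SAMPLE_OUTPUT to alert on links that fall outside the configured SLA.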
