FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nalexiou
Staff
Staff
Description This article describes the behavior of the SD-WANrules configured in manual mode when the performance sla for the interface is failing.
Scope FortiOs .
Solution

If all health-check are indicating that an interface is dead, even if it is used in the manual mode, this SD-WAN rule will be void.

 

# config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
    next
end


# config members
    edit 1
        set interface "port9"
        set gateway 10.109.31.254
    next
end


# config health-check
    edit "sla"
        set server "1.1.1.1"
        set update-static-route disable
        set members 1
    next
end


# config service
    edit 1
        set name "rule"
        set dst "8.8.8.8/32"
        set priority-members 1
    next
end
end

 

When the SLA is failing the interface is marked as dead.

 

FortiGate-1000D # di sys sdwan health-check
Health Check(sla):
Seq(1 port9): state(dead), packet-loss(45.000%) sla_map=0x0

 

The rule is disabled:

 

FortiGate-1000D # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200
Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service disabled caused by no outgoing path. <-----
Members(1):
1: Seq_num(1 port9), dead
Dst address(1):
8.8.8.8-8.8.8.8

 

To avoid this behavior in case the configured SLA is used in different rule and to have the manual rule to be matched, it is possible to configure a SLA which will monitor different server and will still be up.

 

This behaviour can cause issues when there are multiple rules and in some of them SLA is configured.

But it is also necessary to have rules in manual mode which needs to be always matched.Example: in order to tag the traffic.

Contributors