FortiGate
nalexiou
Staff & Editor
Article Id 223230
Description
This article describes the behavior of SD-WAN rules configured in manual mode when the Performance SLA for the member interface is failing.
Scope
FortiOS.
Solution

The manual strategy does not require a Performance SLA. However, Performance SLA health-checks can still be configured to monitor the members' status, and they affect manual-mode rules as well: if every Performance SLA health-check that monitors an interface reports it as dead, any manual-mode SD-WAN rule that uses this interface is disabled (void), even though the rule itself does not reference the SLA.

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port9"
            set gateway 10.109.31.254
            set zone "virtual-wan-link"
        next
    end
    config health-check
        edit "sla"
            set server "1.1.1.1"
            set update-static-route disable
            set members 1
        next
    end
    config service
        edit 1
            set name "rule"
            set dst "8.8.8.8/32"
            set priority-members 1
        next
    end
end

When the Performance SLA is failing, the member interface is marked as dead in the health-check output:


diagnose system sdwan health-check
Health Check(sla):
Seq(1 port9): state(dead), packet-loss(45.000%) sla_map=0x0


The manual-mode SD-WAN rule is then disabled because it has no alive member left (see the "Service disabled" line below):


diagnose system sdwan service

Service(1): Address Mode(IPV4) flags=0x200
Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service disabled caused by no outgoing path. <-
Members(1):
1: Seq_num(1 port9), dead
Dst address(1):
8.8.8.8-8.8.8.8


To avoid this behavior, one of the following options can be applied:

  • Delete ALL related health-checks for which the members are dead. Note that without any health-check, members are considered alive or dead according to the interface (link) status only.
  • Configure at least one health-check for which the members are alive. A member is only treated as dead when every health-check monitoring it reports dead, so one passing health-check keeps the member, and the manual-mode rule, usable.
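The member-state logic described above, and the correlation between the two diagnose outputs, can be checked from a monitoring host. The following Python script is an added example and is not part of the article or of FortiOS; it parses sample output constructed to match the format shown in this article (the health-check names "sla" and "sla-backup" in the second scenario are invented for illustration), applies the rule "a member is dead only if all health-checks monitoring it report dead, and follows the interface status when no health-check exists", and reports manual-mode rules disabled by "no outgoing path" together with the health-checks responsible.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, modelled on "diagnose system sdwan health-check".
HEALTH_CHECK_OUTPUT = """\
Health Check(sla):
Seq(1 port9): state(dead), packet-loss(45.000%) sla_map=0x0
"""

# Constructed sample output, modelled on "diagnose system sdwan service".
SERVICE_OUTPUT = """\
Service(1): Address Mode(IPV4) flags=0x200
Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service disabled caused by no outgoing path.
Members(1):
1: Seq_num(1 port9), dead
Dst address(1):
8.8.8.8-8.8.8.8
"""


def parse_health_checks(text: str) -> Dict[str, Dict[int, str]]:
    """Return {health-check name: {member seq: state}} from health-check output."""
    checks: Dict[str, Dict[int, str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Health Check\((.+?)\):", line)
        if m:
            current = checks.setdefault(m.group(1), {})
            continue
        m = re.match(r"Seq\((\d+) \S+\): state\((\w+)\)", line)
        if m and current is not None:
            current[int(m.group(1))] = m.group(2)
    return checks


def parse_services(text: str) -> List[dict]:
    """Return one dict per SD-WAN rule: id, mode, disabled_reason, members."""
    services: List[dict] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Service\((\d+)\)", line)
        if m:  # "Address Mode(IPV4)" is on this line, so skip the Mode() search here
            current = {"id": int(m.group(1)), "mode": None,
                       "disabled_reason": None, "members": []}
            services.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"\bMode\((\w+)\)", line)
        if m:
            current["mode"] = m.group(1)
        m = re.match(r"Service disabled caused by (.+?)\.", line)
        if m:
            current["disabled_reason"] = m.group(1)
        m = re.match(r"\d+: Seq_num\((\d+) (\S+)\), (\w+)", line)
        if m:
            current["members"].append({"seq": int(m.group(1)),
                                       "interface": m.group(2),
                                       "state": m.group(3)})
    return services


def effective_member_state(seq: int, checks: Dict[str, Dict[int, str]],
                           interface_up: bool = True) -> str:
    """Dead only if every health-check monitoring the member says dead;
    with no health-check at all, the interface link status decides."""
    states = [seqs[seq] for seqs in checks.values() if seq in seqs]
    if not states:
        return "alive" if interface_up else "dead"
    return "dead" if all(s == "dead" for s in states) else "alive"


def report_disabled_manual_rules(checks: Dict[str, Dict[int, str]],
                                 services: List[dict]) -> List[Tuple[int, list]]:
    """For each manual rule disabled by 'no outgoing path', list its members
    and the health-checks reporting each member dead."""
    findings = []
    for svc in services:
        if svc["mode"] != "manual" or svc["disabled_reason"] != "no outgoing path":
            continue
        members = []
        for mem in svc["members"]:
            dead_checks = sorted(name for name, seqs in checks.items()
                                 if seqs.get(mem["seq"]) == "dead")
            members.append((mem["seq"], mem["interface"], dead_checks))
        findings.append((svc["id"], members))
    return findings


if __name__ == "__main__":
    hcs = parse_health_checks(HEALTH_CHECK_OUTPUT)
    for rule_id, members in report_disabled_manual_rules(hcs, parse_services(SERVICE_OUTPUT)):
        for seq, iface, dead in members:
            print(f"rule {rule_id}: member {seq} ({iface}) dead per health-check(s) {dead}")
```

Running it against the sample prints that rule 1's member port9 is dead per health-check "sla", which is exactly the condition the two mitigation options address: removing "sla" makes the member follow the link status, while adding a second health-check that reports port9 alive makes effective_member_state() return "alive" and keeps the rule enabled.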


This behavior can cause issues when there are multiple rules and the SLA is configured only for some of them: a failing Performance SLA also disables the manual-mode rules that share the same members, even though those rules do not reference it.

However, it is also often necessary to have rules in manual mode that are always matched, for example rules whose only purpose is to tag the traffic.


Related article:
Technical Tip: SD-WAN rule in manual mode avoid Performance SLA failed