Wallerson
Staff
Article Id 332724
Description This article describes the meaning of the SLA target field displayed via CLI.
Scope FortiGate v7.4.
Solution

The sla_map field is displayed when the Lowest cost (SLA) strategy is selected in the SD-WAN rule.

To see the field, run the command 'diagnose sys sdwan service4 <id sdwan rule>' as shown below:

 

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(2 port2 ISP-SDWAN), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(1 port1 ISP-SDWAN), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 

The command shows sla(0x1) for all members (Port1 and Port2). This means that all members meet the SLA target named Ping.

 

When one member doesn't meet the SLA target, the field shows sla(0x0), which means the interface will not be used:

 

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 2
Gen(2), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(1 port1 ISP-SDWAN), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
2: Seq_num(2 port2 ISP-SDWAN), alive, sla(0x0), gid(0), cfg_order(0), local cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 


 

In some cases, two SLA targets might be added to the same SD-WAN rule.

 

The following fields might be seen:

sla(0x3) -> Match both targets

sla(0x1) -> Match target 1 (Ping) - As per adding order.

sla(0x2) -> Match target 2 (Ping2) - As per adding order.

sla(0x0) -> No target match

 

Below is the output where Port1 and Port2 meet both SLA targets:

 

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(2 port2 ISP-SDWAN), alive, sla(0x3), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(1 port1 ISP-SDWAN), alive, sla(0x3), gid(0), cfg_order(1), local cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 


 

In the following example, Port1 meets only SLA target number 2 (Ping2 in this case), while Port2 meets both SLA targets:

 

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(2 port2 ISP-SDWAN), alive, sla(0x3), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(1 port1 ISP-SDWAN), alive, sla(0x2), gid(0), cfg_order(1), local cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 


 

If more SLA targets are added to the SD-WAN rule, the sla_map field will use different values to represent the status. The following output is from a rule with 3 SLA targets, all of which are met by Port1 and Port2:

 

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(2 port2 ISP-SDWAN), alive, sla(0x7), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(1 port1 ISP-SDWAN), alive, sla(0x7), gid(0), cfg_order(1), local cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 


 

The sla_map field uses a bitmask representation to reference the SLA targets and their status. 

The first configured SLA target is assigned bit 0, the second configured SLA target is assigned bit 1, and so on.

If the member meets the SLA target, the bit of the SLA target is set to 1, otherwise to 0.

The following table shows the sla_map values for three SLA targets:

 

sla_map (hex)  SLA Target #3 (Bit 2)  SLA Target #2 (Bit 1)  SLA Target #1 (Bit 0)
               Value = 2² = 4         Value = 2¹ = 2         Value = 2⁰ = 1
0x7            Pass (1)               Pass (1)               Pass (1)
0x6            Pass (1)               Pass (1)               Fail (0)
0x5            Pass (1)               Fail (0)               Pass (1)
0x4            Pass (1)               Fail (0)               Fail (0)
0x3            Fail (0)               Pass (1)               Pass (1)
0x2            Fail (0)               Pass (1)               Fail (0)
0x1            Fail (0)               Fail (0)               Pass (1)
0x0            Fail (0)               Fail (0)               Fail (0)

 

For example, an sla_map of 0x6 means that SLA targets 3 and 2 are met, but not SLA target 1 (6 = 4 + 2 + 0).
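
The bitmask decoding described above, as an added Python example that is not part of the original article or any Fortinet tool: it parses the member lines of a saved 'diagnose sys sdwan service4' output and reports which SLA targets each member meets. The sample text is constructed from the output shown earlier, and the function names are hypothetical; the caller supplies the target names in the order they were added to the rule.

```python
import re

# Constructed sample, shaped like the member lines shown in this article.
SAMPLE = """\
Members(2):
1: Seq_num(2 port2 ISP-SDWAN), alive, sla(0x3), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(1 port1 ISP-SDWAN), alive, sla(0x2), gid(0), cfg_order(1), local cost(0), selected
"""

# Captures: sequence number, interface name, sla bitmask in hex.
MEMBER_RE = re.compile(r"Seq_num\((\d+)\s+(\S+)[^)]*\).*?\bsla\((0x[0-9a-fA-F]+)\)")


def decode_sla_map(sla_map, targets):
    """Return {target_name: met?}; the first configured target is bit 0."""
    if sla_map >> len(targets):
        # A set bit with no matching target means the target list is incomplete.
        raise ValueError(f"sla_map {sla_map:#x} has bits beyond {len(targets)} targets")
    return {name: bool(sla_map >> bit & 1) for bit, name in enumerate(targets)}


def parse_members(output, targets):
    """Map interface name -> decoded SLA status for every member line."""
    result = {}
    for line in output.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            result[m.group(2)] = decode_sla_map(int(m.group(3), 16), targets)
    return result


def failing(output, targets):
    """List (interface, target) pairs where the SLA target is not met."""
    return [(intf, name)
            for intf, status in parse_members(output, targets).items()
            for name, ok in status.items() if not ok]


if __name__ == "__main__":
    for intf, status in parse_members(SAMPLE, ["Ping", "Ping2"]).items():
        print(intf, status)
    print("failing:", failing(SAMPLE, ["Ping", "Ping2"]))
```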
