sparchuri
Staff
Article Id 392312
Description: This article describes how to check SD-WAN member status and performance using the FortiGate CLI.
Scope: FortiGate v7.x.x
Solution

Configure the SD-WAN zone and assign members to the zone:

Create the SD-WAN zone:

config sys sdwan
    config zone
        edit "HUB2"      <----- Creates SD-WAN zone HUB2.
        next
    end
end

Assign members to the SD-WAN zone:

config sys sdwan
    config members
        edit 30
            set interface "HUB2-VPN1-1" <----- Assigns member HUB2-VPN1-1 to zone HUB2.
            set zone "HUB2"
            set cost 120
            set priority 10
        next
        edit 31
            set interface "HUB2-VPN2-1" <----- Assigns member HUB2-VPN2-1 to zone HUB2.
            set zone "HUB2"
            set cost 130
            set priority 10
        next
    end
end

Configure the health-check:

config sys sdwan
    config health-check
        edit "HUB2_HC"   <----- Creates health-check HUB2_HC.
            set server "10.127.23.252" "10.127.192.34"  <----- Target servers.
            set probe-timeout 1000
            set update-cascade-interface disable
            set update-static-route disable
            set sla-fail-log-period 10
            set sla-pass-log-period 10
            set members 30 31   <----- 30 and 31 are the member IDs of HUB2-VPN1-1 and HUB2-VPN2-1 respectively.
            config sla
                edit 1
                    set latency-threshold 175
                    set jitter-threshold 35
                    set packetloss-threshold 2
                next
            end
        next
    end
end

Scenario 1: SD-WAN members are within the SLA threshold:

FortiGate # diagnose sys link-monitor interface HUB2-VPN1-1
Interface(HUB2-VPN1-1): state(up, since Sat May 17 11:36:45 2025), bandwidth(up:1507bps, down:1533bps), session count(IPv4:3, IPv6:0), tx(11302622 bytes), rx(246600 bytes), latency(0.50), jitter(0.06), packet-loss(0.00).

Fortigate # diag sys link-monitor interface HUB2-VPN2-1
Interface(HUB2-VPN2-1): state(up, since Sat May 17 11:36:53 2025), bandwidth(up:1519bps, down:1513bps), session count(IPv4:2, IPv6:0), tx(2290545 bytes), rx(220822 bytes), latency(0.43), jitter(0.03), packet-loss(0.00).

In scenario 1, the members HUB2-VPN1-1 and HUB2-VPN2-1 are within the SLA threshold, which is why the member state shows as up.

Scenario 2: SD-WAN members are not within the SLA threshold:

FortiGate # diagnose sys link-monitor interface HUB2-VPN1-1
Interface(HUB2-VPN1-1): state(up, since Sat May 17 11:36:45 2025), bandwidth(up:1684bps, down:1423bps), session count(IPv4:3, IPv6:0), tx(11356578 bytes), rx(299752 bytes), latency(0.49), jitter(0.06), packet-loss(7.00).

FortiGate # diagnose sys link-monitor interface HUB2-VPN2-1
Interface(HUB2-VPN2-1): state(up, since Sat May 17 11:36:53 2025), bandwidth(up:1716bps, down:1056bps), session count(IPv4:2, IPv6:0), tx(2343251 bytes), rx(269216 bytes), latency(0.50), jitter(0.19), packet-loss(24.00).

In scenario 2, there is a packet loss of 7% and 24% on members HUB2-VPN1-1 and HUB2-VPN2-1 respectively, but the member state still shows as up. The packet loss threshold for health-check HUB2_HC is 2%, so the SD-WAN members fail to meet the SLA target, yet the link-monitor state remains up: the SLA result and the link state are separate checks.

Scenario 3: SD-WAN members fail to meet the link status threshold:

Check Interval: 20 ms
Failures before inactive: 1
Restore link after: 1

FortiGate# diagnose sys link-monitor interface HUB2-VPN1-1
Interface(HUB2-VPN1-1): state(down, since Sat May 17 12:01:51 2025), bandwidth(up:0bps, down:0bps), session count(IPv4:4, IPv6:0), tx(12176787 bytes), rx(354423 bytes

FortiGate# diagnose sys link-monitor interface HUB2-VPN2-1
Interface(HUB2-VPN2-1): state(down, since Sat May 17 12:01:51 2025), bandwidth(up:0bps, down:0bps), session count(IPv4:1, IPv6:0), tx(3108670 bytes), rx(316357 bytes).

In scenario 3, the members HUB2-VPN1-1 and HUB2-VPN2-1 show as down because they failed to meet the link status threshold, but the system interface still shows as up.

FortiGate# show full sys interface HUB2-VPN2-1 | grep status
set status up <----- The system interface shows as up.

FortiGate # diag sys link-monitor interface HUB2-VPN2-1
Interface(HUB2-VPN2-1): state(down, since Sat May 17 12:56:32 2025), bandwidth(up:32242bps, down:0bps), session count(IPv4:6316, IPv6:0), tx(5099173 bytes), rx(681952 bytes).<----- The SD-WAN member HUB2-VPN2-1 shows as down.

Checking the SD-WAN member state is useful when troubleshooting BGP establishment issues or intermittent BGP flaps.

For example, in scenario 3, if a BGP neighbor is configured on interface HUB2-VPN2-1, the neighbor relationship will fail because the SD-WAN member state is down, even though the system interface shows as up.
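As an added example (not part of the original article or Fortinet's own tooling), the following Python script parses pasted `diagnose sys link-monitor interface` output and classifies each member against the HUB2_HC SLA thresholds, separating the three scenarios above: up and within SLA, up but outside SLA, and down on the link status check. The sample lines are copied from scenarios 2 and 3.

```python
import re

# SLA thresholds from health-check HUB2_HC (config sla, edit 1) on this page.
SLA = {"latency": 175.0, "jitter": 35.0, "packet-loss": 2.0}

# One 'diagnose sys link-monitor interface' output line. The metrics group is
# optional: a member in state(down) prints no latency/jitter/loss (scenario 3).
LINE_RE = re.compile(
    r"Interface\((?P<name>[^)]+)\): state\((?P<state>up|down)"
    r"(?:.*?latency\((?P<latency>[\d.]+)\), jitter\((?P<jitter>[\d.]+)\), "
    r"packet-loss\((?P<loss>[\d.]+)\))?"
)

def parse_member(line: str) -> dict:
    """Return the member name, its link-monitor state and any SLA metric breached."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a link-monitor interface line")
    breaches = []
    if m.group("latency") is not None:
        measured = {"latency": float(m.group("latency")),
                    "jitter": float(m.group("jitter")),
                    "packet-loss": float(m.group("loss"))}
        breaches = [k for k, v in measured.items() if v > SLA[k]]
    return {"name": m.group("name"), "state": m.group("state"), "breaches": breaches}

def classify(member: dict) -> str:
    """Map a parsed member onto the three scenarios described in the article."""
    if member["state"] == "down":
        return "down: link-status threshold failed (system interface may still be up)"
    if member["breaches"]:
        return "up but outside SLA: " + ", ".join(member["breaches"])
    return "up and within SLA"

def report(output: str) -> dict:
    """Classify every member in pasted CLI output; prompt lines are skipped."""
    lines = [ln for ln in output.splitlines() if ln.startswith("Interface(")]
    return {m["name"]: classify(m) for m in map(parse_member, lines)}

# Sample output copied from scenario 2 (HUB2-VPN1-1) and scenario 3 (HUB2-VPN2-1).
SAMPLE = """FortiGate # diagnose sys link-monitor interface HUB2-VPN1-1
Interface(HUB2-VPN1-1): state(up, since Sat May 17 11:36:45 2025), bandwidth(up:1684bps, down:1423bps), session count(IPv4:3, IPv6:0), tx(11356578 bytes), rx(299752 bytes), latency(0.49), jitter(0.06), packet-loss(7.00).
FortiGate# diagnose sys link-monitor interface HUB2-VPN2-1
Interface(HUB2-VPN2-1): state(down, since Sat May 17 12:01:51 2025), bandwidth(up:0bps, down:0bps), session count(IPv4:1, IPv6:0), tx(3108670 bytes), rx(316357 bytes).
"""

if __name__ == "__main__":
    for name, verdict in report(SAMPLE).items():
        print(name, "->", verdict)
```

A member reported as "down" here should be cross-checked with `show full sys interface <name> | grep status`, since the system interface can still be up while the SD-WAN member is not.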
