FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 270890

This article describes how to solve an issue where the user receives too many SDWAN SLA notifications after calling 'virtual wan link status' under an automation trigger.

Scope All supported versions of FortiOS.

Consider an example where it is a requirement to receive the notifications for an SD-WAN specific violation status. It is not possible to select a specific SLA trigger under automation, so the 'virtual WAN link' status is configured as the option for the automation trigger and the corresponding log ID is 22923. The same log ID will be generated for many other SD-WAN alerts. For example:


SD-WAN sla notification


The member started forwarding traffic. If the requirement is to receive a notification only for specific SLA notification, follow the steps below:


date=2023-08-28 time=17:10:51 eventtime=1693235451844980709 tz="+0200" logid="0113022923" type="event" subtype="sdwan" level="notice" vd="root" logdesc="SDWAN status" eventtype="Health Check" healthcheck="testuy" slatargetid=1 member="1" msg="Member status changed. Member out-of-sla."


Next, use any of the above fields as a filter so only the logs which match that filter will send alerts.

In this example, the requirement is an alert for all logs which return 'testuy' as the health check value.


To set this up, configure the automation trigger as below:




Here, 'healthcheck' is name of the attribute in log and 'testuy' is the value of that attribute.

The only additional setting necessary to configure is the addition of an extra filter based on the name and value in the log to ensure only relevant logs are received.