Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSOAR
- FortiSIEM
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Passive WAN health measurement
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Passive WAN health measurement
Hi Fortinet team and all,
I would like to understand deep and dive technical functionality of passive WAN health measurement.
Could anyone share document to understand it? Like
- How it is calculating the jitter, packet loss and latency through TCP session of internet traffic?
- There will be multiple public IPs (Basically destinations) towards internet traffic, so SLA varies for every destination.
- What's the formula behind it to calculate SLA by all of the internet destination traffic?
- How can I view the sessions in FortiGate those have been used to calculate the passive SLA?
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Labels:
- Labels:
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
In SDWAN performance SLA monitors members' health.
When you configure performance SLA you will get the option to select probe mode active or passive.
1) Active mode:-
In Active monitoring, the health of the member is checked by periodically sent probes towards the configured servers to determine its performance.
2) Passive mode:-
In passive health monitoring, the health of the member is determined based on the traffic passing through the member.
FGT monitors the actual traffic flowing through the member to determine its performance.
Passive monitoring simplifies configuration and reduced the network by using the probe-free approach for measuring the performance of members.
FGT measures packet loss, latency, and jitter based on the TCP traffic sent and received through the member.
This is a more accurate approach than active monitoring because you measure the member performance based on the actual traffic passing through the member,
instead of measuring it based on the probes that may be unrelated to the application you want to effectively steer using SDWAN.
In passive monitoring, latency is calculated on the RTT(Round Trip Time) of TCP connection setup and tear down. While jitter and packet loss are calculated based on the TCP header information.
Note:- Passive monitoring does not detect dead members and Hardware acceleration is disabled on the traffic subject to passive monitoring.
Configuration:-
1)first set the passive more in the health check configuration
2)Enable passive-wan-health-measurement on the firewall policies that accept traffic for the monitoring member
Once you enable passive-wan-health-measurement autoasic-offload will be disabled automatically.
Please follow the below article for your reference:-
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Passive-performance-SLA/ta-p/225290
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pgautam ,
Thanks for your reply. I have a doubt like once we enabled passive WAN health measurement in firewall policy.
There would me plenty of internet traffic say for example 10 different internet traffic, each of the internet traffic will be locatated in different location (hosting servers) and have different jitter, latency and packet loss.2
So by all the 10 TCP traffic how fortigate is calculating the SLA metric?
How can I check the TCP sessions are being used by passive health check? Is there any GUI or CLI commend?
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
The available constraints in the SLA are below:-
Latency threshold: Latency for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
Jitter threshold: Jitter for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
Packet loss threshold: Packet loss for SLA to make decision, in percentage (0 - 100, default = 0).
If health check is configured in passive mode, and SLA thresholds are set.
Passive WAN health measurement is enabled on the SD-WAN policy in this case based on the threshold exceeded SLA will take action.
E.g. :- YouTube traffic generated by the PC. When latency is introduced to the traffic on
the passive health check trigger threshold is exceeded and traffic is rerouted to other healthy interface.
config health-check
edit "Passive_Check"
set detect-mode passive
set members 1 2
config sla
edit 1
set latency-threshold 500
set jitter-threshold 500
set packetloss-threshold 10
next
edit 2
set latency-threshold 1000
set jitter-threshold 1000
set packetloss-threshold 10
next
end
next
end
In case if you have 10 TCP connections as well then based on the defined SLA limit action will be taken by the Monitor.
FGT measures packet loss, latency, and jitter based on the TCP traffic sent and received through the member.
In passive monitoring, latency is calculated on the RTT(Round Trip Time) of TCP connection setup and tear down. While jitter and packet loss are calculated based on the TCP header information.
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pgautam ,
Thanks for the prompt reply. sorry to say this but the answer you have given is not correct one to my question.
If there are 10 TCP session with different destination, each TCP will have different SLA metrics, how the FortiGate firewall is calculating SLA metric with all the 10 TCP session with different SLA values? What's the formula behind it.
Let's say is active sla mode it uses last 30 packet to calculate sla metrics.
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Created on 08-01-2023 10:29 PM Edited on 08-01-2023 10:32 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pgautam ,
I have checked my FortiGate firewall session table for the firewall policy where passive wan health measurement is enabled. I found that there are zero sessions as below.
Firewall policy:
Session list:
But still passive SLA is showing the sla metrics. Could you please help to understand this?
Passive_SLA:
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
In passive monitoring, SLA is calculated based on the TCP traffic leaving from the SDWAM member interface.
Could you please check if you have a TCP session on the port1 and port2 which is part of the SDWAN SLA?
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
From the output you have shared when there is no TCP session, that means Passive monitor cannot measure the SLA metrics and it shows 0 for all, but one thing to note is, it will not effect the SDWAN member state, so you will still see them UP. You have an option to use Prefer passive, which will first attempt Passive and them switch to Active if there is no traffic through the SDWAN member. For that you need to define an Active probe with some internet based servers.
How this is calculate is already explained by @pgautam and out of 10 TCP session if anyone of them exceeds the latency threshold for example during the TCP connection setup, it should trigger a WAN failover. Also important to note that you can control this based on the Firewall policy or even application and only those session matching Firewall policy or an application will be accounted for the measurements.
Regards,
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,749 -
FortiClient
1,777 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
477 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
323 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
208 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
56 -
High Availability
56 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1737 | |
| 1107 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.