Hi Fortinet team and all,
I would like to understand deep and dive technical functionality of passive WAN health measurement.
Could anyone share document to understand it? Like
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Ajay,
In SDWAN performance SLA monitors members' health.
When you configure performance SLA you will get the option to select probe mode active or passive.
1) Active mode:-
In Active monitoring, the health of the member is checked by periodically sent probes towards the configured servers to determine its performance.
2) Passive mode:-
In passive health monitoring, the health of the member is determined based on the traffic passing through the member.
FGT monitors the actual traffic flowing through the member to determine its performance.
Passive monitoring simplifies configuration and reduced the network by using the probe-free approach for measuring the performance of members.
FGT measures packet loss, latency, and jitter based on the TCP traffic sent and received through the member.
This is a more accurate approach than active monitoring because you measure the member performance based on the actual traffic passing through the member,
instead of measuring it based on the probes that may be unrelated to the application you want to effectively steer using SDWAN.
In passive monitoring, latency is calculated on the RTT(Round Trip Time) of TCP connection setup and tear down. While jitter and packet loss are calculated based on the TCP header information.
Note:- Passive monitoring does not detect dead members and Hardware acceleration is disabled on the traffic subject to passive monitoring.
Configuration:-
1)first set the passive more in the health check configuration
2)Enable passive-wan-health-measurement on the firewall policies that accept traffic for the monitoring member
Once you enable passive-wan-health-measurement autoasic-offload will be disabled automatically.
Please follow the below article for your reference:-
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Passive-performance-SLA/ta-p/225290
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Hi @pgautam ,
Thanks for your reply. I have a doubt like once we enabled passive WAN health measurement in firewall policy.
There would me plenty of internet traffic say for example 10 different internet traffic, each of the internet traffic will be locatated in different location (hosting servers) and have different jitter, latency and packet loss.2
So by all the 10 TCP traffic how fortigate is calculating the SLA metric?
How can I check the TCP sessions are being used by passive health check? Is there any GUI or CLI commend?
Hi @pgautam ,
Thanks for the prompt reply. sorry to say this but the answer you have given is not correct one to my question.
If there are 10 TCP session with different destination, each TCP will have different SLA metrics, how the FortiGate firewall is calculating SLA metric with all the 10 TCP session with different SLA values? What's the formula behind it.
Let's say is active sla mode it uses last 30 packet to calculate sla metrics.
Created on 08-01-2023 10:29 PM Edited on 08-01-2023 10:32 PM
Hi @pgautam ,
I have checked my FortiGate firewall session table for the firewall policy where passive wan health measurement is enabled. I found that there are zero sessions as below.
Firewall policy:
Session list:
But still passive SLA is showing the sla metrics. Could you please help to understand this?
Passive_SLA:
Hi Ajay,
In passive monitoring, SLA is calculated based on the TCP traffic leaving from the SDWAM member interface.
Could you please check if you have a TCP session on the port1 and port2 which is part of the SDWAN SLA?
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Hi Ajay,
From the output you have shared when there is no TCP session, that means Passive monitor cannot measure the SLA metrics and it shows 0 for all, but one thing to note is, it will not effect the SDWAN member state, so you will still see them UP. You have an option to use Prefer passive, which will first attempt Passive and them switch to Active if there is no traffic through the SDWAN member. For that you need to define an Active probe with some internet based servers.
How this is calculate is already explained by @pgautam and out of 10 TCP session if anyone of them exceeds the latency threshold for example during the TCP connection setup, it should trigger a WAN failover. Also important to note that you can control this based on the Firewall policy or even application and only those session matching Firewall policy or an application will be accounted for the measurements.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.