- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Passive WAN health measurement
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Passive WAN health measurement
Hi Fortinet team and all,
I would like to understand deep and dive technical functionality of passive WAN health measurement.
Could anyone share document to understand it? Like
- How it is calculating the jitter, packet loss and latency through TCP session of internet traffic?
- There will be multiple public IPs (Basically destinations) towards internet traffic, so SLA varies for every destination.
- What's the formula behind it to calculate SLA by all of the internet destination traffic?
- How can I view the sessions in FortiGate those have been used to calculate the passive SLA?
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Labels:
- Labels:
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
In SDWAN performance SLA monitors members' health.
When you configure performance SLA you will get the option to select probe mode active or passive.
1) Active mode:-
In Active monitoring, the health of the member is checked by periodically sent probes towards the configured servers to determine its performance.
2) Passive mode:-
In passive health monitoring, the health of the member is determined based on the traffic passing through the member.
FGT monitors the actual traffic flowing through the member to determine its performance.
Passive monitoring simplifies configuration and reduced the network by using the probe-free approach for measuring the performance of members.
FGT measures packet loss, latency, and jitter based on the TCP traffic sent and received through the member.
This is a more accurate approach than active monitoring because you measure the member performance based on the actual traffic passing through the member,
instead of measuring it based on the probes that may be unrelated to the application you want to effectively steer using SDWAN.
In passive monitoring, latency is calculated on the RTT(Round Trip Time) of TCP connection setup and tear down. While jitter and packet loss are calculated based on the TCP header information.
Note:- Passive monitoring does not detect dead members and Hardware acceleration is disabled on the traffic subject to passive monitoring.
Configuration:-
1)first set the passive more in the health check configuration
2)Enable passive-wan-health-measurement on the firewall policies that accept traffic for the monitoring member
Once you enable passive-wan-health-measurement autoasic-offload will be disabled automatically.
Please follow the below article for your reference:-
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Passive-performance-SLA/ta-p/225290
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pgautam ,
Thanks for your reply. I have a doubt like once we enabled passive WAN health measurement in firewall policy.
There would me plenty of internet traffic say for example 10 different internet traffic, each of the internet traffic will be locatated in different location (hosting servers) and have different jitter, latency and packet loss.2
So by all the 10 TCP traffic how fortigate is calculating the SLA metric?
How can I check the TCP sessions are being used by passive health check? Is there any GUI or CLI commend?
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
The available constraints in the SLA are below:-
Latency threshold: Latency for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
Jitter threshold: Jitter for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
Packet loss threshold: Packet loss for SLA to make decision, in percentage (0 - 100, default = 0).
If health check is configured in passive mode, and SLA thresholds are set.
Passive WAN health measurement is enabled on the SD-WAN policy in this case based on the threshold exceeded SLA will take action.
E.g. :- YouTube traffic generated by the PC. When latency is introduced to the traffic on
the passive health check trigger threshold is exceeded and traffic is rerouted to other healthy interface.
config health-check
edit "Passive_Check"
set detect-mode passive
set members 1 2
config sla
edit 1
set latency-threshold 500
set jitter-threshold 500
set packetloss-threshold 10
next
edit 2
set latency-threshold 1000
set jitter-threshold 1000
set packetloss-threshold 10
next
end
next
end
In case if you have 10 TCP connections as well then based on the defined SLA limit action will be taken by the Monitor.
FGT measures packet loss, latency, and jitter based on the TCP traffic sent and received through the member.
In passive monitoring, latency is calculated on the RTT(Round Trip Time) of TCP connection setup and tear down. While jitter and packet loss are calculated based on the TCP header information.
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pgautam ,
Thanks for the prompt reply. sorry to say this but the answer you have given is not correct one to my question.
If there are 10 TCP session with different destination, each TCP will have different SLA metrics, how the FortiGate firewall is calculating SLA metric with all the 10 TCP session with different SLA values? What's the formula behind it.
Let's say is active sla mode it uses last 30 packet to calculate sla metrics.
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Created on 08-01-2023 10:29 PM Edited on 08-01-2023 10:32 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pgautam ,
I have checked my FortiGate firewall session table for the firewall policy where passive wan health measurement is enabled. I found that there are zero sessions as below.
Firewall policy:
Session list:
But still passive SLA is showing the sla metrics. Could you please help to understand this?
Passive_SLA:
Thanks,
Ajay M
Ajay M
Thanks,Ajay M
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
In passive monitoring, SLA is calculated based on the TCP traffic leaving from the SDWAM member interface.
Could you please check if you have a TCP session on the port1 and port2 which is part of the SDWAN SLA?
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ajay,
From the output you have shared when there is no TCP session, that means Passive monitor cannot measure the SLA metrics and it shows 0 for all, but one thing to note is, it will not effect the SDWAN member state, so you will still see them UP. You have an option to use Prefer passive, which will first attempt Passive and them switch to Active if there is no traffic through the SDWAN member. For that you need to define an Active probe with some internet based servers.
How this is calculate is already explained by @pgautam and out of 10 TCP session if anyone of them exceeds the latency threshold for example during the TCP connection setup, it should trigger a WAN failover. Also important to note that you can control this based on the Firewall policy or even application and only those session matching Firewall policy or an application will be accounted for the measurements.
Regards,
Related Posts
- Allowing Inter-Vlan Communication 633 Views
- SD-WAN SLA probe packets and update... 3458 Views
Labels
-
FortiGate
6,532 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.