Greetings guys,
I am trying to understand how the sd-wan performance SLA probing traffic (for example, Ping/ICMP) is steered.
I have configured the SD-WAN performance SLA; two member interfaces are selected in the SLA, let's say port1 (MPLS in the picture) and port2 (OL_INET in the picture). The SLA is using Ping as the probing protocol, probing the detect server 10.74.x.x.
Port 1 is an MPLS underlay interface; port 2 is an overlay based on an Internet IPsec tunnel.
If I use the CLI on the FortiGate, I do see the probing traffic (ICMP echo request) flowing through the member interface added in the SLA.
diag sniffer packet OL_INET 'dst host 10.74.x.x' 4 0 a
interfaces=[OL_INET]
filters=[dst host 10.74.x.x]
2025-02-24 06:43:45.156019 OL_INET -- 10.250.a.b -> 10.74.x.x: icmp: echo request
diag sniffer packet OL_INET 'src host 10.74.x.x' 4 0 a
interfaces=[OL_INET]
filters=[src host 10.74.x.x]
2025-02-24 08:01:03.828714 OL_INET -- 10.74.x.x -> 10.250.a.b: icmp: echo reply
The 10.250.a.b in the traffic log is the IP address assigned to OL_INET, the IPsec tunnel address.
But the probing traffic is not showing up in the FortiAnalyzer traffic log. So I have lost visibility into the probing traffic: which rule are they following? Are they following the SD-WAN rule, as they are local-out traffic, or are they following the traditional route in the routing table?
Thanks for any advice.
Hello Sean,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Thanks,
The probing traffic likely follows SD-WAN rules as a part of local-out traffic, adhering to the configured performance SLAs, which critically determine their routing. Because this traffic is categorized as local-out, it might not appear in FortiAnalyzer logs by default. To enhance visibility, ensure your logging configuration includes settings for local-out traffic or use CLI diagnostics for real-time monitoring.
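An added check, not part of this thread or of Fortinet's own tooling: a small Python parser for the verbosity-4 sniffer lines quoted in the question. It pairs ICMP echo requests with replies per member interface and applies latency/loss thresholds, so the CLI output can stand in for the missing FortiAnalyzer records when verifying which member carries the probes and how they perform. The interface names, addresses and thresholds in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# One packet line from `diag sniffer packet <intf> '<filter>' 4 0 a`
# (verbosity 4 prints the interface name, 'a' prints absolute timestamps).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) (?P<intf>\S+) -- "
                     r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$")

def parse_probes(sniffer_output):
    """Per interface: request/reply counts and RTTs (ms). Verbosity 4 shows no
    ICMP id/seq, so a reply is matched to the oldest unanswered request."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "rtt_ms": []})
    pending = defaultdict(list)
    for line in sniffer_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips interfaces=[...] / filters=[...] header lines
        ts, intf = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["intf"]
        if m["kind"] == "request":
            stats[intf]["requests"] += 1
            pending[intf].append(ts)
        elif pending[intf]:  # a reply with no outstanding request is ignored
            stats[intf]["replies"] += 1
            delta = ts - pending[intf].pop(0)
            stats[intf]["rtt_ms"].append(delta.seconds * 1000 + delta.microseconds / 1000)
    return dict(stats)

def sla_check(stats, max_latency_ms, max_loss_pct):
    """Judge each member against latency/loss thresholds (constructed values)."""
    result = {}
    for intf, s in stats.items():
        loss = 100.0 * (s["requests"] - s["replies"]) / s["requests"] if s["requests"] else 100.0
        latency = sum(s["rtt_ms"]) / len(s["rtt_ms"]) if s["rtt_ms"] else None
        ok = latency is not None and latency <= max_latency_ms and loss <= max_loss_pct
        result[intf] = {"loss_pct": loss, "latency_ms": latency, "in_sla": ok}
    return result

# Constructed sample of `diag sniffer packet any 'host 10.74.0.1' 4 0 a`:
# probes leave from the OL_INET tunnel address and from port1 (MPLS).
SAMPLE = """\
interfaces=[any]
2025-02-24 06:43:45.156019 OL_INET -- 10.250.0.2 -> 10.74.0.1: icmp: echo request
2025-02-24 06:43:45.181019 OL_INET -- 10.74.0.1 -> 10.250.0.2: icmp: echo reply
2025-02-24 06:43:45.200000 port1 -- 10.1.1.2 -> 10.74.0.1: icmp: echo request
2025-02-24 06:43:45.210000 port1 -- 10.74.0.1 -> 10.1.1.2: icmp: echo reply
2025-02-24 06:43:46.156019 OL_INET -- 10.250.0.2 -> 10.74.0.1: icmp: echo request
2025-02-24 06:43:46.186019 OL_INET -- 10.74.0.1 -> 10.250.0.2: icmp: echo reply
2025-02-24 06:43:46.200000 port1 -- 10.1.1.2 -> 10.74.0.1: icmp: echo request
"""
```

Running `sla_check(parse_probes(SAMPLE), max_latency_ms=100, max_loss_pct=5)` on the sample marks OL_INET in SLA and port1 out of SLA because one of its two probes went unanswered.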
Copyright 2025 Fortinet, Inc. All Rights Reserved.