sean3
Contributor

multi Required SLA Target or multi probing detect server?

Greetings all,

I created two SLAs. They have the same settings (same interface participants, same SLA target, same link status metrics) and differ only in the detect server (probing target). SLA 1 probes 10.74.a.b, SLA 2 probes 172.29.x.y.

[Screenshot: 2 SLA.PNG]

[Screenshot: configure.PNG]

And I added the two SLAs under the same SD-WAN rule, which is set to lowest cost (SLA).

[Screenshot: sd-wan rule.PNG]

The question is: what is the Boolean logic here? Let's say 15 consecutive probing failures occur on either one of the two (1 out of 2) SLAs: will the related interface become inactive? And will the SD-WAN switch to the secondary interface (the interface with higher cost)?

And what if I add the two probing detect servers to the same SLA, and only use that one SLA under the SD-WAN rule?

[Screenshot: two server.PNG]

Thanks,

Sean

I am grateful for all your replies and assistance.
shuabhs2
New Contributor

I prefer to SLA monitor services the end users care about. O365 environment? Why not verify that office.com is reachable/performant? Similar targets are available for Google, AWS, or target your cloud-hosted ERP platform.

sean3

Thanks,

This is a hybrid environment. We are monitoring the reachability to Azure.

Could you elaborate a bit more?

In my case, we applied 2 SLAs under the same SD-WAN rule. Could you please help to review the post from Dhruvin_patel down below your post? And my supplementary post after that?

Dhruvin_patel

Greetings!

If you have two separate Performance SLA Rules, both rules must fail simultaneously for the related interface to become inactive. Therefore, if only one of the two SLAs fails (e.g., 15 consecutive probing failures), the interface will not be marked as inactive, and the SD-WAN will not switch to the secondary interface.

When you configure multiple probing servers within a single SLA, it operates as an 'AND' circuit. This means that both probing servers must fail for the SLA to trigger a failure state. If only one server fails, the interface will remain active.

I hope I answered your query.

Regards!

Dhruvin Patel
sean3

Great explanation, thanks a lot, we are almost there. Can you please review my thoughts here?

In practice, it seems both ways:

  1. multiple probing detect servers configured under the same performance SLA, with the single SLA used under the SD-WAN rule;
  2. or a single probing detect server for each performance SLA, with both SLAs used under the SD-WAN rule

can bring the same operational result.

In way 1, both SLA servers must fail to consider the SD-WAN member as dead. If either of them is reachable, the member is considered alive. So, in this scenario, the SD-WAN rule will not switch to the other interface if only one of the SLA servers is unreachable.

In way 2, just like you mentioned, it also works in the same way as way one.

In my production, I used way 2, because I also need visibility of each SLA's performance in FortiGate and FortiAnalyzer for both detect servers. If I add the two servers under a single SLA, then I don't have good visibility for each of the servers (as illustrated in Technical Tip: SD-WAN Performance SLA with Multiple Servers). And I don't want the SD-WAN to trigger the failover if only 1 SLA fails; instead I want the failover to occur when both SLAs fail (for 15 consecutive times, in my case).

Dhruvin_patel

Hello Sean,

In way 1: It is correct, it will not move to another interface if either of them is reachable.

In way 2: it will not move to another interface unless particular SLA categorically being used in sdwan rules.

Regards!

Dhruvin Patel
sean3

Thanks for the update, it is highly appreciated.

Now I am confused by way 2 from your reply. In my case I use both SLAs under the same SD-WAN rule; you can see all of them in the screenshot.

What is the difference from way 1?

sean3

Hello Dhruvin,

By saying "particular SLA categorically being used in sdwan rules", you meant 1 (out of 2) particular SLA being used in the SD-WAN rule. Am I understanding correctly?

In my case, both (2 out of 2) SLAs are used. So, it should work in the same way as way 1, right?

sean3

Hi Dhruvin,

Could you please look into my reply and share your idea. I did need your input, pleeeeeeeeeeeeeeease!

Love from your client
