FortiGate
acvaldez
Staff
Article Id 194246

Description

 

This article describes how to configure SD-WAN with two WAN members and which diagnostic commands help check the SD-WAN routes and the status of the links.

 

Scope

 

Any supported version of FortiGate.

Solution


Configure the two WAN interfaces as members of an SD-WAN configuration.

 
Configure performance SLA that is used to check which is the best link to use.
 
 
Create a static default route pointed to the SD-WAN.
 
 
SD-WAN rule: make sure both WAN interfaces and the performance SLA 'PING' are selected in the rule, so that the performance SLA decides which ISP is the best link for each kind of traffic.
 
 
Diagnostic commands:
 
Run the following command to see all members of the SD-WAN interface, together with the gateway, priority and weight values of each link:
 
diag sys sdwan member
Member(1): interface: port2, gateway: 10.10.10.100, priority: 0, weight: 0
Member(2): interface: port3, gateway: 20.20.20.100, priority: 0, weight: 0
 
Run the following command to show which interface the performance SLA has made the best choice for the rule. In the example output below, the member order 'vwl_mbr_seq=2 1' lists member '2' (the WAN2 interface) ahead of member '1' (the WAN1 interface):
 
diag firewall proute list
list route policy info(vf=root):

id=2130837505 vwl_service=1(SDWAN-RULE-TEST) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=5 oif=4
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255

Run the following command to show the performance SLA values measured on each link. Since the latency of WAN1 (Seq 1) is higher than that of WAN2 (Seq 2) in the example below, WAN2 is the priority route for the SD-WAN rule 'SDWAN-RULE-TEST' shown in the 'diag firewall proute list' output:
 
diag sys sdwan health-check PING
Health Check(PING):
Seq(1): state(alive), packet-loss(0.000%) latency(60.223), jitter(9.280) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(60.155), jitter(9.318) sla_map=0x0

Run the following command to show how the SD-WAN rule itself evaluates its members:
 
diag sys sdwan service 1

Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-l
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(2), alive, packet loss: 0.000%, selected
    2: Seq_num(1), alive, packet loss: 0.000%, selected
  Src address:
        0.0.0.0-255.255.255.255
  Dst address:
        0.0.0.0-255.255.255.255       
 
In the output above, the service value '1' is the id of the SD-WAN rule 'SDWAN-RULE-TEST'.
This command shows the preferred route taken by the SD-WAN rule.
The quality criterion (link-cost-factor) chosen for the rule is 'PACKET LOSS'. Since no packet loss is measured on either WAN interface, the SD-WAN rule marks both members as 'selected'.
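As an added example (not part of the article or of FortiOS), the following Python parses the 'diag sys sdwan member' and 'diag sys sdwan health-check' output quoted above and reports which members a priority-mode rule would favour for a given link-cost-factor. The regular expressions are assumed from the output format shown in this article, and the sample strings are the article's own example lines pasted as constructed input.

```python
import re

# Constructed sample: the CLI output quoted in the article, pasted as strings.
MEMBER_OUTPUT = """\
Member(1): interface: port2, gateway: 10.10.10.100, priority: 0, weight: 0
Member(2): interface: port3, gateway: 20.20.20.100, priority: 0, weight: 0
"""
HEALTH_CHECK_OUTPUT = """\
Health Check(PING):
Seq(1): state(alive), packet-loss(0.000%) latency(60.223), jitter(9.280) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(60.155), jitter(9.318) sla_map=0x0
"""

# Regexes assumed from the output format shown in the article.
MEMBER_RE = re.compile(
    r"Member\((\d+)\): interface: (\S+), gateway: (\S+), priority: (\d+), weight: (\d+)")
SEQ_RE = re.compile(
    r"Seq\((\d+)\): state\((\w+)\), packet-loss\(([\d.]+)%\) "
    r"latency\(([\d.]+)\), jitter\(([\d.]+)\) sla_map=(0x[0-9a-fA-F]+)")


def parse_members(text):
    """Map member sequence number -> details from 'diag sys sdwan member'."""
    return {int(m[1]): {"interface": m[2], "gateway": m[3],
                        "priority": int(m[4]), "weight": int(m[5])}
            for m in MEMBER_RE.finditer(text)}

def parse_health_check(text):
    """Map member sequence number -> metrics from 'diag sys sdwan health-check'."""
    return {int(m[1]): {"state": m[2], "packet-loss": float(m[3]),
                        "latency": float(m[4]), "jitter": float(m[5]),
                        "sla_map": int(m[6], 16)}
            for m in SEQ_RE.finditer(text)}

def preferred_members(checks, metric):
    """Members a priority-mode rule favours for the given link-cost-factor: only
    alive members are eligible, and every member tied at the lowest value is kept
    (a tie is why both members show 'selected' in the article's service output)."""
    alive = {s: c for s, c in checks.items() if c["state"] == "alive"}
    if not alive:
        return []
    best = min(c[metric] for c in alive.values())
    return sorted(s for s, c in alive.items() if c[metric] == best)

def preferred_interfaces(member_text, check_text, metric):
    """Interface names of the preferred members, e.g. ['port3'] for 'latency'."""
    members = parse_members(member_text)
    checks = parse_health_check(check_text)
    return [members[s]["interface"] for s in preferred_members(checks, metric)]
```

With the article's numbers, 'packet-loss' returns both members (a tie at 0%), while 'latency' returns only port3 (Seq 2), matching the member order seen in the policy route.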
 
Run the following command to display a 10-minute usage history for each SD-WAN member:
 
diag sys sdwan intf-sla-log wan1
 

Subcommands available under 'diagnose sys sdwan':

diagnose sys sdwan
    member
    service
    route-tag-list
    route-tag-flush
    health-check
    neighbor
    log
    sla-log
    intf-sla-log
    internet-service-app-ctrl-list
    internet-service-app-ctrl-flush
    internet-service-app-ctrl-category-list
    reset
    zone
    route
    route6

 

Note: In version 6.4 and below, the 'diagnose sys sdwan' commands are instead 'diagnose sys virtual-wan-link'.

 

Related articles:

Technical Tip: How to configure source IP for Secure SD-WAN Performance SLA

Technical Tip: Different types of Health checks used in SD-WAN