FortiGate
abarushka
Staff
Article Id 192268

Description
This article explains how to configure a Performance SLA with TWAMP probes.

Solution
Two-Way Active Measurement Protocol (TWAMP) defines a standard for measuring round-trip network performance between any two devices that support the TWAMP protocols.
The TWAMP-Control protocol is used to set up performance measurement sessions. It can be configured only via the CLI.


The TWAMP architecture is composed of the following four logical entities that are responsible for starting a monitoring session and exchanging packets:

- The control-client sets up, starts, and stops TWAMP-Test sessions.
- The session-sender instantiates TWAMP-Test packets that are sent to the session-reflector.
- The session-reflector reflects a measurement packet upon receiving a TWAMP-Test packet. The session-reflector does not collect packet statistics in TWAMP.
- The TWAMP server is an end system that manages one or more TWAMP sessions and is also capable of configuring per-session ports in the endpoints. The server listens on the TCP port. The session-reflector and server make up the TWAMP responder in an IP SLAs operation.

Configuration on the firewalls

FGT-1 as TWAMP Client:

# config system virtual-wan-link
    config health-check
        edit SLA_TWAMP
            set server 1.1.1.1
            set protocol twamp
            set port 8008
            set security-mode authentication
            set password xxx
            set interval 500
            set packet-size 64
            set members 1 2 3                <----- seq-num: member sequence numbers.
        next
    end
end

FGT-DC as TWAMP Server:

# config system probe-response
    set mode twamp
    set port 8008
    set security-mode authentication
    set password XXX
end
# config system interface
    edit port5
        set ip 1.1.1.1 255.255.255.0
        set allowaccess (…) probe-response (…)
    next
end

Both units should be in the same time zone:

# config system global
    set timezone <time zone value should be the same on both units>
end
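
The client and responder settings above only work as a pair, so the following added example (not part of the original article) checks two configuration texts against each other: protocol and mode, port, security mode, `probe-response` in `allowaccess`, and the probe target matching the responder interface IP. The sample configurations are constructed from the blocks above (with `ping` filled in as an assumed second `allowaccess` value), and `settings` and `check_pair` are hypothetical helper names.

```python
import re

# Constructed sample configs modelled on the client and server blocks above.
CLIENT_CFG = """\
config system virtual-wan-link
    config health-check
        edit SLA_TWAMP
            set server 1.1.1.1
            set protocol twamp
            set port 8008
            set security-mode authentication
        next
    end
end
"""
SERVER_CFG = """\
config system probe-response
    set mode twamp
    set port 8008
    set security-mode authentication
end
config system interface
    edit port5
        set ip 1.1.1.1 255.255.255.0
        set allowaccess ping probe-response
    next
end
"""

def settings(cfg):
    """Flatten 'set <key> <value...>' lines into a dict of token lists."""
    pattern = r"^[ \t]*set[ \t]+(\S+)[ \t]+(.+)$"
    return {m[1]: m[2].split() for m in re.finditer(pattern, cfg, re.M)}

def check_pair(client_cfg, server_cfg):
    """Return a list of mismatches between the TWAMP client and responder."""
    c, s = settings(client_cfg), settings(server_cfg)
    problems = []
    if c.get("protocol") != ["twamp"] or s.get("mode") != ["twamp"]:
        problems.append("both sides must use twamp")
    if c.get("port") != s.get("port"):
        problems.append("port mismatch")
    if c.get("security-mode") != ["authentication"] or s.get("security-mode") != ["authentication"]:
        problems.append("security-mode is not authentication on both sides")
    if "probe-response" not in s.get("allowaccess", []):
        problems.append("probe-response missing from allowaccess")
    if c.get("server", [None])[0] != s.get("ip", [None])[0]:
        problems.append("health-check server is not the responder interface IP")
    return problems
```

Because the parser flattens every `set` line into one dictionary, pass it text containing a single health-check entry and a single interface entry at a time.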


Results:

# diag sys virtual-wan-link health-check <performance-sla-name>
Health Check(SLA_TWAMP_FGTDC):
Seq(4): state(alive), packet-loss(0.000%) latency(87.813), jitter(19.177) sla_map=0x0
Seq(5): state(alive), packet-loss(0.000%) latency(109.494), jitter(11.875) sla_map=0x0
Seq(6): state(alive), packet-loss(0.000%) latency(90.026), jitter(16.318) sla_map=0x0




