Fortinet black logo

Handbook

Using the best quality strategy

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:949229
Download PDF

Using the best quality strategy

The best quality strategy is based on the performance of your network. You can configure SD-WAN rules to dynamically route traffic through the SD-WAN interfaces that have the best link quality. The FortiGate uses the server information that you configured for link health monitoring against the quality criteria that you configure.

The FortiGate can measure link quality based on latency, jitter, packet loss, or bandwidth. For example, you can use the bandwidth options to configure a rule for applications that are primarily used for download and another rule for applications that are primarily used for uploading.

Configure the best quality strategy – GUI
  1. Go to Network > SD-WAN Rules.
  2. Select Create New.
  3. In the Name field, enter a name for the rule.
  4. In the Source section, set any of the following source parameters for matching incoming traffic from your organization’s internal network:
  5. GUI option

    Description

    Additional configuration steps

    Source address

    Match traffic based on source IP address.

    1. Select +.
    2. In the Select Entries window, select one or more source IP addresses. Select Close.

    User group

    Match traffic based on users and user groups.

    1. Select +.
    2. In the Select Entries window, select one or more users and user groups. Select Close.
  6. In the Destination section, set any of the following destination parameters for matching incoming traffic from your organization’s internal network:
  7. GUI option

    Description

    Additional configuration steps

    Address

    Match traffic based on destination IP address, destination port number, and type of service (ToS).

    If you configure this option, you can’t configure Internet Service or Application options.

    1. Select +.
    2. In the Select Entries window, select one or more destination IP addresses. Select Close.
    3. In the Protocol number field, select TCP, UDP, ANY, or Specify.
    4. If you select TCP or UDP, specify a Port range.
    5. If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.

    Internet Service

    Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups.

    If you configure this option, you can’t configure the destination Address options.

    1. Select +.
    2. In the Select Entries window, select one or more Internet services or Internet service groups from the list.
    3. Select Close.

    Application

    Match traffic based on applications and application control groups.

    If you configure this option, you can’t configure the destination Address options.

    1. Select +.
    2. In the Select Entries window, select one or more applications or application control groups.
    3. Select Close.
  8. In the Outgoing Interfaces section, configure the following criteria for choosing which SD-WAN member interface to route traffic through:
  9. GUI option Description Additional configuration steps
    Strategy The strategy that you want the SD-WAN rules to use. Select Best Quality.
    Interface preference

    One or more interfaces, in order of priority, that you want the FortiGate to use.

    If you select more than one interface, the FortiGate uses the first interface in the list until the quality of that link falls below the quality of the next interface in the list. Then it uses the next interface in the list. You can configure the link quality threshold in the CLI. The default is 10%.

    Note that although the link-cost-threshold setting is defined as a percentage, you can set it to a value higher than 100%. For example, if you want the FortiGate to change interfaces only when the next link is at least five times better than the current link, set the link-cost-threshold value to 500.

    1. In the Interface preference field, select +.
    2. In the Select Entries window, select one or more interfaces. Select Close.
    3. Optionally, change the link quality threshold:

    config system virtual-wan-link

    config service

    edit <rule_id>

    set link-cost-threshold <percentage>

    next

    end

    end

    The range is 0 to 10000000. The default is 10.

    Measured SLA

    The name of the performance SLA that includes the servers that you want the FortiGate to use to measure the quality of the links.

    If you haven’t yet configured a performance SLA that you want to use, you can also use this option to create a new performance SLA.

    Select the name of the performance SLA from the drop-down list, or select + to create a new performance SLA. Select Close.
    Quality criteria

    The criteria that you want the FortiGate to use when it measures and compares the quality of the interfaces in the interface preference list, including latency, jitter, packet loss, downstream bandwidth, upstream bandwidth, and bidirectional bandwidth.

    You can also create a custom profile that allows you to use one or more of these as criteria. The FortiGate then uses the following formula to calculate link quality: (a*latency) + (b*jitter) + (c*packet loss) + (d/bandwidth). The larger the value, the more weight that criteria will have in the selection. Leave the weight value at zero to exclude that criteria from the equation.

    This field appears only if you select more than one interface in the Interface preference field.

    1. Select the criteria option that you want the FortiGate to use to measure the quality of the links.
    2. If you select custom-profile-1, set weights for each criteria in the latency-weight, jitter-weight, packet-loss-weight, and bandwidth-weight fields.
  10. Select OK.
  11. Go to Network > SD-WAN Rules to see the SD-WAN rules. You can drag and drop the rules to reorder them.
Configure the best quality strategy – CLI

In the CLI, an SD-WAN rule is called a service.

config system virtual-wan-link

config service

edit <rule_id>

set name <rule_name>

set addr-mode {ipv4 | ipv6}

next

end

end

Configure the source parameters:

CLI option

Description

Additional configuration steps

set {src | src6} <address_list>

This is the same as the Source address option in the GUI.

None

set groups <group_list>

This is the same as the User group option in the GUI.

None

Configure the destination parameters:

CLI option

Description

Additional configuration steps

set {dst | dst6} <address_list>

This is the same as the Address option in the GUI.

The address list or address group list.

None

set protocol <protocol_number>

This is the same as the Protocol number option in the GUI.

If you set a specific protocol, you might also need to set additional values, such as:

set start-port <port_number

set end-port <port_number>

set tos <bit_pattern>

set tos-mask <evaluated_bits>

For more information, see the FortiOS CLI Reference.

set internet-service enable

This is the same as the Internet Service and Application options in the GUI.

If you enable the internet-service option, set any of these options:

set internet-service-custom <name_list>

set internet-service-custom-group <group_list>

set internet-service-id <id_list>

set internet-service-group <group_list>

set internet-service-ctrl <id_list>

set internet-service-ctrl-group <group_list>

For more information, see the FortiOS CLI Reference.

Configure outgoing interface parameters:

CLI option

Description

Additional configuration steps

set mode priority

This is the same as the Best Quality in the GUI.

None

set priority-members <member_sequence_list>

This is the same as the Interface preference option in the GUI.

None

set health-check <sla_name>

This is the same as the Measured SLA option in the GUI.

None

set link-cost-factor {latency | jitter | packet-loss | inbandwidth | outbandwidth | bibandwidth | custom-profile-1}

This is the same as the Quality criteria option in the GUI.

If you set this to custom-profile-1, configure the following:

set latency-weight <weight>

set jitter-weight <weight>

set packet-loss-weight <weight>

set bandwidth <weight>

Using the best quality strategy

The best quality strategy is based on the performance of your network. You can configure SD-WAN rules to dynamically route traffic through the SD-WAN interfaces that have the best link quality. The FortiGate uses the server information that you configured for link health monitoring against the quality criteria that you configure.

The FortiGate can measure link quality based on latency, jitter, packet loss, or bandwidth. For example, you can use the bandwidth options to configure a rule for applications that are primarily used for download and another rule for applications that are primarily used for uploading.

Configure the best quality strategy – GUI
  1. Go to Network > SD-WAN Rules.
  2. Select Create New.
  3. In the Name field, enter a name for the rule.
  4. In the Source section, set any of the following source parameters for matching incoming traffic from your organization’s internal network:
  5. GUI option

    Description

    Additional configuration steps

    Source address

    Match traffic based on source IP address.

    1. Select +.
    2. In the Select Entries window, select one or more source IP addresses. Select Close.

    User group

    Match traffic based on users and user groups.

    1. Select +.
    2. In the Select Entries window, select one or more users and user groups. Select Close.
  6. In the Destination section, set any of the following destination parameters for matching incoming traffic from your organization’s internal network:
  7. GUI option

    Description

    Additional configuration steps

    Address

    Match traffic based on destination IP address, destination port number, and type of service (ToS).

    If you configure this option, you can’t configure Internet Service or Application options.

    1. Select +.
    2. In the Select Entries window, select one or more destination IP addresses. Select Close.
    3. In the Protocol number field, select TCP, UDP, ANY, or Specify.
    4. If you select TCP or UDP, specify a Port range.
    5. If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.

    Internet Service

    Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups.

    If you configure this option, you can’t configure the destination Address options.

    1. Select +.
    2. In the Select Entries window, select one or more Internet services or Internet service groups from the list.
    3. Select Close.

    Application

    Match traffic based on applications and application control groups.

    If you configure this option, you can’t configure the destination Address options.

    1. Select +.
    2. In the Select Entries window, select one or more applications or application control groups.
    3. Select Close.
  8. In the Outgoing Interfaces section, configure the following criteria for choosing which SD-WAN member interface to route traffic through:
  9. GUI option Description Additional configuration steps
    Strategy The strategy that you want the SD-WAN rules to use. Select Best Quality.
    Interface preference

    One or more interfaces, in order of priority, that you want the FortiGate to use.

    If you select more than one interface, the FortiGate uses the first interface in the list until the quality of that link falls below the quality of the next interface in the list. Then it uses the next interface in the list. You can configure the link quality threshold in the CLI. The default is 10%.

    Note that although the link-cost-threshold setting is defined as a percentage, you can set it to a value higher than 100%. For example, if you want the FortiGate to change interfaces only when the next link is at least five times better than the current link, set the link-cost-threshold value to 500.

    1. In the Interface preference field, select +.
    2. In the Select Entries window, select one or more interfaces. Select Close.
    3. Optionally, change the link quality threshold:

    config system virtual-wan-link

    config service

    edit <rule_id>

    set link-cost-threshold <percentage>

    next

    end

    end

    The range is 0 to 10000000. The default is 10.

    Measured SLA

    The name of the performance SLA that includes the servers that you want the FortiGate to use to measure the quality of the links.

    If you haven’t yet configured a performance SLA that you want to use, you can also use this option to create a new performance SLA.

    Select the name of the performance SLA from the drop-down list, or select + to create a new performance SLA. Select Close.
    Quality criteria

    The criteria that you want the FortiGate to use when it measures and compares the quality of the interfaces in the interface preference list, including latency, jitter, packet loss, downstream bandwidth, upstream bandwidth, and bidirectional bandwidth.

    You can also create a custom profile that allows you to use one or more of these as criteria. The FortiGate then uses the following formula to calculate link quality: (a*latency) + (b*jitter) + (c*packet loss) + (d/bandwidth). The larger the value, the more weight that criteria will have in the selection. Leave the weight value at zero to exclude that criteria from the equation.

    This field appears only if you select more than one interface in the Interface preference field.

    1. Select the criteria option that you want the FortiGate to use to measure the quality of the links.
    2. If you select custom-profile-1, set weights for each criteria in the latency-weight, jitter-weight, packet-loss-weight, and bandwidth-weight fields.
  10. Select OK.
  11. Go to Network > SD-WAN Rules to see the SD-WAN rules. You can drag and drop the rules to reorder them.
Configure the best quality strategy – CLI

In the CLI, an SD-WAN rule is called a service.

config system virtual-wan-link

config service

edit <rule_id>

set name <rule_name>

set addr-mode {ipv4 | ipv6}

next

end

end

Configure the source parameters:

CLI option

Description

Additional configuration steps

set {src | src6} <address_list>

This is the same as the Source address option in the GUI.

None

set groups <group_list>

This is the same as the User group option in the GUI.

None

Configure the destination parameters:

CLI option

Description

Additional configuration steps

set {dst | dst6} <address_list>

This is the same as the Address option in the GUI.

The address list or address group list.

None

set protocol <protocol_number>

This is the same as the Protocol number option in the GUI.

If you set a specific protocol, you might also need to set additional values, such as:

set start-port <port_number

set end-port <port_number>

set tos <bit_pattern>

set tos-mask <evaluated_bits>

For more information, see the FortiOS CLI Reference.

set internet-service enable

This is the same as the Internet Service and Application options in the GUI.

If you enable the internet-service option, set any of these options:

set internet-service-custom <name_list>

set internet-service-custom-group <group_list>

set internet-service-id <id_list>

set internet-service-group <group_list>

set internet-service-ctrl <id_list>

set internet-service-ctrl-group <group_list>

For more information, see the FortiOS CLI Reference.

Configure outgoing interface parameters:

CLI option

Description

Additional configuration steps

set mode priority

This is the same as the Best Quality in the GUI.

None

set priority-members <member_sequence_list>

This is the same as the Interface preference option in the GUI.

None

set health-check <sla_name>

This is the same as the Measured SLA option in the GUI.

None

set link-cost-factor {latency | jitter | packet-loss | inbandwidth | outbandwidth | bibandwidth | custom-profile-1}

This is the same as the Quality criteria option in the GUI.

If you set this to custom-profile-1, configure the following:

set latency-weight <weight>

set jitter-weight <weight>

set packet-loss-weight <weight>

set bandwidth <weight>