Fortinet white logo
Fortinet white logo

Cookbook

SD-WAN rules - lowest cost (SLA)

SD-WAN rules - lowest cost (SLA)

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • auto: Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interface are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules - best quality.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules - maximize bandwidth (SLA).

When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN will choose the lowest cost link that satisfies SLA to forward traffic.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link quality must meet a standard of latency: 10ms, and jitter: 5ms.

To configure an SD-WAN rule to use Lowest Cost (SLA):
  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface for details.
  2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and Jitter threshold = 5ms. See Performance SLA - link monitoring.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:

    Field

    Setting

    Internet Service

    Google-Gmail

    Strategy

    Lowest Cost (SLA)

    Interface preference

    wan1 and wan2

    Required SLA target

    google#1 (created in step 2).

  7. Click OK to create the rule.
To configure an SD-WAN rule to use sla:
config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
            set cost 10
        next
        edit 2
            set interface "wan2"
            set cost 5
        next
    end

    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode sla
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
To diagnose the Performance SLA status:
FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0

    TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
    Members:<<BR>>

        1: Seq_num(2), alive, sla(0x1), cfg_order(1), selected
        2: Seq_num(1), alive, sla(0x1), cfg_order(0), selected

    Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will only use wan2. If only wan1 meets the SLA requirements, Gmail traffic will only use wan1, even though it has a higher cost. If neither interface meets the requirements, wan2 will be used.

If both interface had the same cost and both met the SLA requirements, the first link configured in set priority-members would be used.

Related Videos

sidebar video

SDWAN Rule Improvements: Cost Parameter

  • 1,871 views
  • 5 years ago

SD-WAN rules - lowest cost (SLA)

SD-WAN rules - lowest cost (SLA)

SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of five modes:

  • auto: Interfaces are assigned a priority based on quality.
  • Manual (manual): Interfaces are manually assigned a priority.
  • Best Quality (priority): Interface are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules - best quality.
  • Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings.
  • Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules - maximize bandwidth (SLA).

When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN will choose the lowest cost link that satisfies SLA to forward traffic.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link quality must meet a standard of latency: 10ms, and jitter: 5ms.

To configure an SD-WAN rule to use Lowest Cost (SLA):
  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface for details.
  2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and Jitter threshold = 5ms. See Performance SLA - link monitoring.
  3. Go to Network > SD-WAN Rules.
  4. Click Create New. The Priority Rule page opens.
  5. Enter a name for the rule, such as gmail.
  6. Configure the following settings:

    Field

    Setting

    Internet Service

    Google-Gmail

    Strategy

    Lowest Cost (SLA)

    Interface preference

    wan1 and wan2

    Required SLA target

    google#1 (created in step 2).

  7. Click OK to create the rule.
To configure an SD-WAN rule to use sla:
config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
            set cost 10
        next
        edit 2
            set interface "wan2"
            set cost 5
        next
    end

    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode sla
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
To diagnose the Performance SLA status:
FGT # diagnose sys virtual-wan-link health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys virtual-wan-link service 1
Service(1): Address Mode(IPV4) flags=0x0

    TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
    Members:<<BR>>

        1: Seq_num(2), alive, sla(0x1), cfg_order(1), selected
        2: Seq_num(1), alive, sla(0x1), cfg_order(0), selected

    Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will only use wan2. If only wan1 meets the SLA requirements, Gmail traffic will only use wan1, even though it has a higher cost. If neither interface meets the requirements, wan2 will be used.

If both interface had the same cost and both met the SLA requirements, the first link configured in set priority-members would be used.