
Administration Guide

Dynamic application steering with lowest cost and best quality strategies

In this example, the SD-WAN has three members: two ISPs (DIA_1 and DIA_2) that are used for access to internet applications, and an MPLS link that is used exclusively as a backup for business critical applications.

Business applications, such as Office365, Google, Dropbox, and SIP, use the Lowest Cost (SLA) strategy to provide application steering, and traffic falls back to MPLS only if both ISP links (DIA_1 and DIA_2) are down. Non-business applications, such as Facebook and YouTube, use the Best Quality strategy to choose between the ISPs.

To configure the SD-WAN members, static route, and firewall policy in the GUI:
  1. Add port1 (DIA_1), port2 (DIA_2), and port3 (MPLS) as SD-WAN members. Set the cost of DIA_1 and DIA_2 to 0, and MPLS to 20. See Configuring the SD-WAN interface for details.

  2. Configure a static route. See Adding a static route for details.
  3. Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See Configuring firewall policies for SD-WAN for details.
To configure the SD-WAN rule and performance SLA checks for business critical applications in the GUI:
  1. Go to Network > SD-WAN Rules, and click Create New.
  2. Set the name to BusinessCriticalApps.

    This rule will steer your business critical traffic to the appropriate link based on the Lowest Cost (SLA).

  3. Set Source address to all.
  4. Under Destination, set Application to your required applications. In this example: Microsoft.Office.365, Microsoft.Office.Online, Google.Docs, Dropbox, and SIP.
  5. Under Outgoing Interfaces, select Lowest Cost (SLA).

    The lowest cost is defined in the SD-WAN member interface settings (see Configuring the SD-WAN interface). The lowest possible cost is 0, which represents the most preferred link. In this example, DIA_1 and DIA_2 both have a cost of 0, while MPLS has a cost of 20 because it is used for backup.

  6. In Interface preference, add the interfaces in order of preference when the cost of the links is tied. In this example, DIA_1, DIA_2, then MPLS.

    MPLS will always be chosen last, because it has the highest cost. DIA_1 and DIA_2 have the same cost, so an interface is selected based on their order in the Interface preference list.

  7. Set Required SLA target to ensure that only links that pass your SLA target are chosen in this SD-WAN rule:
    1. Click in the Required SLA target field.
    2. In the Select Entries pane, click Create. The New Performance SLA pane opens.
    3. Set Name to BusinessCritical_HC.

      This health check is used for business critical applications in your SD-WAN rule.

    4. Leave Protocol set to Ping, and add up to two servers, such as office.com and google.com.
    5. Set Participants to Specify, and add all three interfaces: DIA_1, DIA_2, and MPLS.
    6. Enable SLA Target.

      The attributes in your target determine the quality of your link. The SLA target of each link is compared when determining which link to use based on the lowest cost. Links that meet the SLA target are preferred over links that fail, and move to the next step of selection based on cost. If no links meet the SLA target, then they all move to the next step.

      In this example, disable Latency threshold and Jitter threshold, and set Packet loss threshold to 1.

    7. Click OK.
    8. Select the new performance SLA to set it as the Required SLA target.

    When multiple SLA targets are added, you can choose which target to use in the SD-WAN rule.

  8. Click OK to create the SD-WAN rule.
To configure the SD-WAN rule and performance SLA checks for non-business critical applications in the GUI:
  1. Go to Network > SD-WAN Rules, and click Create New.
  2. Set the name to NonBusinessCriticalApps.

    This rule will steer your non-business critical traffic to the appropriate link based on the Best Quality. No SLA target needs to be met, because the best link is selected based on the configured quality criteria and the interface preference order.

  3. Set Source address to all.
  4. Under Destination, set Application to your required applications. In this example: Facebook and YouTube.
  5. Under Outgoing Interfaces, select Best Quality.
  6. In Interface preference, add the interfaces in order of preference.

    By default, a more preferred link has an advantage of 10% over a less preferred link. For example, when latency is used, the preferred link’s calculated latency = real latency / (1+10%).

    Tooltip

    The preferred link advantage can be customized in the CLI when the mode is priority (Best Quality) or auto:

    config system sdwan
        config service
            edit <id>
                set link-cost-threshold <integer>
            next
        end
    end
    
  7. Create and apply a new performance SLA profile:
    1. Click in the Measured SLA field.
    2. In the drop-down list, click Create. The New Performance SLA pane opens.
    3. Set Name to NonBusinessCritical_HC.

      This health check is used for non-business critical applications in your SD-WAN rule.

    4. Leave Protocol set to Ping, and add up to two servers, such as youtube.com and facebook.com.
    5. Set Participants to Specify, and add the DIA_1 and DIA_2 interfaces. In this example, MPLS is not used for non-business critical applications.
    6. Leave SLA Target disabled.
    7. Click OK.
    8. Select the new performance SLA from the list to set it as the Measured SLA.
  8. Set Quality criteria as required. In this example, Latency is selected.

    For bandwidth related criteria, such as Downstream, Upstream, and Bandwidth (bi-directional), the selection is based on available bandwidth. An estimated bandwidth should be configured on the interface to provide a baseline for the maximum available bandwidth.

  9. Click OK to create the SD-WAN rule.
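As an added illustration (not code from the Fortinet guide), the following Python script models the member selection described in the two rules above: Lowest Cost (SLA) with the packet-loss target from step 7, and Best Quality on latency with the 10% preferred-link advantage from step 6. Member, SlaTarget and the two selection functions are assumed names, and the sample values are constructed from the health-check output shown in the Verification section.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed model of an SD-WAN member's health-check state (not FortiOS code).
@dataclass
class Member:
    name: str           # interface alias, e.g. "DIA_1"
    alive: bool         # health check state(alive) vs state(dead)
    cost: int           # member cost: 0 is most preferred, MPLS is 20 here
    packet_loss: float  # percent, as in packet-loss(0.000%)
    latency: float      # ms
    jitter: float       # ms

@dataclass
class SlaTarget:
    packet_loss: Optional[float] = None  # None = threshold disabled
    latency: Optional[float] = None
    jitter: Optional[float] = None

    def met_by(self, m: Member) -> bool:
        """A dead link never meets the target; an enabled threshold must not be exceeded."""
        if not m.alive:
            return False
        checks = [(self.packet_loss, m.packet_loss), (self.latency, m.latency),
                  (self.jitter, m.jitter)]
        return all(limit is None or value <= limit for limit, value in checks)

def lowest_cost_sla(members: List[Member], preference: List[str],
                    target: SlaTarget) -> List[str]:
    """Lowest Cost (SLA): alive links that meet the SLA target rank ahead of alive
    links that fail it; within each group order by cost, ties by preference list.
    If no link meets the target, all of them go straight to the cost comparison."""
    rank = {name: i for i, name in enumerate(preference)}
    alive = [m for m in members if m.alive]
    passing = [m for m in alive if target.met_by(m)]
    failing = [m for m in alive if not target.met_by(m)]
    def by_cost(m: Member):
        return (m.cost, rank[m.name])
    return [m.name for m in sorted(passing, key=by_cost) + sorted(failing, key=by_cost)]

def best_quality(members: List[Member], preference: List[str],
                 link_cost_threshold: int = 10) -> Optional[str]:
    """Best Quality on latency: walk the preference list; a less preferred link only
    displaces the current choice when its real latency is below the preferred link's
    calculated latency, real latency / (1 + link-cost-threshold%)."""
    rank = {name: i for i, name in enumerate(preference)}
    alive = sorted((m for m in members if m.alive), key=lambda m: rank[m.name])
    if not alive:
        return None
    best = alive[0]
    for m in alive[1:]:
        if m.latency < best.latency / (1 + link_cost_threshold / 100):
            best = m
    return best.name

# Constructed sample: values copied from the diagnose output in the Verification section.
PREFERENCE = ["DIA_1", "DIA_2", "MPLS"]
BUSINESS_TARGET = SlaTarget(packet_loss=1)  # latency and jitter thresholds disabled
BUSINESS_HC = [Member("DIA_1", True, 0, 0.0, 12.884, 0.919),
               Member("DIA_2", True, 0, 0.0, 13.018, 0.723),
               Member("MPLS", True, 20, 0.0, 13.018, 0.923)]
NONBUSINESS_HC = [Member("DIA_1", True, 0, 0.0, 5.712, 0.953),
                  Member("DIA_2", True, 0, 0.0, 5.511, 0.830)]

def demo():
    healthy = lowest_cost_sla(BUSINESS_HC, PREFERENCE, BUSINESS_TARGET)
    # DIA_1 exceeding the 1% packet-loss target drops behind every link that still passes
    lossy = [Member("DIA_1", True, 0, 2.5, 12.9, 0.9)] + BUSINESS_HC[1:]
    degraded = lowest_cost_sla(lossy, PREFERENCE, BUSINESS_TARGET)
    # both ISP links dead: only now does MPLS carry business traffic
    isps_down = [Member("DIA_1", False, 0, 100.0, 0.0, 0.0),
                 Member("DIA_2", False, 0, 100.0, 0.0, 0.0), BUSINESS_HC[2]]
    fallback = lowest_cost_sla(isps_down, PREFERENCE, BUSINESS_TARGET)
    # DIA_2 is faster by 3.5%, inside the 10% advantage, so preferred DIA_1 keeps the traffic
    quality = best_quality(NONBUSINESS_HC, PREFERENCE[:2])
    return healthy, degraded, fallback, quality

if __name__ == "__main__":
    print(demo())
```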
To configure the SD-WAN members, static route, and firewall policy in the CLI:
  1. Configure the interfaces:
    config system interface 
        edit "port1"
            set ip <class_ip&net_netmask>
            set alias "DIA_1"
            set role wan
        next
        edit "port2"
            set ip <class_ip&net_netmask>
            set alias "DIA_2"
            set role wan
        next
        edit "port3"
            set ip <class_ip&net_netmask>
            set alias "MPLS"
            set role wan
        next
    end
  2. Configure the SD-WAN members:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port1"
                set gateway 172.16.20.2
            next
            edit 2
                set interface "port2"
                set gateway 172.17.80.2
            next
            edit 3
                set interface "port3"
                set gateway 10.100.20.2
                set cost 20
            next
        end
    end
    
    Note

    If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

  3. Configure a static route. See Adding a static route for details.
  4. Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See Configuring firewall policies for SD-WAN for details.
To configure the SD-WAN rule and performance SLA checks for business critical applications in the CLI:
  1. Configure the BusinessCriticalApps_HC health-check:
    config system sdwan
        config health-check
            edit "BusinessCriticalApps_HC"
                set server "office.com" "google.com"
                set members 1 2 3
                config sla
                    edit 1
                        set link-cost-factor packet-loss
                        set packetloss-threshold 1
                    next
                end
            next
        end
    end
  2. Configure the BusinessCriticalApps service to use Lowest Cost (SLA):
    config system sdwan
        config service
            edit 1
                set name "BusinessCriticalApps"
                set mode sla
                set src "all"
                set internet-service enable
                set internet-service-app-ctrl 17459 16541 33182 16177 34640
                config sla
                    edit "BusinessCriticalApps_HC"
                        set id 1
                    next
                end
                set priority-members 1 2 3
            next
        end
    end
To configure the SD-WAN rule and performance SLA checks for non-business critical applications in the CLI:
  1. Configure the NonBusinessCriticalApps_HC health-check:
    config system sdwan
        config health-check
            edit "NonBusinessCriticalApps_HC"
                set server "youtube.com" "facebook.com"
                set members 1 2
            next
        end
    end
  2. Configure the NonBusinessCriticalApps service to use Best Quality (priority mode):
    config system sdwan
        config service
            edit 4
                set name "NonBusinessCriticalApps"
                set mode priority
                set src "all"
                set internet-service enable
                set internet-service-app-ctrl 15832 31077
                set health-check "NonBusinessCriticalApps_HC"
                set priority-members 1 2
            next
        end
    end

Verification

Check the following GUI pages, and run the following CLI commands to confirm that your traffic is being steered by the SD-WAN rules.

Health checks

To verify the status of each of the health checks in the GUI:
  1. Go to Network > Performance SLA and select each of the health checks from the list.

To verify the status of each of the health checks in the CLI:
# diagnose sys sdwan health-check 
Health Check(BusinessCritical_HC): 
Seq(1 port1): state(alive), packet-loss(0.000%) latency(12.884), jitter(0.919) sla_map=0x1
Seq(2 port2): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.723) sla_map=0x1
Seq(3 port3): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.923) sla_map=0x1
Health Check(NonBusinessCritical_HC): 
Seq(1 port1): state(alive), packet-loss(0.000%) latency(6.888), jitter(0.953) sla_map=0x0
Seq(2 port2): state(alive), packet-loss(0.000%) latency(6.805), jitter(0.830) sla_map=0x0

Rule members and hit count

To verify the active members and hit count of the SD-WAN rule in the GUI:
  1. Go to Network > SD-WAN Rules.

    The interface that is currently selected by the rule has a checkmark next to its name in the Members column. Hover the cursor over the checkmark to open a tooltip that gives the reason why that member is selected. If multiple members are selected, only the highest ranked member is highlighted (unless the mode is Maximize Bandwidth (SLA)).

To verify the active members and hit count of the SD-WAN rule in the CLI:
# diagnose sys sdwan service 
 
Service(3): Address Mode(IPV4) flags=0x0
  Gen(13), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members: 
    1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2 port2), alive, sla(0x1), cfg_order(1), cost(0), selected
    3: Seq_num(3 port3), alive, sla(0x1), cfg_order(2), cost(20), selected
  Internet Service: Dropbox(4294836727,0,0,0 17459) Google.Docs(4294836992,0,0,0 16541) Microsoft.Office.365(4294837472,0,0,0 33182) Microsoft.Office.Online(4294837475,0,0,0 16177) SIP(4294837918,0,0,0 34640) 
  Src address: 
	0.0.0.0-255.255.255.255
 
Service(4): Address Mode(IPV4) flags=0x0
  Gen(211), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(NonBusinessCritical_HC)
  Members: 
    1: Seq_num(1 port1), alive, latency: 5.712, selected
    2: Seq_num(2 port2), alive, latency: 5.511, selected
  Internet Service: Facebook(4294836806,0,0,0 15832) YouTube(4294838537,0,0,0 31077) 
  Src address: 
	0.0.0.0-255.255.255.255

Applications and sessions

To verify sessions in FortiView:
  1. Go to a dashboard and add the Top Cloud Applications by Bytes widget. See Cloud application view for details.
  2. Drill down on an application, such as YouTube, then select the Sessions tab.

To verify applications identified by Application Control in SD-WAN:
# diagnose sys sdwan internet-service-app-ctrl-list

Facebook(15832 4294836697): 31.13.67.20 6 443 Fri April 17 22:33:39 2020
Facebook(15832 4294836697): 31.13.67.35 6 443 Fri April 17 22:33:41 2020
Facebook(15832 4294836697): 31.13.70.36 6 443 Fri April 17 22:36:41 2020
Facebook(15832 4294836697): 157.240.11.22 6 443 Fri April 17 22:36:42 2020
Facebook(15832 4294836697): 157.240.11.35 6 443 Fri April 17 22:36:41 2020
YouTube(31077 4294838227): 172.217.24.150 6 443 Fri April 17 22:32:16 2020
YouTube(31077 4294838227): 172.217.25.78 6 443 Fri April 17 22:32:16 2020
YouTube(31077 4294838227): 216.58.220.129 6 443 Fri April 17 22:32:34 2020 
