Dynamic application steering with lowest cost and best quality strategies
In this example, the SD-WAN has three members: two ISPs (DIA_1 and DIA_2) that are used for access to internet applications, and an MPLS link that is used exclusively as a backup for business critical applications.
Business applications, such as Office365, Google, Dropbox, and SIP, use the Lowest Cost (SLA) strategy to provide application steering, and traffic falls back to MPLS only if both ISP links (DIA_1 and DIA_2) are down. Non-business applications, such as Facebook and YouTube, use the Best Quality strategy to choose between the ISPs.
To configure the SD-WAN members, static route, and firewall policy in the GUI:
- Add port1 (DIA_1), port2 (DIA_2), and port3 (MPLS) as SD-WAN members. Set the cost of DIA_1 and DIA_2 to 0, and MPLS to 20. See Configuring the SD-WAN interface for details.
- Configure a static route. See Adding a static route for details.
- Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See Configuring firewall policies for SD-WAN for details.
To configure the SD-WAN rule and performance SLA checks for business critical applications in the GUI:
- Go to Network > SD-WAN Rules, and click Create New.
- Set the name to BusinessCriticalApps.
This rule will steer your business critical traffic to the appropriate link based on the Lowest Cost (SLA).
- Set Source address to all.
- Under Destination, set Application to your required applications. In this example: Microsoft.Office.365, Microsoft.Office.Online, Google.Docs, Dropbox, and SIP.
- Under Outgoing Interfaces, select Lowest Cost (SLA).
The lowest cost is defined in the SD-WAN member interface settings (see Configuring the SD-WAN interface). The lowest possible cost is 0, which represents the most preferred link. In this example, DIA_1 and DIA_2 both have a cost of 0, while MPLS has a cost of 20 because it is used for backup.
- In Interface preference, add the interfaces in order of preference when the cost of the links is tied. In this example, DIA_1, DIA_2, then MPLS.
MPLS will always be chosen last, because it has the highest cost. DIA_1 and DIA_2 have the same cost, so an interface is selected based on their order in the Interface preference list.
- Set Required SLA target to ensure that only links that pass your SLA target are chosen in this SD-WAN rule:
- Click in the Required SLA target field.
- In the Select Entries pane, click Create. The New Performance SLA pane opens.
- Set Name to BusinessCritical_HC.
This health check is used for business critical applications in your SD-WAN rule.
- Leave Protocol set to Ping, and add up to two servers, such as office.com and google.com.
- Set Participants to Specify, and add all three interfaces: DIA_1, DIA_2, and MPLS.
- Enable SLA Target.
The attributes in your target determine the quality of your link. The SLA target of each link is compared when determining which link to use based on the lowest cost. Links that meet the SLA target are preferred over links that fail, and move to the next step of selection based on cost. If no links meet the SLA target, then they all move to the next step.
In this example, disable Latency threshold and Jitter threshold, and set Packet loss threshold to 1.
- Click OK.
- Select the new performance SLA to set it as the Required SLA target.
When multiple SLA targets are added, you can choose which target to use in the SD-WAN rule.
- Click OK to create the SD-WAN rule.
To configure the SD-WAN rule and performance SLA checks for non-business critical applications in the GUI:
- Go to Network > SD-WAN Rules, and click Create New.
- Set the name to NonBusinessCriticalApps.
This rule will steer your non-business critical traffic to the appropriate link based on the Best Quality. No SLA target needs to be met, because the best link is selected based on the configured quality criteria and the interface preference order.
- Set Source address to all.
- Under Destination, set Application to your required applications. In this example: Facebook, and Youtube.
- Under Outgoing Interfaces, select Best Quality.
- In Interface preference, add the interfaces in order of preference.
By default, a more preferred link has an advantage of 10% over a less preferred link. For example, when latency is used, the preferred link’s calculated latency = real latency / (1+10%).
The preferred link advantage can be customized in the CLI when the mode is priority (Best Quality) or auto:
    config system sdwan
        config service
            edit <id>
                set link-cost-threshold <integer>
            next
        end
    end
- Create and apply a new performance SLA profile:
- Click in the Measured SLA field.
- In the drop-down list, click Create. The New Performance SLA pane opens.
- Set Name to NonBusinessCritical_HC.
This health check is used for non-business critical applications in your SD-WAN rule.
- Leave Protocol set to Ping, and add up to two servers, such as youtube.com and facebook.com.
- Set Participants to Specify, and add the DIA_1 and DIA_2 interfaces. In this example, MPLS is not used for non-business critical applications.
- Leave SLA Target disabled.
- Click OK.
- Select the new performance SLA from the list to set it as the Measured SLA.
- Set Quality criteria as required. In this example, Latency is selected.
For bandwidth related criteria, such as Downstream, Upstream, and Bandwidth (bi-directional), the selection is based on available bandwidth. An estimated bandwidth should be configured on the interface to provide a baseline for the maximum available bandwidth.
- Click OK to create the SD-WAN rule.
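The two selection strategies described above (Lowest Cost (SLA) with its SLA-target step and interface-preference tie-break, and Best Quality with the 10% preferred-link advantage) can be modelled in a few lines. This is an added example, not FortiOS code: the member figures are constructed from the verification output on this page, and the Best Quality walk down the preference list is an assumed simplification of how the advantage is applied.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Member:
    name: str
    cost: int            # SD-WAN member cost; 0 is the most preferred
    alive: bool          # health-check state
    packet_loss: float   # percent, from the health check
    latency: float       # milliseconds, from the health check

def meets_sla(m: Member, loss_threshold: float) -> bool:
    # Packet-loss-only target, as in BusinessCritical_HC (latency/jitter disabled)
    return m.alive and m.packet_loss <= loss_threshold

def lowest_cost_sla(members: List[Member], loss_threshold: float) -> Optional[str]:
    """Lowest Cost (SLA): members are passed in Interface preference order."""
    alive = [m for m in members if m.alive]
    if not alive:
        return None
    passing = [m for m in alive if meets_sla(m, loss_threshold)]
    candidates = passing or alive   # if none pass the SLA, they all move on
    # min() keeps the first of equal-cost members, so list order breaks ties
    return min(candidates, key=lambda m: m.cost).name

def best_quality_latency(members: List[Member], threshold_pct: int = 10) -> Optional[str]:
    """Best Quality on latency, modelled (assumption) as a walk down the list:
    the current winner keeps a threshold_pct advantage, latency / (1 + pct/100),
    and a later link replaces it only if its real latency beats that figure."""
    winner, winner_adj = None, 0.0
    for m in members:
        if not m.alive:
            continue
        if winner is None or m.latency < winner_adj:
            winner, winner_adj = m, m.latency / (1 + threshold_pct / 100)
    return winner.name if winner else None

# Constructed sample using the latency figures from the verification output
DIA_1 = Member("port1", 0, True, 0.0, 5.712)
DIA_2 = Member("port2", 0, True, 0.0, 5.511)
MPLS = Member("port3", 20, True, 0.0, 13.018)

if __name__ == "__main__":
    print(lowest_cost_sla([DIA_1, DIA_2, MPLS], 1))   # port1: tie on cost, first in list
    print(best_quality_latency([DIA_1, DIA_2]))       # port1: 5.511 does not beat 5.712/1.1
```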
To configure the SD-WAN members, static route, and firewall policy in the CLI:
- Configure the interfaces:
    config system interface
        edit "port1"
            set ip <class_ip&net_netmask>
            set alias "DIA_1"
            set role wan
        next
        edit "port2"
            set ip <class_ip&net_netmask>
            set alias "DIA_2"
            set role wan
        next
        edit "port3"
            set ip <class_ip&net_netmask>
            set alias "MPLS"
            set role wan
        next
    end
- Configure the SD-WAN members:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port1"
                set gateway 172.16.20.2
            next
            edit 2
                set interface "port2"
                set gateway 172.17.80.2
            next
            edit 3
                set interface "port3"
                set gateway 10.100.20.2
                set cost 20
            next
        end
    end
If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.
- Configure a static route. See Adding a static route for details.
- Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See Configuring firewall policies for SD-WAN for details.
To configure the SD-WAN rule and performance SLA checks for business critical applications in the CLI:
- Configure the BusinessCriticalApps_HC health-check:
    config system sdwan
        config health-check
            edit "BusinessCriticalApps_HC"
                set server "office.com" "google.com"
                set members 1 2 3
                config sla
                    edit 1
                        set link-cost-factor packet-loss
                        set packetloss-threshold 1
                    next
                end
            next
        end
    end
- Configure the BusinessCriticalApps service to use Lowest Cost (SLA):
    config system sdwan
        config service
            edit 1
                set name "BusinessCriticalApps"
                set mode sla
                set src "all"
                set internet-service enable
                set internet-service-app-ctrl 17459 16541 33182 16177 34640
                config sla
                    edit "BusinessCriticalApps_HC"
                        set id 1
                    next
                end
                set priority-members 1 2 3
            next
        end
    end
To configure the SD-WAN rule and performance SLA checks for non-business critical applications in the CLI:
- Configure the NonBusinessCriticalApps_HC health-check:
    config system sdwan
        config health-check
            edit "NonBusinessCriticalApps_HC"
                set server "youtube.com" "facebook.com"
                set members 1 2
            next
        end
    end
- Configure the NonBusinessCriticalApps service to use Best Quality (mode priority):
    config system sdwan
        config service
            edit 4
                set name "NonBusinessCriticalApps"
                set mode priority
                set src "all"
                set internet-service enable
                set internet-service-app-ctrl 15832 31077
                set health-check "NonBusinessCriticalApps_HC"
                set priority-members 1 2
            next
        end
    end
Verification
Check the following GUI pages, and run the following CLI commands to confirm that your traffic is being steered by the SD-WAN rules.
Health checks
To verify the status of each of the health checks in the GUI:
- Go to Network > Performance SLA and select each of the health checks from the list.
To verify the status of each of the health checks in the CLI:
    # diagnose sys sdwan health-check
    Health Check(BusinessCritical_HC):
    Seq(1 port1): state(alive), packet-loss(0.000%) latency(12.884), jitter(0.919) sla_map=0x1
    Seq(2 port2): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.723) sla_map=0x1
    Seq(3 port3): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.923) sla_map=0x1
    Health Check(NonBusinessCritical_HC):
    Seq(1 port1): state(alive), packet-loss(0.000%) latency(6.888), jitter(0.953) sla_map=0x0
    Seq(2 port2): state(alive), packet-loss(0.000%) latency(6.805), jitter(0.830) sla_map=0x0
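When this check is run regularly (for example from a monitoring host over SSH), the output above can be parsed to flag members that are dead or that no longer meet their SLA target. This is an added example, not part of the FortiOS documentation: the sample text is constructed in the same format as the output above, with port3 and one port2 entry altered to show failures, and it assumes that bit n-1 of sla_map is set when SLA entry n is met (consistent with sla_map=0x1 for SLA id 1 above).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `diagnose sys sdwan health-check`;
# port3 in the first check and port2 in the second are altered to fail
SAMPLE = """\
Health Check(BusinessCritical_HC):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(12.884), jitter(0.919) sla_map=0x1
Seq(2 port2): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.723) sla_map=0x1
Seq(3 port3): state(alive), packet-loss(2.500%) latency(13.018), jitter(0.923) sla_map=0x0
Health Check(NonBusinessCritical_HC):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(6.888), jitter(0.953) sla_map=0x0
Seq(2 port2): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000) sla_map=0x0
"""

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
SEQ_RE = re.compile(
    r"^Seq\((?P<seq>\d+) (?P<intf>\S+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<lat>[\d.]+)\), "
    r"jitter\((?P<jit>[\d.]+)\) sla_map=0x(?P<sla>[0-9a-fA-F]+)"
)

def parse_health_check(text: str) -> Dict[str, List[dict]]:
    """Return {health_check_name: [member dicts]} from the diagnose output."""
    result: Dict[str, List[dict]] = {}
    current: Optional[List[dict]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HC_RE.match(line):
            current = result.setdefault(m["name"], [])
        elif (m := SEQ_RE.match(line)) and current is not None:
            current.append({"intf": m["intf"], "alive": m["state"] == "alive",
                            "loss": float(m["loss"]), "latency": float(m["lat"]),
                            "jitter": float(m["jit"]), "sla_map": int(m["sla"], 16)})
    return result

def failing_members(text: str, sla_targets: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """(health check, interface, reason) for dead members, plus members of a
    check listed in sla_targets whose sla_map lacks the bit for that SLA id.
    Checks without an SLA target (sla_map is always 0x0) are only tested for liveness."""
    out = []
    for hc, members in parse_health_check(text).items():
        for mem in members:
            if not mem["alive"]:
                out.append((hc, mem["intf"], "dead"))
            elif hc in sla_targets and not mem["sla_map"] & (1 << (sla_targets[hc] - 1)):
                out.append((hc, mem["intf"], "sla miss"))
    return out

if __name__ == "__main__":
    print(failing_members(SAMPLE, {"BusinessCritical_HC": 1}))
```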
Rule members and hit count
To verify the active members and hit count of the SD-WAN rule in the GUI:
- Go to Network > SD-WAN Rules.
The interface that is currently selected by the rule has a checkmark next to its name in the Members column. Hover the cursor over the checkmark to open a tooltip that gives the reason why that member is selected. If multiple members are selected, only the highest ranked member is highlighted (unless the mode is Maximize Bandwidth (SLA)).
To verify the active members and hit count of the SD-WAN rule in the CLI:
    # diagnose sys sdwan service
    Service(3): Address Mode(IPV4) flags=0x0
      Gen(13), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members:
        1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
        2: Seq_num(2 port2), alive, sla(0x1), cfg_order(1), cost(0), selected
        3: Seq_num(3 port3), alive, sla(0x1), cfg_order(2), cost(20), selected
      Internet Service: Dropbox(4294836727,0,0,0 17459) Google.Docs(4294836992,0,0,0 16541) Microsoft.Office.365(4294837472,0,0,0 33182) Microsoft.Office.Online(4294837475,0,0,0 16177) SIP(4294837918,0,0,0 34640)
      Src address: 0.0.0.0-255.255.255.255
    Service(4): Address Mode(IPV4) flags=0x0
      Gen(211), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(NonBusinessCritical_HC)
      Members:
        1: Seq_num(1 port1), alive, latency: 5.712, selected
        2: Seq_num(2 port2), alive, latency: 5.511, selected
      Internet Service: Facebook(4294836806,0,0,0 15832) YouTube(4294838537,0,0,0 31077)
      Src address: 0.0.0.0-255.255.255.255
Applications and sessions
To verify sessions in FortiView:
- Go to a dashboard and add the Top Cloud Applications by Bytes widget. See Cloud application view for details.
- Drill down on an application, such as YouTube, then select the Sessions tab.
To verify applications identified by Application Control in SD-WAN:
    # diagnose sys sdwan internet-service-app-ctrl-list
    Facebook(15832 4294836697): 31.13.67.20 6 443 Fri April 17 22:33:39 2020
    Facebook(15832 4294836697): 31.13.67.35 6 443 Fri April 17 22:33:41 2020
    Facebook(15832 4294836697): 31.13.70.36 6 443 Fri April 17 22:36:41 2020
    Facebook(15832 4294836697): 157.240.11.22 6 443 Fri April 17 22:36:42 2020
    Facebook(15832 4294836697): 157.240.11.35 6 443 Fri April 17 22:36:41 2020
    YouTube(31077 4294838227): 172.217.24.150 6 443 Fri April 17 22:32:16 2020
    YouTube(31077 4294838227): 172.217.25.78 6 443 Fri April 17 22:32:16 2020
    YouTube(31077 4294838227): 216.58.220.129 6 443 Fri April 17 22:32:34 2020