Fortinet white logo
Fortinet white logo

Administration Guide

Passive health-check measurement by internet service and application

Passive health-check measurement by internet service and application

Active probing relies on checking the performance metrics of underlying infrastructure using layer 3 probes (ping) and layer 4 probes (tcp-echo, http, dns, and others) to provide limited information about an application's true performance.

Passive WAN health measurement uses passive probing to provide more realistic application performance information by collecting the performance metrics (jitter, latency, and packet loss) of live traffic that is passing through the firewall policies. See Passive WAN health measurement.

Different applications can have different performance on the same WAN link, depending on the application's implementation. Passive measurement can be used to measure the performance of different internet services/applications that use the same WAN link.

The following is required:

  1. Firewall policy configuration:

    • Enable passive WAN health measurement (set passive-wan-health-measurement enable).

    • Disable hardware offloading (set auto-asic-offload disable).

    • Use an application control security profile to identify applications.

  2. SD-WAN rule configuration:

    • Use passive or prefer passive performance SLA.

    • Use ISDB/application signatures or ISDB/application signature groups to identify applications.

    • Enable passive measurement (set passive-measurement enable).

If internet services or applications are defined in an SD-WAN rule with passive or prefer passive performance SLA , SLA information for each service or application will be differentiated and collected. SLA metrics (jitter, latency, and packet loss) on each SD-WAN member in the rule are then calculated based on the relevant internet service's or application's SLA information.

In this example, three SD-WAN rules are created:

  • Rule 1: Best quality (latency) using passive SLA for the internet services Alibaba and Amazon.

  • Rule 2: Best quality (latency) using passive SLA for the applications Netflix and YouTube.

  • Rule 3: Best quality (latency) using passive SLA for all other traffic.

After passive application measurement is enabled for rules one and two, the SLA metric of rule one is the average latency of the internet services Alibaba and Amazon, and the SLA metric of rule two is the average latency of the applications Netflix and YouTube.

To configure the SD-WAN:
  1. Configure the SD-WAN members:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "port15"
                set gateway 172.16.209.2
            next
        end
    end
  2. Configure the passive mode health check:

    config health-check
        edit "Passive_HC"
            set detect-mode passive
            set members 1 2
        next
    end
  3. Configure SD-WAN service rules:

    config service
        edit 1
            set name "1"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-name "Alibaba-Web" "Amazon-Web"
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    //Enable "passive application measurement", it is a new command which is introduced in this project.
        next
        edit 2
            set name "2"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 18155 31077
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    ////Enable "passive application measurement"
        next
        edit 3
            set name "3"
            set mode priority
            set dst "all"
            set src "172.16.205.0"
            set health-check "Passive_HC"
            set priority-members 1 2
        next
    end
  4. Configure SD-WAN routes:

    config router static
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
    end
  5. Configure the firewall policy with passive WAN health measurement enabled:

    config firewall policy
        edit 1
            set uuid 972345c6-1595-51ec-66c5-d705d266f712
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set passive-wan-health-measurement enable
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
            set auto-asic-offload disable
        next
    end
To verify the results:
  1. On the PC, open the browser and visit the internet services and applications.

  2. On the FortiGate, check the collected SLA information to confirm that each server or application on the SD-WAN members was measured individually:

    # diagnose sys link-monitor-passive admin list by-interface
    
    Interface dmz (5):
           Default(0x00000000): latency=3080.0  11:57:54, jitter=5.0     11:58:08, pktloss=0.0  % NA
       Alibaba-Web(0x00690001): latency=30.0    11:30:06, jitter=25.0    11:29:13, pktloss=0.0  % NA
           YouTube(0x00007965): latency=100.0   12:00:35, jitter=2.5     12:00:30, pktloss=0.0  % NA
           Netflix(0x000046eb): latency=10.0    11:31:24, jitter=10.0    11:30:30, pktloss=0.0  % NA
        Amazon-Web(0x00060001): latency=80.0    11:31:52, jitter=35.0    11:32:07, pktloss=0.0  % NA
    
    Interface port15 (27):
           Default(0x00000000): latency=100.0   12:00:42, jitter=0.0     12:00:42, pktloss=0.0  % NA
        Amazon-Web(0x00060001): latency=30.0    11:56:05, jitter=0.0     11:55:21, pktloss=0.0  % NA
       Alibaba-Web(0x00690001): latency=0.0     11:26:08, jitter=35.0    11:27:08, pktloss=0.0  % NA
           YouTube(0x00007965): latency=100.0   11:33:34, jitter=0.0     11:33:50, pktloss=0.0  % NA
           Netflix(0x000046eb): latency=0.0     11:26:29, jitter=0.0     11:29:03, pktloss=0.0  % NA
    Note

    The Default(0x00000000) applications are other, unidentified applications that do not have ISDB or application signatures configured in SD-WAN rules. The latency of default/application is taken into account in per SD-WAN rule calculations only if passive‑measurement is disabled in any one of the SD-WAN rules.

  3. Verify that the SLA metrics on the members are calculated as expected:

    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 15.000, selected           // Average latency of "Alibaba-Web" and "Amazon-Web" on port15:     15.000 = (0.0+30.0)/2
        2: Seq_num(1 dmz), alive, latency: 55.000, selected              // Average latency of "Alibaba-Web" and "Amazon-Web" on dmz:         55.000 = (30.0+80.0)/2
      Internet Service(2): Alibaba-Web(6881281,0,0,0) Amazon-Web(393217,0,0,0)
      Src address(1):
            172.16.205.0-172.16.205.255
    
    Service(2): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(1 dmz), alive, latency: 55.000, selected               // Average latency of "Netflix" and "YouTube" on dmz:        55.000 = (10.0+100.0)/2
        2: Seq_num(2 port15), alive, latency: 50.000, selected           // Average latency of "Netflix" and "YouTube" on port15:     50.000 = (0.0+100.0)/2 
      Internet Service(2): Netflix(4294837427,0,0,0 18155) YouTube(4294838283,0,0,0 31077)
      Src address(1):
            172.16.205.0-172.16.205.255
    
    Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(9), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 46.000, selected          // Average latency of all TCP traffic on port15:       46   = (100.0+30.0+0.0+100.0+0.0)/5
        2: Seq_num(1 dmz), alive, latency: 660.000, selected           // Average latency of all TCP traffic on dmz:           660 = (3080.0+30.0+100.0+10.0+80.0)/5
      Src address(1):
            172.16.205.0-172.16.205.255
    
      Dst address(1):
            0.0.0.0-255.255.255.255
Note

The latency on each member interface per SD-WAN rule is the average of the latency of the application identified by respective SD-WAN rules.

The SLA metrics listed for each member interface per SD-WAN rule shown by the diagnose sys sdwan service command are derived from the output of the SLA information for the applications shown in the output of the diagnose sys link‑monitor‑passive admin list by‑interface command.

Until the applications are identified, their SLA metrics are not used to calculate SLA metrics for each member per SD-WAN rule. Applications are identified only when there is (or was) any application traffic passing through a member interface.

Passive health-check measurement by internet service and application

Passive health-check measurement by internet service and application

Active probing relies on checking the performance metrics of underlying infrastructure using layer 3 probes (ping) and layer 4 probes (tcp-echo, http, dns, and others) to provide limited information about an application's true performance.

Passive WAN health measurement uses passive probing to provide more realistic application performance information by collecting the performance metrics (jitter, latency, and packet loss) of live traffic that is passing through the firewall policies. See Passive WAN health measurement.

Different applications can have different performance on the same WAN link, depending on the application's implementation. Passive measurement can be used to measure the performance of different internet services/applications that use the same WAN link.

The following is required:

  1. Firewall policy configuration:

    • Enable passive WAN health measurement (set passive-wan-health-measurement enable).

    • Disable hardware offloading (set auto-asic-offload disable).

    • Use an application control security profile to identify applications.

  2. SD-WAN rule configuration:

    • Use passive or prefer passive performance SLA.

    • Use ISDB/application signatures or ISDB/application signature groups to identify applications.

    • Enable passive measurement (set passive-measurement enable).

If internet services or applications are defined in an SD-WAN rule with passive or prefer passive performance SLA , SLA information for each service or application will be differentiated and collected. SLA metrics (jitter, latency, and packet loss) on each SD-WAN member in the rule are then calculated based on the relevant internet service's or application's SLA information.

In this example, three SD-WAN rules are created:

  • Rule 1: Best quality (latency) using passive SLA for the internet services Alibaba and Amazon.

  • Rule 2: Best quality (latency) using passive SLA for the applications Netflix and YouTube.

  • Rule 3: Best quality (latency) using passive SLA for all other traffic.

After passive application measurement is enabled for rules one and two, the SLA metric of rule one is the average latency of the internet services Alibaba and Amazon, and the SLA metric of rule two is the average latency of the applications Netflix and YouTube.

To configure the SD-WAN:
  1. Configure the SD-WAN members:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "port15"
                set gateway 172.16.209.2
            next
        end
    end
  2. Configure the passive mode health check:

    config health-check
        edit "Passive_HC"
            set detect-mode passive
            set members 1 2
        next
    end
  3. Configure SD-WAN service rules:

    config service
        edit 1
            set name "1"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-name "Alibaba-Web" "Amazon-Web"
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    //Enable "passive application measurement", it is a new command which is introduced in this project.
        next
        edit 2
            set name "2"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 18155 31077
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    ////Enable "passive application measurement"
        next
        edit 3
            set name "3"
            set mode priority
            set dst "all"
            set src "172.16.205.0"
            set health-check "Passive_HC"
            set priority-members 1 2
        next
    end
  4. Configure SD-WAN routes:

    config router static
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
    end
  5. Configure the firewall policy with passive WAN health measurement enabled:

    config firewall policy
        edit 1
            set uuid 972345c6-1595-51ec-66c5-d705d266f712
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set passive-wan-health-measurement enable
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
            set auto-asic-offload disable
        next
    end
To verify the results:
  1. On the PC, open the browser and visit the internet services and applications.

  2. On the FortiGate, check the collected SLA information to confirm that each server or application on the SD-WAN members was measured individually:

    # diagnose sys link-monitor-passive admin list by-interface
    
    Interface dmz (5):
           Default(0x00000000): latency=3080.0  11:57:54, jitter=5.0     11:58:08, pktloss=0.0  % NA
       Alibaba-Web(0x00690001): latency=30.0    11:30:06, jitter=25.0    11:29:13, pktloss=0.0  % NA
           YouTube(0x00007965): latency=100.0   12:00:35, jitter=2.5     12:00:30, pktloss=0.0  % NA
           Netflix(0x000046eb): latency=10.0    11:31:24, jitter=10.0    11:30:30, pktloss=0.0  % NA
        Amazon-Web(0x00060001): latency=80.0    11:31:52, jitter=35.0    11:32:07, pktloss=0.0  % NA
    
    Interface port15 (27):
           Default(0x00000000): latency=100.0   12:00:42, jitter=0.0     12:00:42, pktloss=0.0  % NA
        Amazon-Web(0x00060001): latency=30.0    11:56:05, jitter=0.0     11:55:21, pktloss=0.0  % NA
       Alibaba-Web(0x00690001): latency=0.0     11:26:08, jitter=35.0    11:27:08, pktloss=0.0  % NA
           YouTube(0x00007965): latency=100.0   11:33:34, jitter=0.0     11:33:50, pktloss=0.0  % NA
           Netflix(0x000046eb): latency=0.0     11:26:29, jitter=0.0     11:29:03, pktloss=0.0  % NA
    Note

    The Default(0x00000000) applications are other, unidentified applications that do not have ISDB or application signatures configured in SD-WAN rules. The latency of default/application is taken into account in per SD-WAN rule calculations only if passive‑measurement is disabled in any one of the SD-WAN rules.

  3. Verify that the SLA metrics on the members are calculated as expected:

    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 15.000, selected           // Average latency of "Alibaba-Web" and "Amazon-Web" on port15:     15.000 = (0.0+30.0)/2
        2: Seq_num(1 dmz), alive, latency: 55.000, selected              // Average latency of "Alibaba-Web" and "Amazon-Web" on dmz:         55.000 = (30.0+80.0)/2
      Internet Service(2): Alibaba-Web(6881281,0,0,0) Amazon-Web(393217,0,0,0)
      Src address(1):
            172.16.205.0-172.16.205.255
    
    Service(2): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(1 dmz), alive, latency: 55.000, selected               // Average latency of "Netflix" and "YouTube" on dmz:        55.000 = (10.0+100.0)/2
        2: Seq_num(2 port15), alive, latency: 50.000, selected           // Average latency of "Netflix" and "YouTube" on port15:     50.000 = (0.0+100.0)/2 
      Internet Service(2): Netflix(4294837427,0,0,0 18155) YouTube(4294838283,0,0,0 31077)
      Src address(1):
            172.16.205.0-172.16.205.255
    
    Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(9), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 46.000, selected          // Average latency of all TCP traffic on port15:       46   = (100.0+30.0+0.0+100.0+0.0)/5
        2: Seq_num(1 dmz), alive, latency: 660.000, selected           // Average latency of all TCP traffic on dmz:           660 = (3080.0+30.0+100.0+10.0+80.0)/5
      Src address(1):
            172.16.205.0-172.16.205.255
    
      Dst address(1):
            0.0.0.0-255.255.255.255
Note

The latency on each member interface per SD-WAN rule is the average of the latency of the application identified by respective SD-WAN rules.

The SLA metrics listed for each member interface per SD-WAN rule shown by the diagnose sys sdwan service command are derived from the output of the SLA information for the applications shown in the output of the diagnose sys link‑monitor‑passive admin list by‑interface command.

Until the applications are identified, their SLA metrics are not used to calculate SLA metrics for each member per SD-WAN rule. Applications are identified only when there is (or was) any application traffic passing through a member interface.