Passive health-check measurement by internet service and application
Active probing checks the performance of the underlying infrastructure with layer 3 probes (ping) and higher-layer probes (tcp-echo, http, dns, and others). Because the probe traffic is synthetic, it gives only limited information about an application's true performance.
Passive WAN health measurement uses passive probing to provide more realistic application performance information by collecting the performance metrics (jitter, latency, and packet loss) of live traffic that is passing through the firewall policies. See Passive WAN health measurement.
Different applications can have different performance on the same WAN link, depending on the application's implementation. Passive measurement can be used to measure the performance of different internet services/applications that use the same WAN link.
The following is required:

- Firewall policy configuration:
  - Enable passive WAN health measurement (set passive-wan-health-measurement enable).
  - Disable hardware offloading (set auto-asic-offload disable).
  - Use an application control security profile to identify applications.
- SD-WAN rule configuration:
  - Use a passive or prefer passive performance SLA.
  - Use ISDB/application signatures or ISDB/application signature groups to identify applications.
  - Enable passive measurement (set passive-measurement enable).
If internet services or applications are defined in an SD-WAN rule that uses a passive or prefer passive performance SLA, SLA information is collected and kept separate for each service or application. The SLA metrics (jitter, latency, and packet loss) of each SD-WAN member in the rule are then calculated only from the SLA information of the internet services or applications that the rule matches.
In this example, three SD-WAN rules are created:

- Rule 1: Best quality (latency) using passive SLA for the internet services Alibaba and Amazon.
- Rule 2: Best quality (latency) using passive SLA for the applications Netflix and YouTube.
- Rule 3: Best quality (latency) using passive SLA for all other traffic.

After passive application measurement is enabled for rules one and two, the SLA metric of rule one is the average latency of the internet services Alibaba and Amazon, and the SLA metric of rule two is the average latency of the applications Netflix and YouTube.
To configure the SD-WAN:

1. Configure the SD-WAN members:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "port15"
                set gateway 172.16.209.2
            next
        end
    end

2. Configure the passive mode health check:

    config health-check
        edit "Passive_HC"
            set detect-mode passive
            set members 1 2
        next
    end

3. Configure the SD-WAN service rules. Rules 1 and 2 enable passive application measurement; rule 3 does not, so it is measured on all traffic:

    config service
        edit 1
            set name "1"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-name "Alibaba-Web" "Amazon-Web"
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    // Enable passive application measurement
        next
        edit 2
            set name "2"
            set mode priority
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 18155 31077
            set health-check "Passive_HC"
            set priority-members 1 2
            set passive-measurement enable    // Enable passive application measurement
        next
        edit 3
            set name "3"
            set mode priority
            set dst "all"
            set src "172.16.205.0"
            set health-check "Passive_HC"
            set priority-members 1 2
        next
    end

4. Configure the SD-WAN route:

    config router static
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
    end

5. Configure the firewall policy with passive WAN health measurement enabled, hardware offloading disabled, and an application control profile applied so that applications can be identified:

    config firewall policy
        edit 1
            set uuid 972345c6-1595-51ec-66c5-d705d266f712
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set passive-wan-health-measurement enable
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
            set auto-asic-offload disable
        next
    end
To verify the results:

1. On the PC, open a browser and visit the internet services and applications.

2. On the FortiGate, check the collected SLA information to confirm that each service or application on each SD-WAN member was measured individually:

    # diagnose sys link-monitor-passive admin list by-interface
    Interface dmz (5):
      Default(0x00000000): latency=3080.0 11:57:54, jitter=5.0 11:58:08, pktloss=0.0 % NA
      Alibaba-Web(0x00690001): latency=30.0 11:30:06, jitter=25.0 11:29:13, pktloss=0.0 % NA
      YouTube(0x00007965): latency=100.0 12:00:35, jitter=2.5 12:00:30, pktloss=0.0 % NA
      Netflix(0x000046eb): latency=10.0 11:31:24, jitter=10.0 11:30:30, pktloss=0.0 % NA
      Amazon-Web(0x00060001): latency=80.0 11:31:52, jitter=35.0 11:32:07, pktloss=0.0 % NA
    Interface port15 (27):
      Default(0x00000000): latency=100.0 12:00:42, jitter=0.0 12:00:42, pktloss=0.0 % NA
      Amazon-Web(0x00060001): latency=30.0 11:56:05, jitter=0.0 11:55:21, pktloss=0.0 % NA
      Alibaba-Web(0x00690001): latency=0.0 11:26:08, jitter=35.0 11:27:08, pktloss=0.0 % NA
      YouTube(0x00007965): latency=100.0 11:33:34, jitter=0.0 11:33:50, pktloss=0.0 % NA
      Netflix(0x000046eb): latency=0.0 11:26:29, jitter=0.0 11:29:03, pktloss=0.0 % NA

    The Default(0x00000000) entry covers other, unidentified traffic that matches no ISDB or application signature configured in an SD-WAN rule. The Default latency is included in a rule's per-member calculation only when passive-measurement is disabled in that rule (rule 3 in this example); rules with passive-measurement enabled ignore it.

3. Verify that the SLA metrics on the members are calculated as expected:

    # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 15.000, selected   // Average latency of "Alibaba-Web" and "Amazon-Web" on port15: 15.000 = (0.0+30.0)/2
        2: Seq_num(1 dmz), alive, latency: 55.000, selected      // Average latency of "Alibaba-Web" and "Amazon-Web" on dmz: 55.000 = (30.0+80.0)/2
      Internet Service(2): Alibaba-Web(6881281,0,0,0) Amazon-Web(393217,0,0,0)
      Src address(1): 172.16.205.0-172.16.205.255

    Service(2): Address Mode(IPV4) flags=0x600 use-shortcut-sla
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(1 dmz), alive, latency: 55.000, selected      // Average latency of "Netflix" and "YouTube" on dmz: 55.000 = (10.0+100.0)/2
        2: Seq_num(2 port15), alive, latency: 50.000, selected   // Average latency of "Netflix" and "YouTube" on port15: 50.000 = (0.0+100.0)/2
      Internet Service(2): Netflix(4294837427,0,0,0 18155) YouTube(4294838283,0,0,0 31077)
      Src address(1): 172.16.205.0-172.16.205.255

    Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(9), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
      Members(2):
        1: Seq_num(2 port15), alive, latency: 46.000, selected   // Average latency of all TCP traffic on port15: 46 = (100.0+30.0+0.0+100.0+0.0)/5
        2: Seq_num(1 dmz), alive, latency: 660.000, selected     // Average latency of all TCP traffic on dmz: 660 = (3080.0+30.0+100.0+10.0+80.0)/5
      Src address(1): 172.16.205.0-172.16.205.255
      Dst address(1): 0.0.0.0-255.255.255.255

    The latency shown for each member interface per SD-WAN rule is the average latency of the applications identified by that rule. Until an application has been identified, its SLA metrics are not used in the per-member calculation for the rule; an application is identified only once some of its traffic has passed (or is passing) through a member interface. Note that rule 1 and rule 2 each select port15, whereas the Default-dominated average of rule 3 would have made dmz look far worse than it is for Alibaba, Amazon, Netflix, or YouTube traffic.
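The per-rule averaging above is easy to get wrong when reading the two diagnose outputs side by side. The following script is an added example, not Fortinet code or part of the original page: it parses the `diagnose sys link-monitor-passive admin list by-interface` output format shown above from a constructed sample (the same values as the captured output, re-typed here) and recomputes each rule's per-member latency the way the page describes: rules with passive-measurement enabled average only their own identified services or applications and skip any that have not yet been seen on a member; a rule without passive-measurement averages every entry on the member, including Default. The function names, the treatment of a not-yet-identified application as simply absent, and the `best_member` tie-break are assumptions for illustration, not documented FortiOS behaviour.

```python
import re
from statistics import mean

# Constructed sample of `diagnose sys link-monitor-passive admin list by-interface`
# output, re-typed from the example above (not captured from a live device).
SAMPLE_OUTPUT = """\
Interface dmz (5):
  Default(0x00000000): latency=3080.0 11:57:54, jitter=5.0 11:58:08, pktloss=0.0 % NA
  Alibaba-Web(0x00690001): latency=30.0 11:30:06, jitter=25.0 11:29:13, pktloss=0.0 % NA
  YouTube(0x00007965): latency=100.0 12:00:35, jitter=2.5 12:00:30, pktloss=0.0 % NA
  Netflix(0x000046eb): latency=10.0 11:31:24, jitter=10.0 11:30:30, pktloss=0.0 % NA
  Amazon-Web(0x00060001): latency=80.0 11:31:52, jitter=35.0 11:32:07, pktloss=0.0 % NA
Interface port15 (27):
  Default(0x00000000): latency=100.0 12:00:42, jitter=0.0 12:00:42, pktloss=0.0 % NA
  Amazon-Web(0x00060001): latency=30.0 11:56:05, jitter=0.0 11:55:21, pktloss=0.0 % NA
  Alibaba-Web(0x00690001): latency=0.0 11:26:08, jitter=35.0 11:27:08, pktloss=0.0 % NA
  YouTube(0x00007965): latency=100.0 11:33:34, jitter=0.0 11:33:50, pktloss=0.0 % NA
  Netflix(0x000046eb): latency=0.0 11:26:29, jitter=0.0 11:29:03, pktloss=0.0 % NA
"""

IFACE_RE = re.compile(r"^Interface (\S+) \(\d+\):")
# name(0xid): latency=<ms> <time>, jitter=<ms> <time>, pktloss=<pct> %
ENTRY_RE = re.compile(
    r"^\s*([\w.-]+)\((0x[0-9a-fA-F]+)\):\s*latency=([\d.]+) \S+, "
    r"jitter=([\d.]+) \S+, pktloss=([\d.]+) %"
)


def parse_passive_sla(text):
    """Return {interface: {app_name: {'latency', 'jitter', 'pktloss'}}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            app, _app_id, lat, jit, loss = m.groups()
            result[current][app] = {
                "latency": float(lat), "jitter": float(jit), "pktloss": float(loss),
            }
    return result


def rule_metric(sla, members, apps, passive_measurement, metric="latency"):
    """Per-member metric for one SD-WAN rule (hypothetical helper).

    passive_measurement=True  -> average only the rule's own apps that have
                                 already been identified on that member.
    passive_measurement=False -> average every entry on the member, Default
                                 included (what rule 3 above shows).
    A member with no usable sample yields None.
    """
    out = {}
    for member in members:
        table = sla.get(member, {})
        if passive_measurement:
            samples = [table[a][metric] for a in apps if a in table]
        else:
            samples = [v[metric] for v in table.values()]
        out[member] = mean(samples) if samples else None
    return out


def best_member(metrics):
    """Lowest-latency member among those with a sample (assumed tie-break: dict order)."""
    usable = {m: v for m, v in metrics.items() if v is not None}
    return min(usable, key=usable.get) if usable else None


if __name__ == "__main__":
    sla = parse_passive_sla(SAMPLE_OUTPUT)
    members = ["dmz", "port15"]
    rules = {
        "rule1": (["Alibaba-Web", "Amazon-Web"], True),
        "rule2": (["Netflix", "YouTube"], True),
        "rule3": ([], False),
    }
    for name, (apps, pm) in rules.items():
        m = rule_metric(sla, members, apps, pm)
        print(name, m, "->", best_member(m))
```

Running the script reproduces the three `diagnose sys sdwan service` results (port15 at 15 ms vs dmz at 55 ms for rule 1, 50 vs 55 for rule 2, 46 vs 660 for rule 3). The useful check it adds is the edge case the last paragraph describes: pass an application name that does not appear in the output and it contributes nothing to the average, and a member with no identified application for the rule reports None rather than a misleading zero.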