Using the minimum quality SLA strategy
The minimum quality SLA strategy uses criteria that you configure to determine which SD-WAN links to use. The FortiGate follows SD-WAN rules to route traffic through the SD-WAN interfaces that meet the latency, jitter, and packet loss criteria that you configure in the SLA targets associated with the rules.
You can configure one or more SLA targets for each performance SLA. There are situations where you might want to create multiple SLA targets in one performance SLA. For example, you might want to do this if you’re in a branch office and use different applications that run on the same server at your company headquarters. You can create one performance SLA to perform the health check for the server, and then have different SLA targets for different applications, with strict rules for some applications and lenient rules for other applications. However, if applications are running on different servers, you should create a separate performance SLA for each application so that the health check is performed on the server that hosts that application. In this case, each performance SLA requires only one SLA target for its application.
Configuring the minimum quality SLA strategy – GUI
You configure minimum quality SLA by performing the following tasks:
1. Configure SLA targets.
2. Configure SD-WAN rules to use SLA targets.
Configure SLA targets – GUI
- Go to Network > Performance SLA.
- Select the performance SLA that you want to use and select Edit.
You configure performance SLAs when you configure link health monitoring. See Configuring link health monitoring for more information.
- In the SLA Targets section, select + to add one or more targets. Specify one or more of the following SLA criteria for each target:
GUI option | Description | Additional configuration steps |
---|---|---|
Latency threshold | The maximum amount of latency that’s acceptable on the interface. | |
Jitter threshold | The maximum amount of jitter that’s acceptable on the interface. | |
Packet loss threshold | The maximum percentage of packet loss that’s acceptable on the interface. | |
- Select OK.
Configure SD-WAN rules to use SLA targets – GUI
- Go to Network > SD-WAN Rules.
- Select Create New.
- In the Name field, enter a name for the rule.
- In the Source section, set any of the following source parameters for matching incoming traffic from your organization’s internal network:
GUI option | Description | Additional configuration steps |
---|---|---|
Source address | Match traffic based on source IP address. | |
User group | Match traffic based on users and user groups. | |
- In the Destination section, set any of the following destination parameters for matching incoming traffic from your organization’s internal network:
GUI option | Description | Additional configuration steps |
---|---|---|
Address | Match traffic based on destination IP address, destination port number, and type of service (ToS). If you configure this option, you can’t configure Internet Service or Application options. | |
Internet Service | Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups. If you configure this option, you can’t configure the destination Address options. | |
Application | Match traffic based on applications and application control groups. If you configure this option, you can’t configure the destination Address options. | |
- In the Outgoing Interfaces section, configure the following criteria for choosing which SD-WAN member interface to route traffic through:
GUI option | Description | Additional configuration steps |
---|---|---|
Strategy | The strategy that you want the SD-WAN rules to use. | Select Minimum Quality (SLA). |
Interface preference | One or more interfaces, in order of priority, that you want the FortiGate to use. If you select more than one interface, the FortiGate evaluates the links from the top down. If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality link. If at any time, the current link doesn’t meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiGate changes to that link, and so on. If none of the links meet the SLA criteria, the FortiGate uses the preferred link, which is the first link in the configuration, regardless of its performance. The FortiGate continually checks the links to see if any of them meet the SLA criteria. | |
Required SLA target | The name of the SLA target that you want the FortiGate to use to measure the quality of the links. If you haven’t yet configured a performance SLA that you want to use, you can also use this option to create a new performance SLA. | |
- Select OK.
- Go to Network > SD-WAN Rules to see the SD-WAN rules. You can drag and drop the rules to reorder them.
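The link selection described for the Interface preference option can be modeled in a few lines. The following is an added example, not Fortinet code: it is a point-in-time model that ignores probe timing, the interface names and measurements are constructed, and treating a measurement equal to the threshold as passing is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SlaTarget:
    # None = criterion not configured for this target.
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    packet_loss_pct: Optional[float] = None


@dataclass
class LinkHealth:
    name: str
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float


def meets_sla(link: LinkHealth, target: SlaTarget) -> bool:
    # Assumption: a measurement equal to the threshold still passes.
    pairs = [
        (link.latency_ms, target.latency_ms),
        (link.jitter_ms, target.jitter_ms),
        (link.packet_loss_pct, target.packet_loss_pct),
    ]
    return all(limit is None or measured <= limit for measured, limit in pairs)


def select_link(preference: List[LinkHealth], target: SlaTarget) -> Tuple[str, bool]:
    """Return (chosen interface, whether it meets the SLA target)."""
    if not preference:
        raise ValueError("interface preference list is empty")
    for link in preference:  # evaluated from the top down
        if meets_sla(link, target):
            return link.name, True
    # No link qualifies: fall back to the first (preferred) link anyway.
    return preference[0].name, False


# Constructed sample data: one SLA target and three sets of measurements.
TARGET = SlaTarget(latency_ms=100, jitter_ms=20, packet_loss_pct=2)
ALL_GOOD = [LinkHealth("wan1", 40, 5, 0.1), LinkHealth("wan2", 20, 2, 0.0)]
WAN1_BAD = [LinkHealth("wan1", 180, 5, 0.1), LinkHealth("wan2", 20, 2, 0.0)]
ALL_BAD = [LinkHealth("wan1", 180, 5, 0.1), LinkHealth("wan2", 150, 30, 4.0)]

if __name__ == "__main__":
    for label, links in (("all good", ALL_GOOD), ("wan1 bad", WAN1_BAD), ("all bad", ALL_BAD)):
        print(label, select_link(links, TARGET))
```

The third case is the one to watch operationally: traffic stays on the first link even though no link meets the target.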
Configure the minimum quality SLA strategy – CLI
Configure SLA targets – CLI
    config system virtual-wan-link
        config health-check
            edit <health_check_name>
                config sla
                    edit <sla_id>
                        set link-cost-factor {latency | jitter | packet-loss}
                        set latency-threshold <milliseconds>
                        set jitter-threshold <milliseconds>
                        set packetloss-threshold <percentage>
                    next
                end
            next
        end
    end
Configure SD-WAN rules to use SLA targets – CLI
In the CLI, an SD-WAN rule is called a service.
    config system virtual-wan-link
        config service
            edit <rule_id>
                set name <rule_name>
                set addr-mode {ipv4 | ipv6}
            next
        end
    end
Configure the source parameters:
CLI option | Description | Additional configuration steps |
---|---|---|
set {src | src6} <address_list> | This is the same as the Source address option in the GUI. | None |
set groups <group_list> | This is the same as the User group option in the GUI. | None |
Configure the destination parameters:
CLI option | Description | Additional configuration steps |
---|---|---|
set {dst | dst6} <address_list> | This is the same as the Address option in the GUI. The address list or address group list. | None |
set protocol <protocol_number> | This is the same as the Protocol number option in the GUI. | If you set a specific protocol, you might also need to set additional values, such as: set start-port <port_number>, set end-port <port_number>, set tos <bit_pattern>, set tos-mask <evaluated_bits>. For more information, see the FortiOS CLI Reference. |
set internet-service enable | This is the same as the Internet Service and Application options in the GUI. | If you enable the internet-service option, set any of these options: set internet-service-custom <name_list>, set internet-service-custom-group <group_list>, set internet-service-id <id_list>, set internet-service-group <group_list>, set internet-service-ctrl <id_list>, set internet-service-ctrl-group <group_list>. For more information, see the FortiOS CLI Reference. |
Configure outgoing interface parameters:
CLI option | Description | Additional configuration steps |
---|---|---|
set mode sla | This is the same as the Strategy option in the GUI. | None |
set priority-members <member_sequence_list> | This is the same as the Interface preference option in the GUI. | None |
config sla | This is the same as the Required SLA target option in the GUI. | Configure the SLA target settings, as shown after this table. |

    config sla
        edit <sla_target_name>
            set id <sla_id>
        next
    end