Using the minimum quality SLA strategy

The minimum quality SLA strategy uses criteria that you configure to determine which SD-WAN links to use. The FortiGate follows SD-WAN rules to route traffic through the SD-WAN interfaces that meet the latency, jitter, and packet loss criteria that you configure in the SLA targets associated with the rules.

You can configure one or more SLA targets for each performance SLA. There are situations where you might want to create multiple SLA targets in one performance SLA. For example, you might want to do this if you’re in a branch office and use different applications that run on the same server at your company headquarters. You can create one performance SLA to perform the health check for the server, and then have different SLA targets for different applications, with strict rules for some applications and lenient rules for other applications. However, if applications are running on different servers, you should create a different performance SLA for each application so that health checks are performed on the server for each application. In this case, the performance SLA for each application requires only one SLA target.

Configuring the minimum quality SLA strategy – GUI

You configure minimum quality SLA by performing the following tasks:

1. Configure SLA targets.

2. Configure SD-WAN rules to use SLA targets.

Configure SLA targets – GUI
  1. Go to Network > Performance SLA.
  2. Select the performance SLA that you want to use and select Edit.

You configure performance SLAs when you configure link health monitoring. See Configuring link health monitoring for more information.

  3. In the SLA Targets section, select + to add one or more targets. Specify one or more of the following SLA criteria for each target:

     GUI option: Latency threshold
     Description: The maximum amount of latency that’s acceptable on the interface.
     Additional configuration steps:
       1. Enable this threshold.
       2. Set a latency threshold (in ms).

     GUI option: Jitter threshold
     Description: The maximum amount of jitter that’s acceptable on the interface.
     Additional configuration steps:
       1. Enable this threshold.
       2. Set a jitter threshold (in ms).

     GUI option: Packet loss threshold
     Description: The maximum percentage of packet loss that’s acceptable on the interface.
     Additional configuration steps:
       1. Enable this threshold.
       2. Set a packet loss threshold percentage.

  4. Select OK.

Configure SD-WAN rules to use SLA targets – GUI
  1. Go to Network > SD-WAN Rules.
  2. Select Create New.
  3. In the Name field, enter a name for the rule.
  4. In the Source section, set any of the following source parameters for matching incoming traffic from your organization’s internal network:

     GUI option: Source address
     Description: Match traffic based on source IP address.
     Additional configuration steps:
       1. Select +.
       2. In the Select Entries window, select one or more source IP addresses. Select Close.

     GUI option: User group
     Description: Match traffic based on users and user groups.
     Additional configuration steps:
       1. Select +.
       2. In the Select Entries window, select one or more users and user groups. Select Close.

  5. In the Destination section, set any of the following destination parameters for matching incoming traffic from your organization’s internal network:

     GUI option: Address
     Description: Match traffic based on destination IP address, destination port number, and type of service (ToS). If you configure this option, you can’t configure Internet Service or Application options.
     Additional configuration steps:
       1. Select +.
       2. In the Select Entries window, select one or more destination IP addresses. Select Close.
       3. In the Protocol number field, select TCP, UDP, ANY, or Specify.
       4. If you select TCP or UDP, specify a Port range.
       5. If you select Specify, specify a protocol number, a Type of service, and a Bit Mask.

     GUI option: Internet Service
     Description: Match traffic based on Internet Service Database (ISDB) address objects. You can configure Internet services and Internet service groups. If you configure this option, you can’t configure the destination Address options.
     Additional configuration steps:
       1. Select +.
       2. In the Select Entries window, select one or more Internet services or Internet service groups from the list.
       3. Select Close.

     GUI option: Application
     Description: Match traffic based on applications and application control groups. If you configure this option, you can’t configure the destination Address options.
     Additional configuration steps:
       1. Select +.
       2. In the Select Entries window, select one or more applications or application control groups.
       3. Select Close.

  6. In the Outgoing Interfaces section, configure the following criteria for choosing which SD-WAN member interface to route traffic through:

     GUI option: Strategy
     Description: The strategy that you want the SD-WAN rules to use.
     Additional configuration steps: Select Minimum Quality (SLA).

     GUI option: Interface preference
     Description: One or more interfaces, in order of priority, that you want the FortiGate to use.

       If you select more than one interface, the FortiGate evaluates the links from the top down. If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality link.

       If at any time, the current link doesn’t meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiGate changes to that link, and so on. If none of the links meet the SLA criteria, the FortiGate uses the preferred link, which is the first link in the configuration, regardless of its performance.

       The FortiGate continually checks the links to see if any of them meet the SLA criteria.
     Additional configuration steps:
       1. In the Interface preference field, select +.
       2. In the Select Entries window, select one or more interfaces. Select Close.

     GUI option: Required SLA target
     Description: The name of the SLA target that you want the FortiGate to use to measure the quality of the links.

       If you haven’t yet configured a performance SLA that you want to use, you can also use this option to create a new performance SLA.
     Additional configuration steps:
       1. In the Required SLA target field, select +.
       2. In the Select Entries window, select one or more SLA targets in the list, or select + to create a new performance SLA. Select Close.

  7. Select OK.
  8. Go to Network > SD-WAN Rules to see the SD-WAN rules. You can drag and drop the rules to reorder them.
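
The link selection described under Interface preference, written out as a small Python model. This is an added example, not Fortinet code: it is a simplified reading of the behaviour described above, and the class names, the interface names wan1 and wan2, and all measurements are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SlaTarget:
    # None means the threshold is not enabled, so it is not evaluated.
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    packet_loss_pct: Optional[float] = None

@dataclass(frozen=True)
class LinkSample:
    # One health-check measurement for an SD-WAN member (constructed model).
    name: str
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float

def meets_sla(link, target):
    """True when every enabled threshold is satisfied (maximum acceptable values)."""
    pairs = (
        (target.latency_ms, link.latency_ms),
        (target.jitter_ms, link.jitter_ms),
        (target.packet_loss_pct, link.packet_loss_pct),
    )
    # Assumption: a measurement equal to the threshold still meets the target.
    return all(limit is None or measured <= limit for limit, measured in pairs)

def select_link(preference, target):
    """Return (member name, met_sla) for an ordered interface preference list."""
    if not preference:
        raise ValueError("interface preference must list at least one member")
    for link in preference:          # top-down: first compliant link wins
        if meets_sla(link, target):
            return link.name, True
    # No link complies: traffic still leaves on the first (preferred) link.
    return preference[0].name, False

def replay(polls, target):
    """Apply the selection to successive measurement rounds."""
    return [select_link(poll, target) for poll in polls]

# Constructed sample data: wan1 is preferred over wan2; jitter is not enabled.
TARGET = SlaTarget(latency_ms=100, packet_loss_pct=2)
POLLS = [
    [LinkSample("wan1", 40, 5, 0.0), LinkSample("wan2", 20, 2, 0.0)],
    [LinkSample("wan1", 180, 5, 0.0), LinkSample("wan2", 25, 90, 0.5)],
    [LinkSample("wan1", 300, 5, 6.0), LinkSample("wan2", 150, 3, 0.0)],
]

if __name__ == "__main__":
    for choice in replay(POLLS, TARGET):
        print(choice)
```

The met_sla flag is False only in the fallback case, which is the condition worth alerting on because the rule keeps forwarding on the preferred link regardless of its performance.
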
Configure the minimum quality SLA strategy – CLI
Configure SLA targets – CLI

    config system virtual-wan-link
        config health-check
            edit <health_check_name>
                config sla
                    edit <sla_id>
                        set link-cost-factor {latency | jitter | packet-loss}
                        set latency-threshold <milliseconds>
                        set jitter-threshold <milliseconds>
                        set packetloss-threshold <percentage>
                    next
                end
            next
        end
    end

Configure SD-WAN rules to use SLA targets – CLI

In the CLI, an SD-WAN rule is called a service.

    config system virtual-wan-link
        config service
            edit <rule_id>
                set name <rule_name>
                set addr-mode {ipv4 | ipv6}
            next
        end
    end

Configure the source parameters:

CLI option: set {src | src6} <address_list>
Description: This is the same as the Source address option in the GUI.
Additional configuration steps: None

CLI option: set groups <group_list>
Description: This is the same as the User group option in the GUI.
Additional configuration steps: None

Configure the destination parameters:

CLI option: set {dst | dst6} <address_list>
Description: This is the same as the Address option in the GUI. The address list or address group list.
Additional configuration steps: None

CLI option: set protocol <protocol_number>
Description: This is the same as the Protocol number option in the GUI.
Additional configuration steps: If you set a specific protocol, you might also need to set additional values, such as:

    set start-port <port_number>
    set end-port <port_number>
    set tos <bit_pattern>
    set tos-mask <evaluated_bits>

  For more information, see the FortiOS CLI Reference.

CLI option: set internet-service enable
Description: This is the same as the Internet Service and Application options in the GUI.
Additional configuration steps: If you enable the internet-service option, set any of these options:

    set internet-service-custom <name_list>
    set internet-service-custom-group <group_list>
    set internet-service-id <id_list>
    set internet-service-group <group_list>
    set internet-service-ctrl <id_list>
    set internet-service-ctrl-group <group_list>

  For more information, see the FortiOS CLI Reference.

Configure outgoing interface parameters:

CLI option: set mode sla
Description: This is the same as the Strategy option in the GUI.
Additional configuration steps: None

CLI option: set priority-members <member_sequence_list>
Description: This is the same as the Interface preference option in the GUI.
Additional configuration steps: None

CLI option: config sla
Description: This is the same as the Required SLA target option in the GUI.
Additional configuration steps: Configure the SLA target settings:

    config sla
        edit <sla_target_name>
            set id <sla_id>
        next
    end