FortiGate
kltam
Staff
Article Id 198515

Description

 

This article describes how to configure a source IP address for the Secure SD-WAN Performance SLA feature.
For regular SD-WAN members that have an IP address configured, such as WAN interfaces, FortiOS performs the Performance SLA check using the interface's IP address.

However, in Secure SD-WAN some VPN interfaces either have no IP address configured, or have one that is not allowed by the IPsec Phase 2 selector. In both cases FortiOS encounters an issue when performing the SD-WAN Performance SLA check for these VPN interfaces.

 

Scope

 

FortiGate.

Solution

 

By default, a VPN interface created in FortiOS has no IP address.
If such a VPN interface is added as a Secure SD-WAN member and a Performance SLA is then configured to check the VPN tunnel status, the Performance SLA entry for the VPN interface shows as 'down', as in the screenshot below:

(Screenshot: Performance SLA status with the VPN interface member shown as down.)

Therefore, set a source IP address for the VPN interface so that FortiOS can perform the Performance SLA check, and validate the result, using the CLI commands below:
 
Option 1:

 

config system sdwan
    config members
        edit <ID>  <----- VPN interface member ID.
            set source <IP address>  <----- Interface IP that is allowed in the IPsec Phase 2 selector and the firewall policy.
        next
    end
end
 
Option 2:

 

config system sdwan
    config health-check
        edit <name>  <----- Health check name.
            set source <IP address>  <----- Source IP to be used for the health check probes.
        next
    end
end

Option 2 is available starting with FortiOS 7.2.0.
 
Result: the Performance SLA status after the change (screenshot not reproduced here).

Note:

In FortiOS versions before 6.4.1, 'config system virtual-wan-link' was used instead of 'config system sdwan':

config system virtual-wan-link
    config members
        edit <ID>  <----- VPN interface member ID.
            set source <IP address>  <----- Interface IP that is allowed in the IPsec Phase 2 selector and the firewall policy.
        next
    end
end
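The following is an added example, not part of the article or of FortiOS: it checks that the chosen probe source IP actually lies inside the tunnel's Phase 2 local selectors (the condition the article says the SLA probe depends on) and then emits the matching CLI snippet for Option 1 or Option 2, choosing 'config system sdwan' or 'config system virtual-wan-link' from the version boundaries stated above. The selector subnets and version strings are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the article): the IPsec Phase 2 local
# selectors of a VPN tunnel, used to validate the SLA probe source address.
PHASE2_LOCAL_SELECTORS = ["10.10.1.0/24", "192.168.50.0/24"]


def parse_version(ver: str) -> tuple:
    """Turn a FortiOS version string such as '7.2.0' into a comparable tuple."""
    return tuple(int(part) for part in ver.split("."))


def source_allowed_by_phase2(source_ip: str, selectors) -> bool:
    """True if the probe source falls inside one of the Phase 2 local selectors.
    A source outside the selectors is not carried by the tunnel, so the
    Performance SLA entry would still show as down after 'set source'."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(sel, strict=False) for sel in selectors)


def sla_source_cli(fortios_version: str, member_id: int, source_ip: str,
                   selectors, health_check: str = "") -> str:
    """Build the CLI snippet from the article for the given FortiOS version.

    With health_check set, Option 2 (per health-check source) is generated;
    otherwise Option 1 (per SD-WAN member source). Raises ValueError when the
    source IP is outside the Phase 2 selectors or the option is unavailable.
    """
    if not source_allowed_by_phase2(source_ip, selectors):
        raise ValueError(f"{source_ip} is not covered by Phase 2 selectors {selectors}")
    ver = parse_version(fortios_version)
    # 'config system sdwan' replaced 'config system virtual-wan-link' in 6.4.1.
    table = "sdwan" if ver >= (6, 4, 1) else "virtual-wan-link"
    if health_check:
        # The health-check 'set source' option only exists from 7.2.0 onwards.
        if ver < (7, 2, 0):
            raise ValueError("health-check source requires FortiOS 7.2.0 or later")
        return (f"config system {table}\n    config health-check\n"
                f"        edit {health_check}\n            set source {source_ip}\n"
                f"        next\n    end\nend")
    return (f"config system {table}\n    config members\n"
            f"        edit {member_id}\n            set source {source_ip}\n"
            f"        next\n    end\nend")


if __name__ == "__main__":
    print(sla_source_cli("7.2.1", 3, "10.10.1.5", PHASE2_LOCAL_SELECTORS))
```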