FortiGate
gmarcuccetti
Article Id 193537

Description
This article describes how to use 'probe-packets disable' in the SLA Performance in SD-WAN.

Solution
It is possible to disable 'probe-packets' for a specific Performance SLA (health-check) of the SD-WAN. Disabling the probe is intended for debugging only and should not be used in normal operation.

It is possible to disable it from the GUI.

Or from the CLI.
# config system sdwan
# config health-check

    edit "Default_FortiGuard"
        set probe-packets disable
    next
end
end
Even if disabled, the FortiGate will keep sending out traffic and checking the response, but the result will be ignored.
# diagnose sys sdwan health-check
Health Check(Default_DNS):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(26.810), jitter(5.809) sla_map=0x1
Seq(2 port3): state(alive), packet-loss(0.000%) latency(26.774), jitter(5.733) sla_map=0x1
Health Check(Default_FortiGuard):
Seq(1 port1): state(alive), packet-loss(3.333%) latency(153.036), jitter(0.460) sla_map=0x1
Seq(2 port3): state(alive), packet-loss(6.667%) latency(157.907), jitter(10.215) sla_map=0x0
NOTE.
Rebooting the unit while 'probe-packets' is disabled could trigger an unknown status of the 'health-check', and it could affect the routing table if 'update-static-route' is enabled.
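
A check for the condition in the NOTE above, run against a configuration backup. This is an added example, not Fortinet's code: it reports every SD-WAN health-check left with 'probe-packets' disabled and whether 'update-static-route' is still in effect. The function name, the sample backup text, and the treatment of an absent option as 'enable' are assumptions.

```python
import shlex

# Constructed FortiOS backup excerpt (sample input, not from the article).
SAMPLE_CONFIG = """
config system sdwan
    config health-check
        edit "Default_DNS"
            set system-dns enable
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                next
            end
        next
        edit "Default_FortiGuard"
            set server "fortiguard.com"
            set probe-packets disable
            set members 1 2
        next
    end
end
"""
HC_PATH = ["config system sdwan", "config health-check"]

def find_disabled_probes(config_text):
    """Return a finding for each SD-WAN health-check with probe-packets disabled."""
    stack, findings, name, opts = [], [], None, None
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:              # unbalanced quote in a value: fall back
            tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok))
            if tok[0] == "edit" and stack[-3:-1] == HC_PATH:
                # Assumption: an option absent from the backup is at its default (enable).
                name = " ".join(tok[1:])
                opts = {"probe-packets": ["enable"], "update-static-route": ["enable"], "members": []}
        elif tok[0] == "set" and opts and len(tok) > 2 and stack[-3:-1] == HC_PATH and tok[1] in opts:
            opts[tok[1]] = tok[2:]      # only top-level settings of the health-check entry
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
            if tok[0] == "next" and opts and stack[-2:] == HC_PATH:   # entry closed
                if opts["probe-packets"] == ["disable"]:
                    findings.append({"health_check": name, "members": opts["members"],
                                     "route_risk_on_reboot": opts["update-static-route"] != ["disable"]})
                name, opts = None, None
    return findings

if __name__ == "__main__":
    for finding in find_disabled_probes(SAMPLE_CONFIG):
        print(finding)
```

The match is made on the innermost blocks, so a backup that wraps the SD-WAN section in a VDOM block is handled the same way.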

The correct procedure to stop using the probe is to unset the members.

From the GUI.

From the CLI.
# config system sdwan
# config health-check

    edit "Default_FortiGuard"
        unset members
    next
end
end
Result.
 
 




