Recently a customer told me he would like to monitor and graph the values that his Fortigate firewall was generating for his configured SLA Trackers. What are these SLA Trackers? I looked into it and found the following in a Fortigate Cookbook.
Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by sending probing signals through each link to a server, and then measuring the link quality based on latency, jitter, and packet loss. If a link is broken, the routes on that link are removed, and traffic is routed through other links. When the link is working again, the routes are then re-enabled. This prevents traffic being sent down broken links and thus lost.
In the example above:
A performance SLA is created so that, if one of the two links fails, its routes are removed and traffic is detoured to the other link.
Configuring such trackers basically produces 3 values per link: latency, jitter and packet loss.
This data can be queried from the device using SNMP (on the Fortigate it’s SNMPv3), starting from the following base OID: 1.3.6.1.4.1.12356.101.4.9.2.1
Starting from there you have to walk various trees to get the correct and complete data:
With this knowledge it was quite easy to write a small plugin to use with the Icinga 2 instance in our NetEye Server. You can download the code for the plugin here: check_snmp_fortigate_sla_tracker.pl
Now you just have to get the values you need for the SNMP connection to your firewall (protocols 1, 2c and 3 are supported), and then call it like this:
check_snmp_fortigate_sla_tracker.pl -H <myfirewallip> -C <myfirewallcommunity> -w 100,30,20 -c 500,100,60
The Warning and Critical parameters are each a triple of latency, jitter, loss. Every value reported for any of the interfaces must be below the configured thresholds; otherwise a warning/critical event is triggered.
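The threshold rule just described, as an added Python example (not the Perl plugin's own code): it parses the -w/-c triples, checks every link's readings against them and builds the plugin output with performance data for graphing. The link names and readings are constructed, and reporting a missing reading as UNKNOWN is an assumption of this example.

```python
# Added example: threshold logic for the latency,jitter,loss triple.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Icinga/Nagios plugin exit codes
NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}  # used to pick the worst state
METRICS = ("latency", "jitter", "loss")


def parse_triple(text):
    """Turn '100,30,20' into {'latency': 100.0, 'jitter': 30.0, 'loss': 20.0}."""
    parts = text.split(",")
    if len(parts) != len(METRICS):
        raise ValueError("expected latency,jitter,loss but got %r" % text)
    return dict(zip(METRICS, map(float, parts)))


def evaluate(links, warn, crit):
    """Return (exit_code, plugin_output) for per-link readings.

    links maps a link name to a dict of metric -> value (absent if not reported).
    """
    worst, problems, perfdata = OK, [], []
    for link in sorted(links):
        for metric in METRICS:
            value = links[link].get(metric)
            if value is None:
                state = UNKNOWN      # assumption: a missing reading must not pass as healthy
            elif value >= crit[metric]:
                state = CRITICAL
            elif value >= warn[metric]:
                state = WARNING
            else:
                state = OK           # strictly below both thresholds
            if value is not None:
                perfdata.append("'%s_%s'=%s;%s;%s"
                                % (link, metric, value, warn[metric], crit[metric]))
            if state != OK:
                problems.append("%s %s=%s (%s)" % (link, metric, value, NAMES[state]))
            if SEVERITY[state] > SEVERITY[worst]:
                worst = state
    summary = "; ".join(problems) if problems else "all links below thresholds"
    return worst, "%s - %s | %s" % (NAMES[worst], summary, " ".join(perfdata))


# Constructed sample readings; the link names are made up for this example.
SAMPLE = {
    "wan1": {"latency": 12.4, "jitter": 1.1, "loss": 0.0},
    "wan2": {"latency": 130.0, "jitter": 45.0, "loss": 0.0},
}

if __name__ == "__main__":
    code, output = evaluate(SAMPLE, parse_triple("100,30,20"), parse_triple("500,100,60"))
    print(output)
    raise SystemExit(code)
```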