What's the difference between active and passive monitoring in FortiGate performance SLAs?
Exploring a couple of popular topics in FortiGate link state monitoring.
FortiGates have a feature called "Performance SLAs". These are essentially health checks that let the firewall monitor the health of interfaces/ports/circuits. The data they collect gives insight into latency, jitter, and packet loss. That might sound trivial, but these details matter: the FortiGate relies on them whenever it needs to make decisions about SD-WAN packet forwarding, such as which member link a session should leave on.
Here's the thing though: there are two different types of monitoring: active and passive. Which one is the best fit for a situation? Here's a quick breakdown:
- Active monitoring: the FortiGate proactively sends probe packets of a chosen protocol (ping, HTTP, DNS, TCP echo and others) to a defined destination server at a fixed interval, then measures latency, jitter, and packet loss from the responses to those recurring probes.
- Passive monitoring: the FortiGate examines existing session information to glean the same details. It looks at the actual user traffic flowing through the interfaces instead of at artificial tests the firewall generates itself.
Each of these approaches has trade-offs. Active monitoring provides constant measurement, because the firewall always generates its own test traffic at consistent intervals regardless of user activity. That traffic is artificial, though: it only measures the path to the probe server, and the results are not necessarily the same as what authentic "real world" user traffic experiences. On the flip side, passive monitoring is based on the traffic users actually produce, so it is the most authentic, but its reliance on user data means a degraded link may not be noticed until someone sends traffic across it. It also means historical data can have gaps wherever no user traffic crossed the link.
So which method should admins choose? That's mostly a matter of preference, BUT it's also worth noting that there's a potential compromise: "Prefer Passive" mode. This alternative tells the FortiGate to use passive data whenever it's available. If there's no user traffic, the FortiGate switches to sending probes (active mode) so that monitoring stays continuous.
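Here is what the choice looks like in the FortiOS CLI, with the health check set to prefer-passive. This is an added example written for this page, not configuration taken from the original post or from Fortinet; the interface names, probe server, thresholds and policy details are placeholders, and the option names should be checked against the release notes for your FortiOS version (detect-mode and passive WAN health measurement are 7.0 and later).

```text
# Added example, not from the original post. FortiOS 7.0+ CLI.
# Interface names, server, thresholds and policy details are placeholders.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
    config health-check
        edit "DC-DNS"
            # Probe target used whenever the FortiGate is sending active probes.
            set server "203.0.113.10"
            set protocol ping
            set interval 500          # ms between probes
            set probe-timeout 500     # ms to wait for a reply
            set failtime 5            # consecutive failures before the link is "dead"
            set recoverytime 5        # consecutive successes before it is "alive" again
            # active | passive | prefer-passive
            set detect-mode prefer-passive
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 250     # ms
                    set jitter-threshold 50       # ms
                    set packetloss-threshold 5    # percent
                next
            end
        next
    end
end

# Passive and prefer-passive can only measure traffic that the firewall is told
# to measure, so the policy carrying user traffic out the SD-WAN must opt in.
config firewall policy
    edit 10
        set name "LAN-to-SDWAN"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set passive-wan-health-measurement enable
        set nat enable
    next
end
```

Two checks worth doing before trusting any of these modes: confirm that the probe server actually answers the chosen protocol from every member interface (a server that drops ICMP will mark every link dead in active mode and in prefer-passive's fallback), and after committing, look at `diagnose sys sdwan health-check` to confirm that latency, jitter and packet loss are being populated for every member, since the SLA pass/fail shown there is what the SD-WAN rules act on.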