Fields for identifying traffic
This topic describes the fields in an SD-WAN rule used for defining the traffic to which the rule applies. Some fields are available only in the CLI.
SD-WAN rules can identify traffic by source address, destination address, service, and individual or user group matches. SD-WAN rules can also identify traffic by application control (application-aware routing), internet service database (ISDB), BGP route tags, and Differentiated Services Code Point (DSCP) tags.
In the GUI, go to Network > SD-WAN > SD-WAN Rules. Click Create New, or double-click an existing rule to open it for editing. The Source and Destination sections are used to identify traffic for the rule.
In the CLI, edit the service definition ID number to identify traffic for the rule:
```
config system sdwan
    config service
        edit <ID>
            <CLI commands from the following tables>
            ...
    end
end
```
The following table describes the fields used for the name, ID, and IP version of the SD-WAN rule:
Name, ID, and IP version

| Field | CLI | Description |
|---|---|---|
| Name | | The name does not need to relate to the traffic being matched, but it is good practice to have intuitive rule names. |
| ID | `config system sdwan config service edit <ID> next end end` | The ID is generated when the rule is created. You can only specify the ID from the CLI. |
| IP version | | The addressing mode can be IPv4 or IPv6. To configure it in the GUI, IPv6 must be enabled on the System > Feature Visibility page. |
The following table describes the fields used for the source section of the SD-WAN rule:
Source

| Field | CLI | Description |
|---|---|---|
| Source address | May be negated from the CLI with | One or more address objects. |
| User group | | Individual users or user groups. |
| Source interface ( | May be negated with | CLI only. Select one or more source interfaces. |
The following table describes the fields used for the destination section of the SD-WAN rule:
Destination

| Field | CLI | Description |
|---|---|---|
| Address | Use | One or more address objects. One protocol and one port range can be combined with the address object. If an SD-WAN rule needs to match multiple protocols or multiple port ranges, you can create a custom Internet Service. |
| Internet Service | | One or more internet services or service groups. This applies only to IPv4 rules, and cannot be used in conjunction with an address object. |
| Application | | One or more applications or application groups. This applies only to IPv4 rules, and cannot be used in conjunction with an address object. May be used with internet services or service groups. |
| Route tag ( | | CLI only. This replaces the |
| TOS mask ( | | CLI only. In order to leverage type of service (TOS) matching or DSCP matching on the IP header, the SD-WAN rule must specify the bit mask of the byte holding the TOS value. For example, a TOS mask of 0xe0 (11100000) matches the upper 3 bits. |
| TOS ( | | CLI only. The value specified here is matched after the For example, the FortiGate receives DSCP values 110000 and 111011. (DSCP is the upper 6 bits of the TOS field, so 11000000 and 11101100 respectively.) Using the TOS value 0xe0 (11100000), only the second DSCP value is matched. |
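As an added illustration (not FortiOS code, and not a description of how the FortiGate implements it internally), the following Python models how the TOS mask and TOS value from the table above are applied, and how a simplified rule combines the source, destination, protocol and port criteria with a logical AND; the `Rule` and `Flow` classes, their field names and the sample addresses are constructed for this example, and the bit arithmetic reproduces the DSCP 110000 / 111011 case from the TOS row.

```python
import ipaddress
from dataclasses import dataclass, field

def dscp_to_tos(dscp: int) -> int:
    """DSCP is the upper 6 bits of the TOS byte: shift left by 2 (the low 2 bits are ECN)."""
    assert 0 <= dscp <= 0x3F, "DSCP is a 6-bit value"
    return dscp << 2

def tos_matches(tos_byte: int, tos_mask: int, tos_value: int) -> bool:
    """Apply the mask to the packet's TOS byte first, then compare with the rule's TOS under that mask."""
    return (tos_byte & tos_mask) == (tos_value & tos_mask)

@dataclass
class Flow:                 # constructed: one flow as seen by the matcher
    src: str
    dst: str
    protocol: int
    dport: int
    tos: int                # full TOS byte from the IP header

@dataclass
class Rule:                 # constructed: a subset of the rule fields in the tables above
    src: list = field(default_factory=list)   # source address objects (CIDR strings)
    src_negate: bool = False                  # match only when src is NOT in the list
    dst: list = field(default_factory=list)   # destination address objects
    protocol: int = 0                         # 0 = any protocol
    start_port: int = 0
    end_port: int = 65535
    tos_mask: int = 0                         # 0 = TOS/DSCP not considered
    tos: int = 0

def _in_any(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every configured criterion must hold (logical AND); an empty criterion matches anything."""
    if rule.src and _in_any(flow.src, rule.src) == rule.src_negate:
        return False
    if rule.dst and not _in_any(flow.dst, rule.dst):
        return False
    if rule.protocol and flow.protocol != rule.protocol:
        return False
    if not rule.start_port <= flow.dport <= rule.end_port:
        return False
    if rule.tos_mask and not tos_matches(flow.tos, rule.tos_mask, rule.tos):
        return False
    return True
```

With `tos_mask=0xE0` and `tos=0xE0`, a flow carrying DSCP 111011 (TOS byte 0xec) matches while DSCP 110000 (TOS byte 0xc0) does not, which is the outcome the TOS row describes.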