
Administration Guide

Use an application category as an SD-WAN rule destination

An application category can be selected as an SD-WAN service rule destination criterion. Previously, only application groups or individual applications could be selected.

config system sdwan
    config service
        edit <id>
            set internet-service enable
            set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n> 
        next
    end
end

To view details of the applications detected for a category, use diagnose sys sdwan internet-service-app-ctrl-category-list <id>, where <id> is the application category ID.

Example

In this example, traffic steering is applied to traffic detected as video/audio (category ID 5) or email (category ID 21), using the lowest cost (SLA) strategy. When costs are tied, member 1 (dmz) is preferred.

To configure application categories as an SD-WAN rule destination:
  1. Configure the SD-WAN settings:
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "vlan100"
                set gateway 172.16.206.2
            next
        end
        config health-check
            edit "1"
                set server "8.8.8.8"
                set protocol dns
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
    end
  2. Configure the SD-WAN rule to use application categories 5 and 21:
    config system sdwan
        config service
            edit 1
                set name "1"
                set mode sla
                set src "172.16.205.0"
                set internet-service enable
                set internet-service-app-ctrl-category 5 21
                config sla
                    edit "1"
                        set id 1
                    next
                end
                set priority-members 1 2
            next
        end
    end
  3. Configure the firewall policy. Application control must be enabled on the policy, because the SD-WAN rule can only match a category once the application has been identified:
    config firewall policy
        edit 1
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr 172.16.205.0
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
        next
    end
  4. Verify that the traffic is sent over dmz:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=469 last_used=2021-12-15 15:06:05
  5. View some videos and emails on the PC, then verify the detected application details for each category:
    # diagnose sys sdwan internet-service-app-ctrl-category-list 5
    YouTube(31077 4294838537): 142.250.217.110 6 443 Wed Dec 15 15:39:50 2021
    YouTube(31077 4294838537): 173.194.152.89 6 443 Wed Dec 15 15:37:20 2021
    YouTube(31077 4294838537): 173.194.152.170 6 443 Wed Dec 15 15:37:37 2021
    YouTube(31077 4294838537): 209.52.146.205 6 443 Wed Dec 15 15:37:19 2021
    # diagnose sys sdwan internet-service-app-ctrl-category-list 21
    Gmail(15817 4294836957): 172.217.14.197 6 443 Wed Dec 15 15:39:47 2021
  6. Verify that the captured email traffic is sent over dmz:
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591
  7. Edit the SD-WAN rule so that dmz has a higher cost and vlan100 is preferred.
  8. Verify that the traffic is now sent over vlan100:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=635 last_used=2021-12-15 15:55:43
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565
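The checks in steps 4 to 8 are done by reading the diagnose output by eye. The following Python script is an added example, not part of this guide or of FortiOS: it parses the `diagnose firewall proute list` and `diagnose sniffer packet` output quoted above (embedded as sample text so it runs offline; on a live unit, feed it the real command output instead) and confirms that rule 1 matches categories 5 and 21 and that the preferred output interface is the expected member before and after the cost change. It assumes that the second field of each `(0,5,0,0,0)` tuple on the `internet service` line is the application-control category ID; that is consistent with the configured values but is not documented on this page. The `PROUTE_BEFORE`/`PROUTE_AFTER` names and the helper functions are the example's own.

```python
"""Parse FortiOS SD-WAN diagnose output and check that an app-category rule
steers traffic to the expected member. Added example; not Fortinet code."""
import re
from dataclasses import dataclass, field

# Sample output copied from the diagnose commands shown on this page, embedded
# so the script runs offline. Replace with live command output on a real unit.
PROUTE_BEFORE = """\
list route policy info(vf=root):
id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=469 last_used=2021-12-15 15:06:05
"""
PROUTE_AFTER = """\
list route policy info(vf=root):
id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=635 last_used=2021-12-15 15:55:43
"""
SNIFFER_BEFORE = "5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591\n"
SNIFFER_AFTER = "304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565\n"


@dataclass
class PolicyRoute:
    route_id: int = 0
    service: int = 0                                  # vwl_service: SD-WAN rule ID
    member_seq: list = field(default_factory=list)    # vwl_mbr_seq, preference order
    oifs: list = field(default_factory=list)          # [(ifindex, name)] in preference order
    categories: list = field(default_factory=list)    # app-control category IDs
    hit_count: int = 0


def _parse_header(line: str) -> PolicyRoute:
    """Parse the 'id=... vwl_service=... oif=...' line of one policy route."""
    r = PolicyRoute()
    tokens = line.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("id="):
            r.route_id = int(re.match(r"id=(\d+)", tok).group(1))
        elif tok.startswith("vwl_service="):
            r.service = int(re.match(r"vwl_service=(\d+)", tok).group(1))
        elif tok.startswith("vwl_mbr_seq="):
            # The member sequence continues over the following all-digit tokens.
            r.member_seq.append(int(tok.split("=", 1)[1]))
            while i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1
                r.member_seq.append(int(tokens[i]))
        elif tok.startswith("oif="):
            m = re.match(r"oif=(\d+)\(([^)]+)\)", tok)
            r.oifs.append((int(m.group(1)), m.group(2)))
        i += 1
    return r


def parse_proute(text: str) -> list:
    """Parse all policy routes in 'diagnose firewall proute list' output."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("id="):
            routes.append(_parse_header(line))
        elif line.startswith("internet service") and routes:
            # Assumption: the second field of each (a,b,c,d,e) tuple is the
            # app-control category ID (matches the configured 5 and 21).
            tuples = re.findall(r"\((\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
            routes[-1].categories = [int(t[1]) for t in tuples]
        elif line.startswith("hit_count=") and routes:
            routes[-1].hit_count = int(re.match(r"hit_count=(\d+)", line).group(1))
    return routes


def verify_steering(proute_text: str, service_id: int, categories: list, expected_iface: str) -> list:
    """Return a list of problems; empty when the rule steers as expected."""
    matches = [r for r in parse_proute(proute_text) if r.service == service_id]
    if len(matches) != 1:
        return [f"expected one policy route for rule {service_id}, found {len(matches)}"]
    r = matches[0]
    problems = []
    if sorted(r.categories) != sorted(categories):
        problems.append(f"categories {r.categories} != {sorted(categories)}")
    first = r.oifs[0][1] if r.oifs else None
    if first != expected_iface:
        problems.append(f"preferred oif is {first}, expected {expected_iface}")
    return problems


SNIFFER_RE = re.compile(r"^(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):")


def interfaces_for_peer(sniffer_text: str, peer_ip: str) -> set:
    """Interfaces on which sniffer lines to or from peer_ip were seen."""
    seen = set()
    for raw in sniffer_text.splitlines():
        m = SNIFFER_RE.match(raw.strip())
        if not m:
            continue  # skips the interfaces=[...] / filters=[...] banner lines
        src_ip = m.group("src").rsplit(".", 1)[0]  # strip the trailing .port
        dst_ip = m.group("dst").rsplit(".", 1)[0]
        if peer_ip in (src_ip, dst_ip):
            seen.add(m.group("iface"))
    return seen


if __name__ == "__main__":
    for label, text, want in (("before", PROUTE_BEFORE, "dmz"), ("after", PROUTE_AFTER, "vlan100")):
        print(label, verify_steering(text, 1, [5, 21], want) or "OK")
    print("email peer seen on:", interfaces_for_peer(SNIFFER_BEFORE, "172.217.14.197"),
          interfaces_for_peer(SNIFFER_AFTER, "172.217.14.197"))
```

The policy-route check is the one to automate: a rule whose `internet service` line lists the wrong category IDs, or whose first `oif` is not the member you expect, is steering traffic over a path you did not intend, and the sniffer check on the Gmail peer address confirms the same thing at packet level.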
