
Allow application category as an option for SD-WAN rule destination

An application category can be selected as an SD-WAN service rule destination criterion. Previously, only application groups or individual applications could be selected.

config system sdwan
    config service
        edit <id>
            set internet-service enable
            set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n> 
        next
    end
end

To view details of the applications detected in a category, by category ID, use diagnose sys sdwan internet-service-app-ctrl-category-list <id>.

Example

In this example, an SD-WAN rule steers traffic detected as video/audio (category ID 5) or email (category ID 21) using the lowest cost (SLA) strategy. When costs are tied, priority goes to member 1, dmz.

To configure application categories as an SD-WAN rule destination in the CLI:
  1. Configure the SD-WAN settings:
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "vlan100"
                set gateway 172.16.206.2
            next
        end
        config health-check
            edit "1"
                set server "8.8.8.8"
                set protocol dns
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
    end
  2. Configure the SD-WAN rule to use application categories 5 and 21:
    config system sdwan
        config service
            edit 1
                set name "1"
                set mode sla
                set src "172.16.205.0"
                set internet-service enable
                set internet-service-app-ctrl-category 5 21
                config sla
                    edit "1"
                        set id 1
                    next
                end
                set priority-members 1 2
            next
        end
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr 172.16.205.0
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
        next
    end
  4. Verify that the traffic is sent over dmz:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=469 last_used=2021-12-15 15:06:05
  5. View some videos and emails on the PC, then verify the detected application details for each category:
    # diagnose sys sdwan internet-service-app-ctrl-category-list 5
    YouTube(31077 4294838537): 142.250.217.110 6 443 Wed Dec 15 15:39:50 2021
    YouTube(31077 4294838537): 173.194.152.89 6 443 Wed Dec 15 15:37:20 2021
    YouTube(31077 4294838537): 173.194.152.170 6 443 Wed Dec 15 15:37:37 2021
    YouTube(31077 4294838537): 209.52.146.205 6 443 Wed Dec 15 15:37:19 2021
    # diagnose sys sdwan internet-service-app-ctrl-category-list 21
    Gmail(15817 4294836957): 172.217.14.197 6 443 Wed Dec 15 15:39:47 2021
  6. Verify that the captured email traffic is sent over dmz:
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591
  7. Edit the SD-WAN rule so that dmz has a higher cost and vlan100 is preferred.
  8. Verify that the traffic is now sent over vlan100:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=635 last_used=2021-12-15 15:55:43
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565
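Steps 4 to 8 verify the steering by comparing three diagnose outputs by eye. The following Python script is an added example, not code from this page or from FortiOS: it parses the proute, category-list and sniffer outputs shown above and reports whether each sniffed packet to a destination detected in a category left on the rule's preferred member. The sample strings are copied from the steps above (PROUTE_VLAN reproduces only the member order change from step 8); the regular expressions match only the output format shown on this page, and reading the second field of each "(null)(0,5,0,0,0)" tuple as the application-control category ID is inferred from the rule's categories 5 and 21, not documented.

```python
"""Cross-check the SD-WAN verification outputs from the procedure above.
Added example, not code from the Fortinet page or FortiOS. It parses the
proute, category-list and sniffer outputs and reports whether traffic to a
destination detected in a category left on the rule's preferred member.
Assumption: field 2 of each "(null)(0,5,0,0,0)" tuple is the category ID.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class ProuteEntry:
    rule_id: int
    vwl_service: int
    member_seq: list[int]  # vwl_mbr_seq: member IDs in priority order
    oifs: list[str]        # egress interfaces in the same order
    categories: set[int]   # app-ctrl category IDs (assumed tuple field 2)
    hit_count: int

@dataclass
class DetectedApp:
    name: str
    app_id: int
    dst_ip: str
    protocol: int          # IP protocol number (6 = TCP)
    port: int
    last_seen: str

PROUTE_ID = re.compile(r"id=(\d+)\(0x[0-9a-f]+\) vwl_service=(\d+)\(\d+\) "
                       r"vwl_mbr_seq=([\d ]+?) dscp_tag")
OIF = re.compile(r"oif=\d+\((\w+)\)")
CATEGORY = re.compile(r"\(null\)\(\d+,(\d+),")
HIT = re.compile(r"hit_count=(\d+)")
CATLIST = re.compile(r"^(\S+)\((\d+) (\d+)\): (\S+) (\d+) (\d+) (.+)$")
SNIFF = re.compile(r"^\d+\.\d+ (\S+) (in|out) (\S+) -> (\S+):")

def parse_proute(text: str) -> list[ProuteEntry]:
    """Parse 'diagnose firewall proute list' into one entry per policy route."""
    entries: list[ProuteEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROUTE_ID.match(line):
            entries.append(ProuteEntry(int(m.group(1)), int(m.group(2)),
                                       [int(x) for x in m.group(3).split()],
                                       OIF.findall(line), set(), 0))
        elif entries and line.startswith("internet service("):
            entries[-1].categories = {int(c) for c in CATEGORY.findall(line)}
        elif entries and (h := HIT.match(line)):
            entries[-1].hit_count = int(h.group(1))
    return entries

def parse_category_list(text: str) -> list[DetectedApp]:
    """Parse 'diagnose sys sdwan internet-service-app-ctrl-category-list <id>'."""
    apps = []
    for raw in text.splitlines():
        if m := CATLIST.match(raw.strip()):
            apps.append(DetectedApp(m.group(1), int(m.group(2)), m.group(4),
                                    int(m.group(5)), int(m.group(6)), m.group(7)))
    return apps

def sniffed_packet(line: str) -> tuple[str, str, str] | None:
    """Return (interface, direction, dst_ip) for one sniffer line, else None."""
    m = SNIFF.match(line.strip())
    return (m.group(1), m.group(2), m.group(4).rsplit(".", 1)[0]) if m else None

def preferred_member(entries: list[ProuteEntry], category: int) -> str | None:
    """Interface the first rule matching this category tries first."""
    for e in entries:
        if category in e.categories and e.oifs:
            return e.oifs[0]
    return None

def verify_steering(proute_text, catlist_text, sniffer_text, category):
    """Return (expected_iface, [(dst_ip, observed_iface, ok), ...])."""
    expected = preferred_member(parse_proute(proute_text), category)
    detected = {a.dst_ip for a in parse_category_list(catlist_text)}
    results = []
    for line in sniffer_text.splitlines():
        pkt = sniffed_packet(line)
        if pkt and pkt[2] in detected:
            results.append((pkt[2], pkt[0], pkt[0] == expected))
    return expected, results

# Sample output copied from steps 4, 5, 6 and 8 of the procedure above.
PROUTE_DMZ = """id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=469 last_used=2021-12-15 15:06:05"""
PROUTE_VLAN = PROUTE_DMZ.replace("vwl_mbr_seq=1 2", "vwl_mbr_seq=2 1").replace(
    "oif=5(dmz) oif=95(vlan100)", "oif=95(vlan100) oif=5(dmz)")  # step 8 order
CATLIST_21 = "Gmail(15817 4294836957): 172.217.14.197 6 443 Wed Dec 15 15:39:47 2021"
SNIFF_DMZ = "5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591"
SNIFF_VLAN = "304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565"

if __name__ == "__main__":
    print("before:", verify_steering(PROUTE_DMZ, CATLIST_21, SNIFF_DMZ, 21))
    print("after:", verify_steering(PROUTE_VLAN, CATLIST_21, SNIFF_VLAN, 21))
```

Run against the saved output of the three commands on a FortiGate, the ok flag turns False for any detected destination whose packets left on a member other than the one the rule currently prefers, which is the condition step 8 checks after the cost change.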
To configure application categories as an SD-WAN rule destination in the GUI:

Note

This functionality is available in FortiOS 7.2.1 and later. Prior to 7.2.1, individual applications can be selected in SD-WAN rules by default.

After upgrading to 7.2.1 or later, the GUI functionality is available if applications were already configured in SD-WAN rules before the upgrade. Otherwise, by default, individual applications and application groups cannot be selected in SD-WAN rules. To enable this functionality, see step 1 in the following procedure.

  1. Enable the feature visibility:

    1. Go to System > Feature Visibility.

    2. In the Additional Features section, enable Application Detection Based SD-WAN.

    3. Click Apply.

    Note

    To enable GUI visibility of application detection based SD-WAN in the CLI:

    config system global
        set gui-app-detection-sdwan enable
    end
  2. Configure the SD-WAN members:

    1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.

    2. Set the Interface to dmz, and set the Gateway to 172.16.208.2.

    3. Click OK.

    4. Repeat these steps to create another member for the vlan100 interface with gateway 172.16.206.2.

  3. Configure the performance SLA (health check):

    1. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.

    2. Configure the following settings:

      Name          1
      Protocol      DNS
      Server        8.8.8.8
      SLA Target    Enable

    3. Click OK.

  4. Configure the SD-WAN rule to use the video/audio and email application categories:

    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    2. In the Destination section, click the + in the Application field.

    3. Click Category, and select Video/Audio and Email.

    4. Configure the other settings as needed.

    5. Click OK.

  5. Configure the firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following settings:

      Incoming Interface    port5
      Outgoing Interface    virtual-wan-link
      Source                172.16.205.0
      Destination           all
      Schedule              always
      Service               ALL
      Action                ACCEPT
      Application Control   g-default
      SSL Inspection        certificate-inspection

    3. Click OK.
