
Administration Guide

Fields for identifying traffic

This topic describes the fields in an SD-WAN rule used for defining the traffic to which the rule applies. Some fields are available only in the CLI.

SD-WAN rules can identify traffic by a variety of means:

Address type:

    Source

    Destination

    IPv4/6

    MAC

    Group

    FABRIC_DEVICE dynamic address

Users

User groups

Application control (application aware routing)

Internet service database (ISDB)

BGP route tags

Differentiated Services Code Point (DSCP) tags

In the GUI, go to Network > SD-WAN > SD-WAN Rules. Click Create New, or double-click an existing rule to open it for editing. The Source and Destination sections of the rule identify the traffic to which the rule applies.

In the CLI, edit the service definition ID number to identify traffic for the rule:

config system sdwan
    config service
        edit <ID>
        <CLI commands from the following tables> 
        ...
    end
end

The following table describes the fields used for the name, ID, and IP version of the SD-WAN rule:

ID, Name, and IP version

Field

CLI

Description

ID

config system sdwan
    config service
        edit <ID>
        next 
    end
end

The ID is generated automatically when the rule is created in the GUI. A specific ID can only be chosen from the CLI, using the edit <ID> command.

Name

set name <string>

The name does not need to relate to the traffic being matched, but it is good practice to have intuitive rule names.

IP version

set addr-mode <ipv4 | ipv6>

The addressing mode can be IPv4 or IPv6.

To configure IPv6 rules in the GUI, IPv6 must first be enabled on the System > Feature Visibility page.

The following table describes the fields used for the source section of the SD-WAN rule:

Source

Field

CLI

Description

Source address

set src <object>

Can be negated from the CLI with set src-negate enable, which makes the rule match any source address except the listed objects.

One or more address objects.

User group

set users <user object>

set groups <group object>

Individual users or user groups. The traffic must come from an authenticated user for these fields to match.

Source interface (input-device)

set input-device <interface name>

Can be negated with set input-device-negate enable.

CLI only.

Select one or more source interfaces.
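The following rule, added here as a worked example rather than taken from the guide, combines the three source-side selectors from the table above: a negated input interface, a source address object, and a user group. The interface name port3, the address object LAN_net, the user group VPN_Users and the SD-WAN member ID 1 are assumptions and must already exist on the FortiGate; the lines beginning with # are annotations for the reader and are not FortiOS CLI input.

```fortios
config system sdwan
    config service
        edit 10
            # Free-text name; make it say what the rule matches.
            set name "lan-users-not-port3"
            set addr-mode ipv4
            # Match traffic that did NOT enter on port3 (assumed interface name).
            # input-device-negate inverts only the input-device list.
            set input-device "port3"
            set input-device-negate enable
            # Source address object, assumed to exist under config firewall address.
            set src "LAN_net"
            # Further restrict to authenticated members of an assumed user group.
            set groups "VPN_Users"
            # Steering target (assumed SD-WAN member ID 1); member selection is
            # outside the scope of this topic.
            set priority-members 1
        next
    end
end
```

Each negate flag inverts only its own field: input-device-negate turns the rule into "any interface except port3", and adding set src-negate enable would invert LAN_net without touching the groups match, so group membership would still be required. Use show system sdwan to read back the saved rule and confirm the fields were accepted.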

The following table describes the fields used for the destination section of the SD-WAN rule:

Destination

Field

CLI

Description

Address

set dst <object>

set protocol <integer>

set start-port <integer>

set end-port <integer>

Use set dst-negate enable to negate the address object.

One or more address objects.

One protocol and one port range can be combined with the address object.

If it is necessary for an SD-WAN rule to match multiple protocols or multiple port ranges, you can create a custom Internet Service.

Internet Service

set internet-service enable

set internet-service-custom <name_1> <name_2> ... <name_n>

set internet-service-custom-group <name_1> <name_2> ... <name_n>

set internet-service-name <name_1> <name_2> ... <name_n>

set internet-service-group <name_1> <name_2> ... <name_n>

One or more internet services or service groups.

Application

set internet-service-app-ctrl <id_1> <id_2> ... <id_n>

set internet-service-app-ctrl-group <name_1> <name_2> ... <name_n>

set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n>

One or more applications or application groups.

Can be combined with internet services or internet service groups in the same rule.

Route tag (route-tag)

set route-tag <integer>

CLI only.

This replaces the dst field (if previously configured) and matches a BGP route tag configured in a route map. See Using BGP tags with SD-WAN rules.

TOS mask (tos-mask)

set tos-mask <8-bit hex value>

CLI only.

To match on type of service (TOS) or DSCP bits in the IP header, the SD-WAN rule must specify which bits of the TOS byte are compared. For example, a TOS mask of 0xe0 (11100000) compares only the upper 3 bits, which are the IP precedence (class selector) part of the DSCP field; to compare the full 6-bit DSCP value, use 0xfc (11111100).

TOS (tos)

set tos <8-bit hex value>

CLI only.

The value specified here is matched after the tos-mask is applied.

For example, suppose the FortiGate receives packets carrying DSCP values 110000 and 111011. DSCP occupies the upper 6 bits of the TOS byte, so the TOS bytes are 11000000 (0xc0) and 11101100 (0xec) respectively. With tos-mask 0xe0 and tos 0xe0 (11100000), only the second packet matches: 0xc0 & 0xe0 = 0xc0, which differs from 0xe0, while 0xec & 0xe0 = 0xe0.

By default, individual applications and application groups cannot be selected in SD-WAN rules. To enable this functionality in the GUI, go to System > Feature Visibility and enable Application Detection Based SD-WAN. In the CLI, enter:

config system global
    set gui-app-detection-sdwan enable
end
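Three rules, added here as a worked example and not part of the original guide, show the destination-side selectors from the table above in use: an address object combined with a single protocol and port range, a DSCP match built from tos-mask and tos, and a negated destination. The address object HQ_net and the SD-WAN member IDs 1 and 2 are assumptions and must already exist; the lines beginning with # are annotations for the reader and are not FortiOS CLI input.

```fortios
config system sdwan
    config service
        edit 20
            set name "https-to-hq"
            # Destination address object (assumed) plus exactly one protocol
            # (6 = TCP) and one port range; for more, use a custom Internet Service.
            set dst "HQ_net"
            set protocol 6
            set start-port 443
            set end-port 443
            set priority-members 1
        next
        edit 21
            set name "voice-ef"
            # DSCP EF is 46 = 101110 and sits in the upper 6 bits of the TOS byte:
            # 101110 << 2 = 10111000 = 0xb8. The mask 0xfc (11111100) compares all
            # six DSCP bits and ignores the two ECN bits, so any ECN marking still matches.
            set tos-mask 0xfc
            set tos 0xb8
            set priority-members 2
        next
        edit 22
            set name "not-hq-any"
            # Everything except HQ_net: dst-negate inverts only the dst list.
            set dst "HQ_net"
            set dst-negate enable
            set priority-members 1
        next
    end
end
```

The DSCP-to-TOS shift is the usual mistake: the rule is given the whole TOS byte, so DSCP 46 must be entered as 0xb8, not 0x2e. Set tos-mask whenever you set tos, because the mask decides which bits are compared and a mask of 0x00 compares none of them. SD-WAN rules are evaluated top to bottom with the first match winning, so keep the broad negated rule below the specific ones. diagnose sys sdwan service prints each rule's TOS and protocol/port criteria as the FortiGate parsed them, which is the quickest way to confirm the values landed as intended.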
