Support IPv6 application based steering in SD-WAN
This information is also available in the FortiOS 7.4 Administration Guide.
IPv6-based SD-WAN rules allow matching of applications and application categories. The following options are available with set addr-mode ipv6:

config system sdwan
    config service
        edit <id>
            set addr-mode ipv6
            set internet-service enable
            set internet-service-app-ctrl <application-id>
            set internet-service-app-ctrl-group <group-name>
            set internet-service-app-ctrl-category <category-id>
        next
    end
end
Example
In this example, SD-WAN is configured to use an IPv6 service rule to steer traffic from FGT_A to FGT_B based on the following application control options:
- Application Telnet
- An application group for ping
- An application category that includes SSH
When the rule is matched, traffic is steered based on the lowest cost SLA strategy. In this example, vlan100 is the preferred interface, and traffic is routed to vlan100 on FGT_B.
To view the configuration:
- View the SD-WAN configuration on FGT_A:
SD-WAN has four members in the default virtual-wan-link zone, each with an IPv4 and IPv6 gateway. The SD-WAN service rule includes internet-service-app-ctrl 16091 for Telnet, internet-service-app-ctrl-group "network-Ping" for ping, and internet-service-app-ctrl-category 15 for SSH applications.

(sdwan) # show
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "dmz"
            set gateway 172.16.208.2
            set gateway6 2000:172:16:208::2
        next
        edit 2
            set interface "IPSec-1"
        next
        edit 3
            set interface "agg1"
            set gateway 172.16.203.2
            set gateway6 2000:172:16:203::2
        next
        edit 4
            set interface "vlan100"
            set gateway 172.16.206.2
            set gateway6 2000:172:16:206::2
        next
    end
    config health-check
        edit "1"
            set addr-mode ipv6
            set server "2000::2:2:2:2"
            set members 0
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "1"
            set addr-mode ipv6
            set mode sla
            set internet-service enable
            set internet-service-app-ctrl 16091
            set internet-service-app-ctrl-group "network-Ping"
            set internet-service-app-ctrl-category 15
            config sla
                edit "1"
                    set id 1
                next
            end
            set priority-members 4 1 2 3
        next
    end
end
- View the default route for FGT_A:

config router static
    edit 5
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end
- View the firewall policy for FGT_A:
The utm-status option is enabled to learn application 3T (3 tuple) information, and the default application profile g-default is selected.

config firewall policy
    edit 1
        set uuid f09bddc4-def3-51ed-8517-0d8b6bc18f35
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
    next
end
To verify the configuration:
- On FGT_A, check the routing table:
The routing table has ECMP applied to default gateways for each SD-WAN member.

# get router info routing-table static
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 172.16.203.2, agg1, [1/0]
                  [1/0] via 172.16.206.2, vlan100, [1/0]
                  [1/0] via 172.16.208.2, dmz, [1/0]
                  [1/0] via IPSec-1 tunnel 172.16.209.2, [1/0]
- Check the SD-WAN service:
Based on the service rule, member 4 named vlan100 is preferred. Traffic must also match one of the internet services listed under Internet Service(3).

# diagnose system sdwan service
Service(1): Address Mode(IPV6) flags=0x4200 use-shortcut-sla use-shortcut
  Tie break: cfg
  Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members(4):
    1: Seq_num(4 vlan100), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
    2: Seq_num(1 dmz), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
    3: Seq_num(2 IPSec-1), alive, sla(0x1), gid(0), cfg_order(2), local cost(0), selected
    4: Seq_num(3 agg1), alive, sla(0x1), gid(0), cfg_order(3), local cost(0), selected
  Internet Service(3): Telnet(4294837974,0,0,0,0 16091) IPv6.ICMP(4294837087,0,0,0,0 16321) Network.Service(0,15,0,0,0)
- Initiate ping, Telnet, and SSH traffic to FGT_B. FGT_A learns 3T information for these applications and uses the SD-WAN rule to route their traffic to the preferred interface, vlan100.
- Following is the sniffer traffic for the ping application. The ping traffic flows out of dmz before 3T information is recognized, then out of vlan100 after 3T information is recognized:

# diagnose sniffer packet any 'host 2000::2:0:0:4' 4
interfaces=[any]
filters=[host 2000::2:0:0:4]
16.952138 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
16.954571 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
16.954920 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
16.955086 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
17.953277 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
17.953455 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
17.953622 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
17.953722 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
18.959823 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960005 vlan100 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960015 agg1 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960024 port4 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960295 vlan100 in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
18.960449 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
19.983802 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 4 [flowlabel 0x5080d]
- Following is the sniffer traffic for the Telnet application. The Telnet traffic flows out of agg1 before 3T information is recognized, then out of vlan100 after 3T information is recognized:

# diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 23' 4
interfaces=[any]
filters=[host 2000::2:0:0:4 and dst port 23]
4.096393 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265 [flowlabel 0xd4e65]
4.096739 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265 [flowlabel 0xd4e65]
4.096752 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265 [flowlabel 0xd4e65]
.........
5.503679 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
5.503894 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
5.503907 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
5.503918 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
5.504641 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]
5.504713 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]
5.504721 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]
5.504728 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]
- Following is the sniffer traffic for the SSH application category. The SSH traffic flows out of dmz before 3T information is recognized, then out of vlan100 after 3T information is recognized:

# diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 22' 4
interfaces=[any]
filters=[host 2000::2:0:0:4 and dst port 22]
5.910752 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187 [flowlabel 0xf1403]
5.911002 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187 [flowlabel 0xf1403]
5.914550 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244 [flowlabel 0xf1403]
5.914651 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244 [flowlabel 0xf1403]
.....
8.116507 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
8.116663 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
8.116674 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
8.116685 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
8.118135 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]
8.118171 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]
8.118179 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]
8.118189 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]
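Reading the three captures above by eye works for a handful of packets, but on a busy device it is easier to let a script confirm that traffic actually moved to the preferred member once 3T information was learned. The following is an added example, not Fortinet code or part of the original page: it parses verbose (level 4) sniffer lines, keeps only forwarded ("out") packets towards a destination host, and reports the egress interface of each packet and the moment the first packet left through the preferred member. The sample input is a constructed copy of the ping capture trimmed to three echo requests. One assumption is built in: when the sniffer runs on "any", the vlan100/agg1/port4 "out" lines with the same seq and flow label are taken to be one packet reported at each layer of the interface stack, so only the first "out" line per packet is counted as its SD-WAN egress.

```python
import re

# Constructed sample input: the ping capture from this page, trimmed to the
# first three echo requests so the steering change (dmz -> vlan100) is visible.
SAMPLE_CAPTURE = """\
16.952138 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
16.954571 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
16.954920 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
16.955086 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
17.953277 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
17.953455 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
17.953622 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
17.953722 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
18.959823 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960005 vlan100 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960015 agg1 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960024 port4 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960295 vlan100 in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
18.960449 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
"""

# One verbose sniffer line: timestamp, interface, direction, src -> dst: description
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)


def parse_capture(text):
    """Parse sniffer output into dicts, skipping the header and unparseable lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def host_of(endpoint):
    """Strip a trailing '.port' from 'addr.port'; IPv6 addresses contain no dots."""
    return endpoint.rsplit(".", 1)[0]


def egress_sequence(packets, dst_host):
    """Return [(timestamp, interface)] for each forwarded packet towards dst_host.

    Assumption: with 'any' as the sniffer interface, one forwarded packet is
    reported once per layer of the interface stack (vlan100, then agg1, then
    port4 in the captures on this page). Only the first 'out' line names the
    SD-WAN member, so packets are de-duplicated on (src, dst, description)
    and the first occurrence wins.
    """
    seen = set()
    sequence = []
    for p in packets:
        if p["dir"] != "out" or host_of(p["dst"]) != dst_host:
            continue
        key = (p["src"], p["dst"], p["rest"])
        if key in seen:
            continue
        seen.add(key)
        sequence.append((p["ts"], p["iface"]))
    return sequence


def steering_change(sequence, preferred):
    """Return (sorted interfaces used before steering, timestamp of the first
    packet on the preferred member), or None if no packet ever used it."""
    for i, (ts, iface) in enumerate(sequence):
        if iface == preferred:
            before = sorted({ifc for _, ifc in sequence[:i]})
            return before, ts
    return None


if __name__ == "__main__":
    seq = egress_sequence(parse_capture(SAMPLE_CAPTURE), "2000::2:0:0:4")
    for ts, iface in seq:
        print(f"{ts}  egress via {iface}")
    # Expected for the sample: (['dmz'], '18.960005')
    print("steering change:", steering_change(seq, "vlan100"))
```

To use it against a live device, paste the output of diagnose sniffer packet any 'host <dst>' 4 in place of SAMPLE_CAPTURE and pass the preferred member from diagnose system sdwan service (vlan100 in this example). A result of None means no packet was ever steered to the preferred member, which is worth checking before concluding that the application was learned.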
- View the IPv6 application control internet service ID list:

# diagnose system sdwan internet-service-app-ctrl6-list
Telnet(16091 4294837974): 2000::2:0:0:4 6 23 Thu Apr 20 17:43:00 2023
IPv6.ICMP(16321 4294837087): 2000::2:0:0:4 58 0 Thu Apr 20 17:43:00 2023
- View the IPv6 application control internet service ID list by category:

# diagnose system sdwan internet-service-app-ctrl6-category-list
SSH(16060 4294837772): 2000::2:0:0:4 6 22 Thu Apr 20 17:43:00 2023