Fortinet white logo
Fortinet white logo

Administration Guide

Internet service and application control steering

Internet service and application control steering

An application, application group, or application category can be selected as an SD-WAN service rule destination criterion for IPv4 and IPv6 address modes.

To configure from the CLI:

config system sdwan
  config service
    edit <id>
      set internet-service enable
      set internet-service-app-ctrl <app id> [app id]   // basically can be one or more app IDs
      set internet-service-app-ctrl-group <app group> [app group]
      set internet-service-app-ctrl-category <category id> [category id]
    next 
  end 
end

To configure for IPv6 addressing mode from the CLI, enable addr-mode ipv6:

config system sdwan
  config service
    edit <id>
      set addr-mode ipv6
    next
  end
end

To view the detected application category details based on category ID, use diagnose sys sdwan internet-service-app-ctrl-category-list <id>.

This topic includes a GUI and CLI Example for application category and a CLI Example for IPv6.

Example for application category

In this example, traffic steering is applied to traffic detected as video/audio (category ID 5) or email (category ID 21) and applies the lowest cost (SLA) strategy to this traffic. When costs are tied, the priority goes to member 1, dmz.

To configure application categories as an SD-WAN rule destination in the GUI:
  1. Enable the feature visibility:

    1. Go to System > Feature Visibility.

    2. In the Additional Features section, enable Application Detection Based SD-WAN.

    3. Click Apply.

    Note

    To enable GUI visibility of application detection based SD-WAN in the CLI:

    config system global
        set gui-app-detection-sdwan enable
    end
  2. Configure the SD-WAN members:

    1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.

    2. Set the Interface to dmz, and set the Gateway to 172.16.208.2.

    3. Click OK.

    4. Repeat these steps to create another member for the vlan100 interface with gateway 172.16.206.2.

  3. Configure the performance SLA (health check):

    1. Go to Network > SD-WAN, and select the Performance SLAs tab, and click Create New.

    2. Configure the following settings:

      Name

      1

      Protocol

      DNS

      Server

      8.8.8.8

      SLA Target

      Enable

    3. Click OK.

  4. Configure the SD-WAN rule to use the video/audio and email application categories:

    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    2. In the Destination section, click the + in the Application field.

    3. Click Category, and select Video/Audio and Email.

    4. Configure the other settings as needed.

    5. Click OK.

  5. Configure the firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following settings:

      Incoming Interface

      port5

      Outgoing Interface

      virtual-wan-link

      Source

      172.16.205.0

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      Application Control

      g-default

      SSL Inspection

      certificate-inspection

    3. Click OK.

To configure application categories as an SD-WAN rule destination in the CLI:
  1. Configure the SD-WAN settings:
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "vlan100"
                set gateway 172.16.206.2
            next
        end
        config health-check
            edit "1"
                set server "8.8.8.8"
                set protocol dns
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
    end
  2. Configure the SD-WAN rule to use application categories 5 and 21:
    config system sdwan
        config service
            edit 1
                set name "1"
                set mode sla
                set src "172.16.205.0"
                set internet-service enable
                set internet-service-app-ctrl-category 5 21
                config sla
                    edit "1"
                        set id 1
                    next
                end
                set priority-members 1 2
            next
        end
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr 172.16.205.0
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
        next
    end
To test the configuration:
  1. Verify that the traffic is sent over dmz:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=469 last_used=2021-12-15 15:06:05
  2. View some videos and emails on the PC, then verify the detected application details for each category:
    # diagnose sys sdwan internet-service-app-ctrl-category-list 5
    YouTube(31077 4294838537): 142.250.217.110 6 443 Wed Dec 15 15:39:50 2021
    YouTube(31077 4294838537): 173.194.152.89 6 443 Wed Dec 15 15:37:20 2021
    YouTube(31077 4294838537): 173.194.152.170 6 443 Wed Dec 15 15:37:37 2021
    YouTube(31077 4294838537): 209.52.146.205 6 443 Wed Dec 15 15:37:19 2021
    # diagnose sys sdwan internet-service-app-ctrl-category-list 21
    Gmail(15817 4294836957): 172.217.14.197 6 443 Wed Dec 15 15:39:47 2021
  3. Verify that the captured email traffic is sent over dmz:
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591
  4. Edit the SD-WAN rule so that dmz has a higher cost and vlan100 is preferred.
  5. Verify that the traffic is now sent over vlan100:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=635 last_used=2021-12-15 15:55:43
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565

Example for IPv6

In this example, SD-WAN is configured to use an IPv6 service rule to steer traffic from FGT_A to FGT_B based on the following application control options:

  • Application Telnet
  • An application group for ping
  • An application category that includes SSH

When the rule is matched, traffic is steered based on the lowest cost SLA strategy. In this example, vlan100 is the preferred interface, and traffic is routed to vlan100 on FGT_B.

To view the configuration:
  1. View the SD-WAN configuration on FGT_A:

    SD-WAN has four members in the default virtual-wan-link zone, each with an IPv4 and IPv6 gateway. The SD-WAN service rule includes internet-service-app-ctrl 16091 for the Telnet, internet-service-app-ctrl-group "network-Ping" for ping , and internet-service-app-ctrl-category 15 for SSH applications.

    (sdwan) # show
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
                set gateway6 2000:172:16:208::2
            next
            edit 2
                set interface "IPSec-1"
            next
            edit 3
                set interface "agg1"
                set gateway 172.16.203.2
                set gateway6 2000:172:16:203::2
            next
            edit 4
                set interface "vlan100"
                set gateway 172.16.206.2
                set gateway6 2000:172:16:206::2
            next
        end
        config health-check
            edit "1"
                set addr-mode ipv6
                set server "2000::2:2:2:2"
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
        config service
            edit 1
                set name "1"
                set addr-mode ipv6
                set mode sla
                set internet-service enable
                set internet-service-app-ctrl 16091
                set internet-service-app-ctrl-group "network-Ping"
                set internet-service-app-ctrl-category 15
                config sla
                    edit "1"
                        set id 1
                    next
                end
                set priority-members 4 1 2 3
            next
        end
    end
  2. View the default route for FGT_A:

    config router static
        edit 5
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
    end
  3. View the firewall policy for FGT_A:

    The utm-status option is enabled to learn application 3T (3 tuple) information, and the default application profile of g-default is selected.

    config firewall policy
        edit 1
            set uuid f09bddc4-def3-51ed-8517-0d8b6bc18f35
            set srcintf "any"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
        next
    end
To verify the configuration:
  1. On FGT_A, check the routing table:

    The routing table has ECMP applied to default gateways for each SD-WAN member.

    # get router info routing-table  static
    Routing table for VRF=0
    S*      0.0.0.0/0 [1/0] via 172.16.203.2, agg1, [1/0]
                             [1/0] via 172.16.206.2, vlan100, [1/0]
                             [1/0] via 172.16.208.2, dmz, [1/0]
                             [1/0] via IPSec-1 tunnel 172.16.209.2, [1/0]
  2. Check the SD-WAN service:

    Based on the service rule, member 4 named vlan100 is preferred. Traffic must also match the highlighted internet services.

    # diagnose system sdwan service
    
    Service(1): Address Mode(IPV6) flags=0x4200 use-shortcut-sla use-shortcut
     Tie break: cfg
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(4):
        1: Seq_num(4 vlan100), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected 
        2: Seq_num(1 dmz), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
        3: Seq_num(2 IPSec-1), alive, sla(0x1), gid(0), cfg_order(2), local cost(0), selected
        4: Seq_num(3 agg1), alive, sla(0x1), gid(0), cfg_order(3), local cost(0), selected
      Internet Service(3): Telnet(4294837974,0,0,0,0 16091) IPv6.ICMP(4294837087,0,0,0,0 16321) Network.Service(0,15,0,0,0)
  3. Initiate traffic for ping, Telnet, and SSH to FGT_B, then FGT_A will learn 3T information for these applications, and use the SD-WAN rule to route traffic for the applications to the preferred interface of vlan100.

    • Following is the sniffer traffic for ping application. The ping traffic flows out of DMZ before 3T information is recognized, then out from vlan100 after T3 traffic is recognized:

      # diagnose sniffer packet any 'host 2000::2:0:0:4' 4
      interfaces=[any]
      filters=[host 2000::2:0:0:4]
      16.952138 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
      16.954571 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
      16.954920 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
      16.955086 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
      17.953277 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
      17.953455 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
      17.953622 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
      17.953722 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
      18.959823 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960005 vlan100 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960015 agg1 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960024 port4 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960295 vlan100 in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
      18.960449 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
      19.983802 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 4 [flowlabel 0x5080d]
    • Following is the sniffer traffic for Telnet application group. The Telnet traffic flows out of agg1 before 3T information is recognized, then out from vlan100 after T3 traffic is recognized:

      # diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 23' 4 
      interfaces=[any]
      filters=[host 2000::2:0:0:4 and dst port 23]
      4.096393 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265  [flowlabel 0xd4e65]           
      4.096739 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265  [flowlabel 0xd4e65]
      4.096752 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265  [flowlabel 0xd4e65]
      .........
      5.503679 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.503894 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.503907 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.503918 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.504641 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
      5.504713 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
      5.504721 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
      5.504728 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
    • Following is the sniffer traffic for SSH application category. The SSH traffic flows out of dmz before 3T information is recognized, then out from vlan100 after T3 traffic is recognized:

      # diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 22' 4
      interfaces=[any]
      filters=[host 2000::2:0:0:4 and dst port 22]
      5.910752 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187  [flowlabel 0xf1403]
      5.911002 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187  [flowlabel 0xf1403]
      5.914550 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244  [flowlabel 0xf1403]
      5.914651 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244  [flowlabel 0xf1403]
      .....
      8.116507 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.116663 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.116674 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.116685 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.118135 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
      8.118171 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
      8.118179 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
      8.118189 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
  4. View the IPv6 application control internet service ID list:

    # diagnose system sdwan internet-service-app-ctrl6-list
    
    Telnet(16091 4294837974): 2000::2:0:0:4 6 23 Thu Apr 20 17:43:00 2023
    IPv6.ICMP(16321 4294837087): 2000::2:0:0:4 58 0 Thu Apr 20 17:43:00 2023
  5. View the IPv6 application control internet service ID list by category:

    # diagnose system sdwan internet-service-app-ctrl6-category-list
    
    SSH(16060 4294837772): 2000::2:0:0:4 6 22 Thu Apr 20 17:43:00 2023

Internet service and application control steering

Internet service and application control steering

An application, application group, or application category can be selected as an SD-WAN service rule destination criterion for IPv4 and IPv6 address modes.

To configure from the CLI:

config system sdwan
  config service
    edit <id>
      set internet-service enable
      set internet-service-app-ctrl <app id> [app id]   // basically can be one or more app IDs
      set internet-service-app-ctrl-group <app group> [app group]
      set internet-service-app-ctrl-category <category id> [category id]
    next 
  end 
end

To configure for IPv6 addressing mode from the CLI, enable addr-mode ipv6:

config system sdwan
  config service
    edit <id>
      set addr-mode ipv6
    next
  end
end

To view the detected application category details based on category ID, use diagnose sys sdwan internet-service-app-ctrl-category-list <id>.

This topic includes a GUI and CLI Example for application category and a CLI Example for IPv6.

Example for application category

In this example, traffic steering is applied to traffic detected as video/audio (category ID 5) or email (category ID 21) and applies the lowest cost (SLA) strategy to this traffic. When costs are tied, the priority goes to member 1, dmz.

To configure application categories as an SD-WAN rule destination in the GUI:
  1. Enable the feature visibility:

    1. Go to System > Feature Visibility.

    2. In the Additional Features section, enable Application Detection Based SD-WAN.

    3. Click Apply.

    Note

    To enable GUI visibility of application detection based SD-WAN in the CLI:

    config system global
        set gui-app-detection-sdwan enable
    end
  2. Configure the SD-WAN members:

    1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.

    2. Set the Interface to dmz, and set the Gateway to 172.16.208.2.

    3. Click OK.

    4. Repeat these steps to create another member for the vlan100 interface with gateway 172.16.206.2.

  3. Configure the performance SLA (health check):

    1. Go to Network > SD-WAN, and select the Performance SLAs tab, and click Create New.

    2. Configure the following settings:

      Name

      1

      Protocol

      DNS

      Server

      8.8.8.8

      SLA Target

      Enable

    3. Click OK.

  4. Configure the SD-WAN rule to use the video/audio and email application categories:

    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    2. In the Destination section, click the + in the Application field.

    3. Click Category, and select Video/Audio and Email.

    4. Configure the other settings as needed.

    5. Click OK.

  5. Configure the firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following settings:

      Incoming Interface

      port5

      Outgoing Interface

      virtual-wan-link

      Source

      172.16.205.0

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      Application Control

      g-default

      SSL Inspection

      certificate-inspection

    3. Click OK.

To configure application categories as an SD-WAN rule destination in the CLI:
  1. Configure the SD-WAN settings:
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "vlan100"
                set gateway 172.16.206.2
            next
        end
        config health-check
            edit "1"
                set server "8.8.8.8"
                set protocol dns
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
    end
  2. Configure the SD-WAN rule to use application categories 5 and 21:
    config system sdwan
        config service
            edit 1
                set name "1"
                set mode sla
                set src "172.16.205.0"
                set internet-service enable
                set internet-service-app-ctrl-category 5 21
                config sla
                    edit "1"
                        set id 1
                    next
                end
                set priority-members 1 2
            next
        end
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr 172.16.205.0
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
        next
    end
To test the configuration:
  1. Verify that the traffic is sent over dmz:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=469 last_used=2021-12-15 15:06:05
  2. View some videos and emails on the PC, then verify the detected application details for each category:
    # diagnose sys sdwan internet-service-app-ctrl-category-list 5
    YouTube(31077 4294838537): 142.250.217.110 6 443 Wed Dec 15 15:39:50 2021
    YouTube(31077 4294838537): 173.194.152.89 6 443 Wed Dec 15 15:37:20 2021
    YouTube(31077 4294838537): 173.194.152.170 6 443 Wed Dec 15 15:37:37 2021
    YouTube(31077 4294838537): 209.52.146.205 6 443 Wed Dec 15 15:37:19 2021
    # diagnose sys sdwan internet-service-app-ctrl-category-list 21
    Gmail(15817 4294836957): 172.217.14.197 6 443 Wed Dec 15 15:39:47 2021
  3. Verify that the captured email traffic is sent over dmz:
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591
  4. Edit the SD-WAN rule so that dmz has a higher cost and vlan100 is preferred.
  5. Verify that the traffic is now sent over vlan100:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=635 last_used=2021-12-15 15:55:43
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565

Example for IPv6

In this example, SD-WAN is configured to use an IPv6 service rule to steer traffic from FGT_A to FGT_B based on the following application control options:

  • Application Telnet
  • An application group for ping
  • An application category that includes SSH

When the rule is matched, traffic is steered based on the lowest cost SLA strategy. In this example, vlan100 is the preferred interface, and traffic is routed to vlan100 on FGT_B.

To view the configuration:
  1. View the SD-WAN configuration on FGT_A:

    SD-WAN has four members in the default virtual-wan-link zone, each with an IPv4 and IPv6 gateway. The SD-WAN service rule includes internet-service-app-ctrl 16091 for the Telnet, internet-service-app-ctrl-group "network-Ping" for ping , and internet-service-app-ctrl-category 15 for SSH applications.

    (sdwan) # show
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
                set gateway6 2000:172:16:208::2
            next
            edit 2
                set interface "IPSec-1"
            next
            edit 3
                set interface "agg1"
                set gateway 172.16.203.2
                set gateway6 2000:172:16:203::2
            next
            edit 4
                set interface "vlan100"
                set gateway 172.16.206.2
                set gateway6 2000:172:16:206::2
            next
        end
        config health-check
            edit "1"
                set addr-mode ipv6
                set server "2000::2:2:2:2"
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
        config service
            edit 1
                set name "1"
                set addr-mode ipv6
                set mode sla
                set internet-service enable
                set internet-service-app-ctrl 16091
                set internet-service-app-ctrl-group "network-Ping"
                set internet-service-app-ctrl-category 15
                config sla
                    edit "1"
                        set id 1
                    next
                end
                set priority-members 4 1 2 3
            next
        end
    end
  2. View the default route for FGT_A:

    config router static
        edit 5
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
    end
  3. View the firewall policy for FGT_A:

    The utm-status option is enabled to learn application 3T (3 tuple) information, and the default application profile of g-default is selected.

    config firewall policy
        edit 1
            set uuid f09bddc4-def3-51ed-8517-0d8b6bc18f35
            set srcintf "any"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
        next
    end
To verify the configuration:
  1. On FGT_A, check the routing table:

    The routing table has ECMP applied to default gateways for each SD-WAN member.

    # get router info routing-table  static
    Routing table for VRF=0
    S*      0.0.0.0/0 [1/0] via 172.16.203.2, agg1, [1/0]
                             [1/0] via 172.16.206.2, vlan100, [1/0]
                             [1/0] via 172.16.208.2, dmz, [1/0]
                             [1/0] via IPSec-1 tunnel 172.16.209.2, [1/0]
  2. Check the SD-WAN service:

    Based on the service rule, member 4 named vlan100 is preferred. Traffic must also match the highlighted internet services.

    # diagnose system sdwan service
    
    Service(1): Address Mode(IPV6) flags=0x4200 use-shortcut-sla use-shortcut
     Tie break: cfg
      Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(4):
        1: Seq_num(4 vlan100), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected 
        2: Seq_num(1 dmz), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
        3: Seq_num(2 IPSec-1), alive, sla(0x1), gid(0), cfg_order(2), local cost(0), selected
        4: Seq_num(3 agg1), alive, sla(0x1), gid(0), cfg_order(3), local cost(0), selected
      Internet Service(3): Telnet(4294837974,0,0,0,0 16091) IPv6.ICMP(4294837087,0,0,0,0 16321) Network.Service(0,15,0,0,0)
  3. Initiate traffic for ping, Telnet, and SSH to FGT_B, then FGT_A will learn 3T information for these applications, and use the SD-WAN rule to route traffic for the applications to the preferred interface of vlan100.

    • Following is the sniffer traffic for ping application. The ping traffic flows out of DMZ before 3T information is recognized, then out from vlan100 after T3 traffic is recognized:

      # diagnose sniffer packet any 'host 2000::2:0:0:4' 4
      interfaces=[any]
      filters=[host 2000::2:0:0:4]
      16.952138 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
      16.954571 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
      16.954920 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
      16.955086 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
      17.953277 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
      17.953455 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
      17.953622 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
      17.953722 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
      18.959823 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960005 vlan100 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960015 agg1 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960024 port4 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960295 vlan100 in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
      18.960449 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
      19.983802 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 4 [flowlabel 0x5080d]
    • Following is the sniffer traffic for Telnet application group. The Telnet traffic flows out of agg1 before 3T information is recognized, then out from vlan100 after T3 traffic is recognized:

      # diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 23' 4 
      interfaces=[any]
      filters=[host 2000::2:0:0:4 and dst port 23]
      4.096393 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265  [flowlabel 0xd4e65]           
      4.096739 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265  [flowlabel 0xd4e65]
      4.096752 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265  [flowlabel 0xd4e65]
      .........
      5.503679 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.503894 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.503907 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.503918 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389  [flowlabel 0xd4e65]
      5.504641 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
      5.504713 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
      5.504721 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
      5.504728 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390  [flowlabel 0xd4e65]
    • Following is the sniffer traffic for SSH application category. The SSH traffic flows out of dmz before 3T information is recognized, then out from vlan100 after T3 traffic is recognized:

      # diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 22' 4
      interfaces=[any]
      filters=[host 2000::2:0:0:4 and dst port 22]
      5.910752 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187  [flowlabel 0xf1403]
      5.911002 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187  [flowlabel 0xf1403]
      5.914550 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244  [flowlabel 0xf1403]
      5.914651 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244  [flowlabel 0xf1403]
      .....
      8.116507 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.116663 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.116674 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.116685 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554  [class 0x10] [flowlabel 0xf1403]
      8.118135 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
      8.118171 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
      8.118179 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
      8.118189 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598  [class 0x10] [flowlabel 0xf1403]
  4. View the IPv6 application control internet service ID list:

    # diagnose system sdwan internet-service-app-ctrl6-list
    
    Telnet(16091 4294837974): 2000::2:0:0:4 6 23 Thu Apr 20 17:43:00 2023
    IPv6.ICMP(16321 4294837087): 2000::2:0:0:4 58 0 Thu Apr 20 17:43:00 2023
  5. View the IPv6 application control internet service ID list by category:

    # diagnose system sdwan internet-service-app-ctrl6-category-list
    
    SSH(16060 4294837772): 2000::2:0:0:4 6 22 Thu Apr 20 17:43:00 2023