Internet service and application control steering
An application, application group, or application category can be selected as an SD-WAN service rule destination criterion for IPv4 and IPv6 address modes.
To configure from the CLI:
config system sdwan
    config service
        edit <id>
            set internet-service enable
            set internet-service-app-ctrl <app id> [app id]
            set internet-service-app-ctrl-group <app group> [app group]
            set internet-service-app-ctrl-category <category id> [category id]
        next
    end
end
To configure the IPv6 addressing mode from the CLI, enable addr-mode ipv6 on the service rule:

config system sdwan
    config service
        edit <id>
            set addr-mode ipv6
        next
    end
end
To view the detected application details (learned destination IP, protocol, and port) for a category ID, use diagnose sys sdwan internet-service-app-ctrl-list cat-id <cat-id>. For IPv6 entries, use diagnose system sdwan internet-service-app-ctrl6-list and diagnose system sdwan internet-service-app-ctrl6-category-list, shown in the IPv6 example.

This topic includes a GUI and CLI example for an application category and a CLI example for IPv6.
Example for application category
In this example, traffic steering is applied to traffic detected as Video/Audio (category ID 5) or Email (category ID 21), using the Lowest Cost (SLA) strategy. When member costs are tied, the configured priority order decides, so member 1, dmz, is used.
To configure application categories as an SD-WAN rule destination in the GUI:
1. Enable the feature visibility:
   a. Go to System > Feature Visibility.
   b. In the Additional Features section, enable Application Detection Based SD-WAN.
   c. Click Apply.

   To enable GUI visibility of application detection based SD-WAN in the CLI:

   config system global
       set gui-app-detection-sdwan enable
   end

2. Configure the SD-WAN members:
   a. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
   b. Set the Interface to dmz, and set the Gateway to 172.16.208.2.
   c. Click OK.
   d. Repeat these steps to create a second member for the vlan100 interface with gateway 172.16.206.2.

3. Configure the performance SLA (health check):
   a. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.
   b. Configure the following settings:

      Name         1
      Protocol     DNS
      Server       8.8.8.8
      SLA Target   Enable

   c. Click OK.

4. Configure the SD-WAN rule to use the Video/Audio and Email application categories:
   a. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
   b. In the Destination section, click the + in the Application field.
   c. Click Category, and select Video/Audio and Email.
   d. Configure the other settings as needed. This example uses the Lowest Cost (SLA) strategy with performance SLA 1 and the members dmz and vlan100, in that priority order.
   e. Click OK.

5. Configure the firewall policy:
   a. Go to Policy & Objects > Firewall Policy and click Create New.
   b. Configure the following settings:

      Incoming Interface    port5
      Outgoing Interface    virtual-wan-link
      Source                172.16.205.0
      Destination           all
      Schedule              always
      Service               ALL
      Action                ACCEPT
      Application Control   g-default
      SSL Inspection        certificate-inspection

      Application Control (with SSL inspection) must be enabled on the policy: the FortiGate learns an application's 3-tuple (destination IP, protocol, port) from sessions that application control identifies, and the application criteria of the SD-WAN rule only match traffic to destinations learned this way.
   c. Click OK.
To configure application categories as an SD-WAN rule destination in the CLI:
1. Configure the SD-WAN settings:

   config system sdwan
       set status enable
       config zone
           edit "virtual-wan-link"
           next
       end
       config members
           edit 1
               set interface "dmz"
               set gateway 172.16.208.2
           next
           edit 2
               set interface "vlan100"
               set gateway 172.16.206.2
           next
       end
       config health-check
           edit "1"
               set server "8.8.8.8"
               set protocol dns
               set members 0
               config sla
                   edit 1
                   next
               end
           next
       end
   end

2. Configure the SD-WAN rule to use application categories 5 and 21:

   config system sdwan
       config service
           edit 1
               set name "1"
               set mode sla
               set src "172.16.205.0"
               set internet-service enable
               set internet-service-app-ctrl-category 5 21
               config sla
                   edit "1"
                       set id 1
                   next
               end
               set priority-members 1 2
           next
       end
   end

3. Configure the firewall policy:

   config firewall policy
       edit 1
           set srcintf "port5"
           set dstintf "virtual-wan-link"
           set action accept
           set srcaddr 172.16.205.0
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set ssl-ssh-profile "certificate-inspection"
           set application-list "g-default"
       next
   end
To test the configuration:
1. Verify that the traffic is sent over dmz. The policy route lists the members in preference order (vwl_mbr_seq=1 2, so oif dmz comes first) and carries the two category IDs in the internet service field:

   # diagnose firewall proute list
   list route policy info(vf=root):

   id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
   source(1): 172.16.205.0-172.16.205.255
   destination wildcard(1): 0.0.0.0/0.0.0.0
   internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
   hit_count=469 last_used=2021-12-15 15:06:05

2. View some videos and emails on the PC, then verify the detected application details for each category. Each entry shows the application name, its application ID and internet service ID in parentheses, and the learned 3-tuple (destination IP, protocol number, port):

   # diagnose sys sdwan internet-service-app-ctrl-list cat-id 5
   List App Ctrl Database Entry(IPv4) in Kernel:
   Max_App_Ctrl_Size=32768 Num_App_Ctrl_Entry=4
   YouTube(31077 4294838537): IP=142.250.217.110 6 443
   YouTube(31077 4294838537): IP=173.194.152.89 6 443
   YouTube(31077 4294838537): IP=173.194.152.170 6 443
   YouTube(31077 4294838537): IP=209.52.146.205 6 443

   # diagnose sys sdwan internet-service-app-ctrl-list cat-id 21
   List App Ctrl Database Entry(IPv4) in Kernel:
   Max_App_Ctrl_Size=32768 Num_App_Ctrl_Entry=1
   Gmail(15817 4294836957): IP=172.217.14.197 6 443

3. Verify that the captured email traffic is sent over dmz:

   # diagnose sniffer packet any 'host 172.217.14.197' 4
   interfaces=[any]
   filters=[host 172.217.14.197]
   5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591

4. Edit the SD-WAN members so that dmz has a higher cost than vlan100 (cost is configured per member). With the Lowest Cost (SLA) strategy, vlan100 is then preferred.

5. Verify that the traffic is now sent over vlan100. The member order in the policy route is now 2 1, with vlan100 as the first oif:

   # diagnose firewall proute list
   list route policy info(vf=root):

   id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
   source(1): 172.16.205.0-172.16.205.255
   destination wildcard(1): 0.0.0.0/0.0.0.0
   internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
   hit_count=635 last_used=2021-12-15 15:55:43

   # diagnose sniffer packet any 'host 172.217.14.197' 4
   interfaces=[any]
   filters=[host 172.217.14.197]
   304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565
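The three checks in this test procedure (member order in the policy route, learned application entries, and the interface seen in the sniffer) can be run against captured CLI text instead of by eye. The following Python is an added example and is not part of the FortiOS documentation or product. It parses the `diagnose firewall proute list`, `diagnose sys sdwan internet-service-app-ctrl-list cat-id 21` and `diagnose sniffer packet` output copied from the steps above (embedded as sample input) and reports whether every learned destination of the category was captured only on the first member of the policy route. `LAN_IF` (port5, taken from the firewall policy), the function names and the returned structures are this example's own assumptions. Because the page's own capture labels the outbound packet on vlan100 as `in`, the check keys on the interface name rather than on the direction column.

```python
"""Offline check that app-steered traffic left on the SD-WAN rule's preferred member.
Added example, not FortiOS code; the sample text below is copied from this page."""
import re

LAN_IF = "port5"  # assumption: the LAN-side ingress interface of the firewall policy

# `diagnose firewall proute list` before the cost change: member 1 (dmz) first.
PROUTE_BEFORE = """\
list route policy info(vf=root):

id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=469 last_used=2021-12-15 15:06:05
"""
# Same command after dmz was given a higher cost: member 2 (vlan100) first.
PROUTE_AFTER = """\
list route policy info(vf=root):

id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=635 last_used=2021-12-15 15:55:43
"""
# `diagnose sys sdwan internet-service-app-ctrl-list cat-id 21`: learned 3-tuples.
APPCTRL_CAT21 = """\
List App Ctrl Database Entry(IPv4) in Kernel:
Max_App_Ctrl_Size=32768 Num_App_Ctrl_Entry=1
Gmail(15817 4294836957): IP=172.217.14.197 6 443
"""
# `diagnose sniffer packet any 'host 172.217.14.197' 4`, before and after the change.
SNIFF_BEFORE = """\
interfaces=[any]
filters=[host 172.217.14.197]
5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591
"""
SNIFF_AFTER = """\
interfaces=[any]
filters=[host 172.217.14.197]
304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565
"""

_MBR_RE = re.compile(r"vwl_mbr_seq=([\d ]+?)\s+dscp_tag")
_OIF_RE = re.compile(r"oif=\d+\((\S+?)\)")
_ISDB_RE = re.compile(r"\(null\)\((\d+),(\d+),(\d+),(\d+),(\d+)\)")
_LEARNED_RE = re.compile(r"^(\S+)\((\d+) (\d+)\): IP=\s*(\S+) (\d+) (\d+)", re.M)
_SNIFF_RE = re.compile(r"^\s*\d+\.\d+ (\S+) (in|out) (\S+)\.(\d+) -> (\S+)\.(\d+):", re.M)


def parse_proute(text):
    """Member order, egress interfaces (preference order) and app-control category IDs
    of the first policy route. The second field of each (null)(...) tuple is the
    category ID that `set internet-service-app-ctrl-category 5 21` produced."""
    members = [int(m) for m in _MBR_RE.search(text).group(1).split()]
    oifs = _OIF_RE.findall(text)
    categories = [int(t[1]) for t in _ISDB_RE.findall(text)]
    return {"members": members, "oifs": oifs, "categories": categories}


def parse_learned(text):
    """(app, app_id, dst_ip, proto, port) for every learned entry; the second number in
    parentheses is the internet service ID and is dropped here."""
    return [(n, int(a), ip, int(p), int(port))
            for n, a, _isdb, ip, p, port in _LEARNED_RE.findall(text)]


def egress_interfaces(sniffer_text, dst_ip):
    """Non-LAN interfaces on which packets to dst_ip were captured, in first-seen order.
    The page's capture labels the outbound packet on vlan100 as `in`, so the direction
    column is not relied on; any interface other than the LAN side counts as egress."""
    seen = []
    for iface, _direction, _src, _sport, dst, _dport in _SNIFF_RE.findall(sniffer_text):
        if dst == dst_ip and iface != LAN_IF and iface not in seen:
            seen.append(iface)
    return seen


def steering_ok(proute_text, learned_text, sniffer_text):
    """True when every learned destination of the category was captured only on the
    first (preferred) egress interface of the policy route. False when nothing has
    been learned yet, since there is then nothing the rule could have steered."""
    learned = parse_learned(learned_text)
    if not learned:
        return False
    preferred = parse_proute(proute_text)["oifs"][0]
    return all(egress_interfaces(sniffer_text, ip) == [preferred]
               for _app, _aid, ip, _proto, _port in learned)


if __name__ == "__main__":
    print("before cost change:", steering_ok(PROUTE_BEFORE, APPCTRL_CAT21, SNIFF_BEFORE))
    print("after cost change: ", steering_ok(PROUTE_AFTER, APPCTRL_CAT21, SNIFF_AFTER))
```

Run it as-is to see both states report True; feeding the post-change capture to the pre-change policy route returns False, which is the condition this check exists to catch (a member order that changed without the traffic following it, or the other way round).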
Example for IPv6
In this example, SD-WAN is configured to use an IPv6 service rule to steer traffic from FGT_A to FGT_B based on the following application control options:
- The Telnet application
- An application group for ping
- An application category that includes SSH

When the rule is matched, traffic is steered using the Lowest Cost (SLA) strategy. In this example, vlan100 is the preferred interface, and matching traffic is routed out vlan100 to FGT_B.
To view the configuration:
1. View the SD-WAN configuration on FGT_A:

   SD-WAN has four members in the default virtual-wan-link zone. The dmz, agg1, and vlan100 members each have an IPv4 and an IPv6 gateway; IPSec-1 is a tunnel member with no gateway configured. The SD-WAN service rule uses addr-mode ipv6 and includes internet-service-app-ctrl 16091 for the Telnet application, internet-service-app-ctrl-group "network-Ping" for ping, and internet-service-app-ctrl-category 15 for SSH applications.

   (sdwan) # show
   config system sdwan
       set status enable
       config zone
           edit "virtual-wan-link"
           next
       end
       config members
           edit 1
               set interface "dmz"
               set gateway 172.16.208.2
               set gateway6 2000:172:16:208::2
           next
           edit 2
               set interface "IPSec-1"
           next
           edit 3
               set interface "agg1"
               set gateway 172.16.203.2
               set gateway6 2000:172:16:203::2
           next
           edit 4
               set interface "vlan100"
               set gateway 172.16.206.2
               set gateway6 2000:172:16:206::2
           next
       end
       config health-check
           edit "1"
               set addr-mode ipv6
               set server "2000::2:2:2:2"
               set members 0
               config sla
                   edit 1
                   next
               end
           next
       end
       config service
           edit 1
               set name "1"
               set addr-mode ipv6
               set mode sla
               set internet-service enable
               set internet-service-app-ctrl 16091
               set internet-service-app-ctrl-group "network-Ping"
               set internet-service-app-ctrl-category 15
               config sla
                   edit "1"
                       set id 1
                   next
               end
               set priority-members 4 1 2 3
           next
       end
   end

2. View the default route for FGT_A. The static default route points at the SD-WAN zone, so it is resolved through the SD-WAN members:

   config router static
       edit 5
           set distance 1
           set sdwan-zone "virtual-wan-link"
       next
   end

3. View the firewall policy for FGT_A:

   The utm-status option is enabled so that application control (the default g-default profile, with certificate-inspection) can identify applications and learn their 3T (3-tuple) information. Without it, the application criteria in the SD-WAN rule have nothing to match.

   config firewall policy
       edit 1
           set uuid f09bddc4-def3-51ed-8517-0d8b6bc18f35
           set srcintf "any"
           set dstintf "any"
           set action accept
           set srcaddr6 "all"
           set dstaddr6 "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set ssl-ssh-profile "certificate-inspection"
           set application-list "g-default"
       next
   end
To verify the configuration:
1. On FGT_A, check the routing table. The static default route is installed with ECMP across each SD-WAN member's gateway; this is what forwards a flow until its 3T information has been learned:

   # get router info routing-table static
   Routing table for VRF=0
   S*      0.0.0.0/0 [1/0] via 172.16.203.2, agg1, [1/0]
                     [1/0] via 172.16.206.2, vlan100, [1/0]
                     [1/0] via 172.16.208.2, dmz, [1/0]
                     [1/0] via IPSec-1 tunnel 172.16.209.2, [1/0]

2. Check the SD-WAN service. Based on the service rule, member 4 (vlan100) is listed first and is preferred; all four members are alive and within SLA, so the configured order (Tie break: cfg) decides. Traffic must also match one of the three internet service entries: Telnet (application ID 16091), IPv6.ICMP (application ID 16321, from the network-Ping group), or the category 15 entry (Network.Service):

   # diagnose system sdwan service
   Service(1): Address Mode(IPV6) flags=0x4200 use-shortcut-sla use-shortcut
     Tie break: cfg
     Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
     Members(4):
       1: Seq_num(4 vlan100), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
       2: Seq_num(1 dmz), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
       3: Seq_num(2 IPSec-1), alive, sla(0x1), gid(0), cfg_order(2), local cost(0), selected
       4: Seq_num(3 agg1), alive, sla(0x1), gid(0), cfg_order(3), local cost(0), selected
     Internet Service(3): Telnet(4294837974,0,0,0,0 16091) IPv6.ICMP(4294837087,0,0,0,0 16321) Network.Service(0,15,0,0,0)

3. Initiate ping, Telnet, and SSH traffic to FGT_B. FGT_A learns the 3T information for these applications and then uses the SD-WAN rule to route their traffic to the preferred interface, vlan100. Until the 3T entry exists, the packets of a new flow are forwarded by the ECMP default route rather than by the rule, which is why each capture below starts on a different member.

   a. Sniffer output for the ping application group. The ping traffic goes out dmz before the 3T information is learned, then out vlan100 once it is learned (the same packet also appears on agg1 and port4, which carry the vlan100 interface):

      # diagnose sniffer packet any 'host 2000::2:0:0:4' 4
      interfaces=[any]
      filters=[host 2000::2:0:0:4]
      16.952138 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
      16.954571 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
      16.954920 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
      16.955086 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 1
      17.953277 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
      17.953455 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
      17.953622 dmz in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
      17.953722 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 2
      18.959823 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960005 vlan100 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960015 agg1 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960024 port4 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
      18.960295 vlan100 in 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
      18.960449 port5 out 2000::2:0:0:4 -> 2000:172:16:205::100: icmp6: echo reply seq 3
      19.983802 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 4 [flowlabel 0x5080d]

   b. Sniffer output for the Telnet application. The Telnet traffic goes out agg1 before the 3T information is learned, then out vlan100 once it is learned:

      # diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 23' 4
      interfaces=[any]
      filters=[host 2000::2:0:0:4 and dst port 23]
      4.096393 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265 [flowlabel 0xd4e65]
      4.096739 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265 [flowlabel 0xd4e65]
      4.096752 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: syn 2723132265 [flowlabel 0xd4e65]
      .........
      5.503679 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
      5.503894 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
      5.503907 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
      5.503918 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: psh 2723132345 ack 544895389 [flowlabel 0xd4e65]
      5.504641 port5 in 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]
      5.504713 vlan100 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]
      5.504721 agg1 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]
      5.504728 port4 out 2000:172:16:205::100.43128 -> 2000::2:0:0:4.23: ack 544895390 [flowlabel 0xd4e65]

   c. Sniffer output for the SSH application category. The SSH traffic goes out dmz before the 3T information is learned, then out vlan100 once it is learned:

      # diagnose sniffer packet any 'host 2000::2:0:0:4 and dst port 22' 4
      interfaces=[any]
      filters=[host 2000::2:0:0:4 and dst port 22]
      5.910752 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187 [flowlabel 0xf1403]
      5.911002 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: syn 980547187 [flowlabel 0xf1403]
      5.914550 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244 [flowlabel 0xf1403]
      5.914651 dmz out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583860244 [flowlabel 0xf1403]
      .....
      8.116507 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
      8.116663 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
      8.116674 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
      8.116685 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: psh 980549261 ack 583862554 [class 0x10] [flowlabel 0xf1403]
      8.118135 port5 in 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]
      8.118171 vlan100 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]
      8.118179 agg1 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]
      8.118189 port4 out 2000:172:16:205::100.35146 -> 2000::2:0:0:4.22: ack 583862598 [class 0x10] [flowlabel 0xf1403]

4. View the IPv6 application control internet service ID list. Each entry shows the application name, its application ID and internet service ID in parentheses, the learned destination address, protocol number, and port, and the time it was learned:

   # diagnose system sdwan internet-service-app-ctrl6-list
   Telnet(16091 4294837974): 2000::2:0:0:4 6 23 Thu Apr 20 17:43:00 2023
   IPv6.ICMP(16321 4294837087): 2000::2:0:0:4 58 0 Thu Apr 20 17:43:00 2023

5. View the IPv6 application control internet service ID list by category. SSH appears here because it was matched through category 15 rather than by application ID:

   # diagnose system sdwan internet-service-app-ctrl6-category-list
   SSH(16060 4294837772): 2000::2:0:0:4 6 22 Thu Apr 20 17:43:00 2023
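The verification above reads the member order and the rule's criteria from `diagnose system sdwan service` and then locates, in the ping capture, the packet at which forwarding moved from the ECMP-chosen member to the preferred member. The following Python does the same from captured CLI text; it is an added example and is not part of the FortiOS documentation or product. The `diagnose system sdwan service` output and the echo-request lines of the ping capture are copied from this page as sample input; `LAN_IF`, the function names, the returned dictionaries and the reading of the first `out` line per packet as the SD-WAN member (the capture shows the same packet on vlan100, agg1 and port4) are this example's own assumptions.

```python
"""Read FGT_A's IPv6 steering state from captured CLI text and find the echo request at
which forwarding moved from the ECMP path to the preferred SD-WAN member.
Added example, not FortiOS code; the sample text below is copied from this page."""
import re

LAN_IF = "port5"  # assumption: the interface the client's traffic enters on

# `diagnose system sdwan service` on FGT_A.
SERVICE_OUT = """\
Service(1): Address Mode(IPV6) flags=0x4200 use-shortcut-sla use-shortcut
  Tie break: cfg
  Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members(4):
    1: Seq_num(4 vlan100), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
    2: Seq_num(1 dmz), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
    3: Seq_num(2 IPSec-1), alive, sla(0x1), gid(0), cfg_order(2), local cost(0), selected
    4: Seq_num(3 agg1), alive, sla(0x1), gid(0), cfg_order(3), local cost(0), selected
  Internet Service(3): Telnet(4294837974,0,0,0,0 16091) IPv6.ICMP(4294837087,0,0,0,0 16321) Network.Service(0,15,0,0,0)
"""
# Echo-request lines of `diagnose sniffer packet any 'host 2000::2:0:0:4' 4` (replies omitted).
PING_CAPTURE = """\
16.952138 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
16.954571 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 1 [flowlabel 0x5080d]
17.953277 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
17.953455 dmz out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 2 [flowlabel 0x5080d]
18.959823 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960005 vlan100 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960015 agg1 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
18.960024 port4 out 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 3 [flowlabel 0x5080d]
19.983802 port5 in 2000:172:16:205::100 -> 2000::2:0:0:4: icmp6: echo request seq 4 [flowlabel 0x5080d]
"""

_MEMBER_RE = re.compile(r"^\s*\d+: Seq_num\((\d+) (\S+)\), (\w+), sla\(0x([0-9a-f]+)\)")
# name(isdb_id,category,..,..,.. [app_id]); the trailing app_id appears for application
# and application-group entries, the category entry has none
_SERVICE_RE = re.compile(r"(\S+?)\((\d+),(\d+),\d+,\d+,\d+(?: (\d+))?\)")
_ECHO_RE = re.compile(r"^\s*\d+\.\d+ (\S+) (in|out) \S+ -> \S+: icmp6: echo request seq (\d+)", re.M)


def parse_service(text):
    """Members in the service's evaluation order, and the rule's internet service entries."""
    members, services = [], []
    for line in text.splitlines():
        m = _MEMBER_RE.match(line)
        if m:
            seq, name, state, sla = m.groups()
            members.append({"seq": int(seq), "name": name, "alive": state == "alive",
                            "sla_ok": int(sla, 16) != 0,
                            "selected": line.rstrip().endswith("selected")})
        elif line.strip().startswith("Internet Service("):
            for name, isdb, cat, app in _SERVICE_RE.findall(line):
                services.append({"name": name, "isdb_id": int(isdb), "category": int(cat),
                                 "app_id": int(app) if app else None})
    return members, services


def preferred_member(members):
    """First member, in the listed order, that is alive, within SLA and selected."""
    for m in members:
        if m["alive"] and m["sla_ok"] and m["selected"]:
            return m["name"]
    return None


def egress_per_echo(capture, lan_if=LAN_IF):
    """seq -> first non-LAN interface each echo request went out on. One packet shows up
    on vlan100, agg1 and port4 (stacked interfaces), so only the first `out` line,
    taken as the SD-WAN member, is kept; a request with no `out` line is not recorded."""
    out = {}
    for iface, direction, seq in _ECHO_RE.findall(capture):
        if direction == "out" and iface != lan_if and int(seq) not in out:
            out[int(seq)] = iface
    return out


def first_steered_seq(capture, members):
    """Sequence number of the first echo request forwarded on the preferred member, i.e.
    the point after which the 3T entry for the ping had been learned; None if never."""
    pref = preferred_member(members)
    for seq, iface in sorted(egress_per_echo(capture).items()):
        if iface == pref:
            return seq
    return None


if __name__ == "__main__":
    members, services = parse_service(SERVICE_OUT)
    print("preferred:", preferred_member(members), "criteria:", [s["name"] for s in services])
    print("per-echo egress:", egress_per_echo(PING_CAPTURE))
    print("steered from echo request seq", first_steered_seq(PING_CAPTURE, members))
```

On the page's capture the result is seq 3: requests 1 and 2 left on dmz via the ECMP default route, and request 3 is the first one the rule steered to vlan100. A result of None against a fresh capture means the application was never learned, which points back at the firewall policy (application control and utm-status) rather than at the SD-WAN rule.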