Allow application category as an option for SD-WAN rule destination
An application category can be selected as an SD-WAN service rule destination criterion. Previously, only application groups or individual applications could be selected.
config system sdwan
    config service
        edit <id>
            set internet-service enable
            set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n>
        next
    end
end
To view the details of the detected applications for a given category ID, use diagnose sys sdwan internet-service-app-ctrl-category-list <id>.
Example
In this example, traffic steering is applied to traffic detected as video/audio (category ID 5) or email (category ID 21) and applies the lowest cost (SLA) strategy to this traffic. When costs are tied, the priority goes to member 1, dmz.
To configure application categories as an SD-WAN rule destination in the CLI:
- Configure the SD-WAN settings:
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "vlan100"
                set gateway 172.16.206.2
            next
        end
        config health-check
            edit "1"
                set server "8.8.8.8"
                set protocol dns
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
    end
- Configure the SD-WAN rule to use application categories 5 and 21:
    config system sdwan
        config service
            edit 1
                set name "1"
                set mode sla
                set src "172.16.205.0"
                set internet-service enable
                set internet-service-app-ctrl-category 5 21
                config sla
                    edit "1"
                        set id 1
                    next
                end
                set priority-members 1 2
            next
        end
    end
- Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr 172.16.205.0
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set application-list "g-default"
        next
    end
- Verify that the traffic is sent over dmz:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535
    path(2) oif=5(dmz) oif=95(vlan100)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=469 last_used=2021-12-15 15:06:05
- View some videos and emails on the PC, then verify the detected application details for each category:
    # diagnose sys sdwan internet-service-app-ctrl-category-list 5
    YouTube(31077 4294838537): 142.250.217.110 6 443 Wed Dec 15 15:39:50 2021
    YouTube(31077 4294838537): 173.194.152.89 6 443 Wed Dec 15 15:37:20 2021
    YouTube(31077 4294838537): 173.194.152.170 6 443 Wed Dec 15 15:37:37 2021
    YouTube(31077 4294838537): 209.52.146.205 6 443 Wed Dec 15 15:37:19 2021

    # diagnose sys sdwan internet-service-app-ctrl-category-list 21
    Gmail(15817 4294836957): 172.217.14.197 6 443 Wed Dec 15 15:39:47 2021
- Verify that the captured email traffic is sent over dmz:
    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591
- Edit the SD-WAN rule so that dmz has a higher cost and vlan100 is preferred.
- Verify that the traffic is now sent over vlan100:
    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535
    path(2) oif=95(vlan100) oif=5(dmz)
    source(1): 172.16.205.0-172.16.205.255
    destination wildcard(1): 0.0.0.0/0.0.0.0
    internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
    hit_count=635 last_used=2021-12-15 15:55:43

    # diagnose sniffer packet any 'host 172.217.14.197' 4
    interfaces=[any]
    filters=[host 172.217.14.197]
    304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565
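The two verification steps above read the preferred member and the matched categories out of `diagnose firewall proute list`, and the per-category detections out of `diagnose sys sdwan internet-service-app-ctrl-category-list`. The following Python parser automates both checks; it is an added example for this page, not Fortinet code. It assumes the output layout shown above (the samples are constructed from the page's own output), and it reads the second field of each `(null)(...)` tuple as the application control category ID, which is inferred from the page's output rather than documented here.

```python
"""Parse FortiOS 'diagnose firewall proute list' and
'diagnose sys sdwan internet-service-app-ctrl-category-list' output so the
SD-WAN steering result can be checked automatically.
Added example, not Fortinet code; samples constructed from the page's output."""
import re
from typing import Dict, List

# Constructed sample: the proute output with dmz (member 1) preferred.
PROUTE_DMZ_FIRST = """\
# diagnose firewall proute list
list route policy info(vf=root):
id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535
path(2) oif=5(dmz) oif=95(vlan100)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=469 last_used=2021-12-15 15:06:05
"""

# Constructed sample: the same rule after vlan100 (member 2) became preferred.
PROUTE_VLAN100_FIRST = """\
# diagnose firewall proute list
list route policy info(vf=root):
id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535
path(2) oif=95(vlan100) oif=5(dmz)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=635 last_used=2021-12-15 15:55:43
"""

# Constructed sample: detected applications for category 5 (video/audio).
CATEGORY_5_LIST = """\
# diagnose sys sdwan internet-service-app-ctrl-category-list 5
YouTube(31077 4294838537): 142.250.217.110 6 443 Wed Dec 15 15:39:50 2021
YouTube(31077 4294838537): 173.194.152.89 6 443 Wed Dec 15 15:37:20 2021
"""

ROUTE_HEADER = re.compile(
    r"id=(\d+)\(0x[0-9a-f]+\)\s+vwl_service=(\d+)\(\d+\)\s+vwl_mbr_seq=([\d ]+?)\s+dscp_tag")
OIF = re.compile(r"oif=\d+\(([^)]+)\)")
# Each internet-service tuple is (null)(id,category,...); the second field is
# assumed (from the page's output) to be the app-ctrl category ID.
APP_CATEGORY = re.compile(r"\(null\)\(\d+,(\d+),")
CATEGORY_ENTRY = re.compile(r"^(\S+)\((\d+) (\d+)\): (\d+\.\d+\.\d+\.\d+) (\d+) (\d+) (.+)$")


def parse_proute(text: str) -> List[Dict]:
    """One dict per policy route: member order, output interfaces in
    preference order, matched app-ctrl categories, and the hit counter."""
    routes: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_HEADER.match(line)
        if m:
            current = {"id": int(m.group(1)), "service": int(m.group(2)),
                       "member_seq": [int(x) for x in m.group(3).split()],
                       "oifs": [], "categories": [], "hit_count": 0}
            routes.append(current)
        elif current is None:
            continue  # banner lines before the first route
        elif line.startswith("path("):
            current["oifs"] = OIF.findall(line)
        elif line.startswith("internet service("):
            current["categories"] = [int(c) for c in APP_CATEGORY.findall(line)]
        elif line.startswith("hit_count="):
            current["hit_count"] = int(re.search(r"hit_count=(\d+)", line).group(1))
    return routes


def preferred_member(route: Dict) -> str:
    """The first oif in the path list is the member the rule currently uses."""
    return route["oifs"][0]


def check_steering(text: str, categories: List[int], expected_oif: str) -> bool:
    """True if the route matching all given categories sends traffic out of
    expected_oif; False if no such route exists or another member wins."""
    for route in parse_proute(text):
        if set(categories) <= set(route["categories"]):
            return preferred_member(route) == expected_oif
    return False


def parse_category_list(text: str) -> List[Dict]:
    """Parse the per-category detected application list into app name,
    application ID, destination IP, IP protocol number, port and timestamp."""
    entries = []
    for raw in text.splitlines():
        m = CATEGORY_ENTRY.match(raw.strip())
        if m:
            entries.append({"app": m.group(1), "app_id": int(m.group(2)),
                            "dst_ip": m.group(4), "protocol": int(m.group(5)),
                            "port": int(m.group(6)), "last_seen": m.group(7)})
    return entries


if __name__ == "__main__":
    for label, sample in (("before", PROUTE_DMZ_FIRST), ("after", PROUTE_VLAN100_FIRST)):
        for r in parse_proute(sample):
            print(f"{label}: service {r['service']} categories {r['categories']} "
                  f"-> {preferred_member(r)} (hits={r['hit_count']})")
    for e in parse_category_list(CATEGORY_5_LIST):
        print(f"category 5: {e['app']} {e['dst_ip']}:{e['port']} proto {e['protocol']}")
```

Feed `check_steering` the live `diagnose firewall proute list` output (for example, collected over SSH by a monitoring job) together with the category IDs from the rule and the member you expect to win; a False result flags that the SLA decision no longer matches the intended path. Comparing `hit_count` between two runs also shows whether the rule is actually being hit.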
To configure application categories as an SD-WAN rule destination in the GUI:
This functionality is available in FortiOS 7.2.1 and later. Prior to 7.2.1, individual applications can be selected in SD-WAN rules by default. After upgrading to 7.2.1 or later, the GUI functionality is available if applications were already configured in SD-WAN rules before the upgrade. Otherwise, by default, individual applications and application groups cannot be selected in SD-WAN rules. To enable this functionality, see step 1 in the following procedure.
1. Enable the feature visibility:
    a. Go to System > Feature Visibility.
    b. In the Additional Features section, enable Application Detection Based SD-WAN.
    c. Click Apply.

    To enable GUI visibility of application detection based SD-WAN in the CLI:

        config system global
            set gui-app-detection-sdwan enable
        end

2. Configure the SD-WAN members:
    a. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
    b. Set the Interface to dmz, and set the Gateway to 172.16.208.2.
    c. Click OK.
    d. Repeat these steps to create another member for the vlan100 interface with gateway 172.16.206.2.

3. Configure the performance SLA (health check):
    a. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.
    b. Configure the following settings:
        Name: 1
        Protocol: DNS
        Server: 8.8.8.8
        SLA Target: Enable
    c. Click OK.

4. Configure the SD-WAN rule to use the video/audio and email application categories:
    a. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
    b. In the Destination section, click the + in the Application field.
    c. Click Category, and select Video/Audio and Email.
    d. Configure the other settings as needed.
    e. Click OK.

5. Configure the firewall policy:
    a. Go to Policy & Objects > Firewall Policy and click Create New.
    b. Configure the following settings:
        Incoming Interface: port5
        Outgoing Interface: virtual-wan-link
        Source: 172.16.205.0
        Destination: all
        Schedule: always
        Service: ALL
        Action: ACCEPT
        Application Control: g-default
        SSL Inspection: certificate-inspection
    c. Click OK.