Technical Tip: How FortiGate matches traffic to an application-based SD-WAN rule
| Description | This article describes how FortiGate matches traffic to an application-based SD-WAN rule. |
| Scope | All FortiGate models and firmware versions that support application-based SD-WAN rules. |
| Solution | Consider that SD-WAN rule 4 is configured for application PING to go out of wan2, but the traffic uses SD-WAN rule 1 instead. |

The relevant configuration (rule 4 is listed before rule 1, so it is evaluated first):

```
config system sdwan
    config service
        edit 4
            set name "PING"
            set src "all"
            set internet-service enable
            set internet-service-app-ctrl 24466    <----- PING application.
            set priority-members 2                 <----- wan2.
        next
        edit 1
            set name "Internet"
            set mode sla
            set dst "all"
            set src "all"
            config sla
                edit "Google"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
end
```

Below is the order in which FortiGate consults its lists when matching traffic to an application-based SD-WAN rule, with the diagnose command that shows each list:

1. Custom internet service list (checked first):

```
diagnose firewall internet-service-custom list
```

2. Application control list (checked second). In this example it already contains the learned PING entry for 4.2.2.2:

```
diagnose sys sdwan internet-service-app-ctrl-list
Ping(24466 4294837724): 4.2.2.2 1 0 Wed Aug 3 11:14:07 2022
```

3. Internet Service Database (ISDB) from FortiGuard (last resort).

The reason behind this order is that the 'internet service custom list' is configured locally and statically, so it has the highest match priority. The 'application control list' is a locally built dynamic list and has second priority, and the 'ISDB' is downloaded from FortiGuard, so it is the last resort.

In this example, since PING is also configured as a custom internet service, the custom list wins the classification and FortiGate will not match SD-WAN rule 4, which is configured to match application PING; the traffic falls through to rule 1. To use SD-WAN rule 4, delete the custom internet service for PING.

For more information on application steering using SD-WAN, refer to Application steering using SD-WAN rules in the FortiGate 7.2.0 administration guide.
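The precedence above can be reproduced with a small model so the effect of the custom entry is easy to see. This is an added example, not FortiGate code: the three lists, the destination 4.2.2.2 mapping, and the `classify`/`select_rule` helpers are constructed here, and the model keys each list by destination IP purely for illustration.

```python
# Added model of the article's matching order (not FortiGate code).
# A flow is classified against three sources in a fixed order: the custom
# internet service list (static, local), the application control list
# (dynamic, local), then the FortiGuard ISDB (remote). The first source that
# knows the destination wins, and only that classification is compared
# against the SD-WAN rules' match criteria.

# Constructed sample data: 4.2.2.2 is present both as a custom internet
# service and as learned application 24466 (PING) in the app-ctrl list.
CUSTOM_ISDB = {"4.2.2.2": "PING-custom"}      # locally, statically configured
APP_CTRL_LIST = {"4.2.2.2": 24466}            # learned, as in the diagnose output
FORTIGUARD_ISDB = {"8.8.8.8": "Google-DNS"}   # remote, last resort

# SD-WAN rules in the order they appear in the config (rule 4 before rule 1).
RULES = [
    {"id": 4, "name": "PING", "app_ctrl": 24466, "members": [2]},
    {"id": 1, "name": "Internet", "dst": "all", "members": [2, 1]},
]


def classify(dst_ip, custom=CUSTOM_ISDB, app_ctrl=APP_CTRL_LIST, isdb=FORTIGUARD_ISDB):
    """Return (source, value) from the first list that knows dst_ip."""
    for source, table in (("custom", custom), ("app-ctrl", app_ctrl), ("isdb", isdb)):
        if dst_ip in table:
            return source, table[dst_ip]
    return None, None


def rule_matches(rule, source, value):
    """A rule can only match on the classification that won the precedence check."""
    if "app_ctrl" in rule:
        # An internet-service-app-ctrl rule needs the app-ctrl list to have won.
        return source == "app-ctrl" and value == rule["app_ctrl"]
    return rule.get("dst") == "all"  # catch-all rule


def select_rule(dst_ip, custom=CUSTOM_ISDB, app_ctrl=APP_CTRL_LIST, isdb=FORTIGUARD_ISDB):
    """Return the ID of the first SD-WAN rule that matches, or None."""
    source, value = classify(dst_ip, custom, app_ctrl, isdb)
    for rule in RULES:
        if rule_matches(rule, source, value):
            return rule["id"]
    return None


if __name__ == "__main__":
    print("with custom entry:   rule", select_rule("4.2.2.2"))   # rule 1 wins
    print("custom entry removed: rule", select_rule("4.2.2.2", custom={}))  # rule 4 wins
```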
