Technical Tip: SD-WAN application control traffic initially hits the less specific rule instead of the rule with application control
| Description | This article describes the case where an SD-WAN rule with application control is configured to catch a specific application (e.g. '45553' Microsoft.Outlook.Office.365 in rule 1 below) and is followed by a less specific rule that catches all other traffic (e.g. dst 'all' in rule 2 below). |
| Scope | FortiGate. |
| Solution | In theory, traffic of application 'Microsoft.Outlook.Office.365' should follow rule 1. However, the traffic log may show that some of this traffic also matches the less specific rule 2 ('dst all').
This happens because the FortiGate first has to learn the application. Applications are identified by the IPS engine, which implies:
Before the application is learned, traffic follows rule 2. Once the application has been learned (through the application control profile configured in the firewall policy), SD-WAN can recognize the application and steer it with rule 1.
In other words, until the application is learned, initial traffic may hit the less specific SD-WAN rule '2' instead of rule '1' (the rule with application control).
```
config system sdwan
    config service
        edit 1
            set name "rule-app-ctrl"
            set src "all"
            set internet-service enable
            set internet-service-app-ctrl 45553    <- Application 'Microsoft.Outlook.Office.365'.
            set priority-members 1
        next
        edit 2
            set name "rule-all"
            set mode priority
            set dst "all"
            set src "all"
            set health-check "Default_DNS"
            set priority-members 2
        next
    end
end
```
```
config firewall policy
    edit 1
        set name "firewall-rule-1"
        set srcintf "port2"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
```
The following command can be used to check the application control cache learned by SD-WAN.
```
diagnose sys sdwan internet-service-app-ctrl-list
…
Microsoft.Outlook.Office.365(45553 4294837323): 40.99.10.98 6 443 Tue Feb 22 11:50:55 2022
```
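When troubleshooting, the useful question is not just "did some Outlook traffic hit rule 2?" but "did it hit rule 2 before or after SD-WAN learned that destination?". A hit before the learn time is the expected behaviour described above; a hit after it is worth a closer look. The following script is an added example and is not part of the original article: it parses the cache output shown above and FortiOS-style key=value traffic log lines, then sorts catch-all hits into the two buckets. The meaning of the cache fields (app name, app ID, internal ID, destination IP, protocol, port, learn time) and the log field names (`vwlid`, `vwlname`, `appid`, `app`) are assumptions; the sample output and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of 'diagnose sys sdwan internet-service-app-ctrl-list' output,
# modelled on the entry in the article. Assumed field layout:
#   name(app-id internal-id): dst-ip protocol port learn-time
CACHE_OUTPUT = """\
diagnose sys sdwan internet-service-app-ctrl-list
Microsoft.Outlook.Office.365(45553 4294837323): 40.99.10.98 6 443 Tue Feb 22 11:50:55 2022
Microsoft.Outlook.Office.365(45553 4294837323): 52.96.0.1 6 443 Tue Feb 22 11:52:10 2022
"""

# Constructed traffic-log lines in FortiOS key=value style. The SD-WAN rule fields
# (vwlid/vwlname) and appid/app are assumed names; verify them against a real log.
TRAFFIC_LOG = """\
date=2022-02-22 time=11:50:50 dstip=40.99.10.98 dstport=443 proto=6 policyid=1 appid=45553 app="Microsoft.Outlook.Office.365" vwlid=2 vwlname="rule-all"
date=2022-02-22 time=11:51:20 dstip=40.99.10.98 dstport=443 proto=6 policyid=1 appid=45553 app="Microsoft.Outlook.Office.365" vwlid=1 vwlname="rule-app-ctrl"
date=2022-02-22 time=11:55:02 dstip=52.96.0.1 dstport=443 proto=6 policyid=1 appid=45553 app="Microsoft.Outlook.Office.365" vwlid=2 vwlname="rule-all"
"""

CACHE_RE = re.compile(
    r"^(?P<name>\S+)\((?P<app_id>\d+)\s+\d+\):\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>\d+)\s+(?P<port>\d+)\s+(?P<learned>.+)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class CacheEntry:
    name: str
    app_id: int
    dst: str
    proto: int
    port: int
    learned_at: datetime


def parse_app_ctrl_cache(text: str) -> List[CacheEntry]:
    """Parse the app-ctrl cache listing; non-entry lines (command echo, '…') are skipped."""
    entries = []
    for line in text.splitlines():
        m = CACHE_RE.match(line.strip())
        if not m:
            continue
        entries.append(CacheEntry(
            m["name"], int(m["app_id"]), m["dst"], int(m["proto"]), int(m["port"]),
            datetime.strptime(m["learned"].strip(), "%a %b %d %H:%M:%S %Y")))
    return entries


def parse_traffic_log(text: str) -> List[Dict[str, str]]:
    """Turn key=value log lines into dicts, stripping the quotes around values."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if line.strip()]


def classify_catch_all_hits(cache: List[CacheEntry], logs: List[Dict[str, str]],
                            app_id: int, catch_all_rule_id: int) -> Dict[str, List[Tuple[str, str]]]:
    """Split sessions of app_id that hit the catch-all SD-WAN rule by learn time.

    pre_learning: destination not yet in the cache when the session started (expected).
    post_learning: destination was already learned, so rule selection deserves a look.
    """
    learned = {(e.dst, e.port, e.proto): e.learned_at for e in cache if e.app_id == app_id}
    result: Dict[str, List[Tuple[str, str]]] = {"pre_learning": [], "post_learning": []}
    for rec in logs:
        if int(rec.get("appid", -1)) != app_id or int(rec.get("vwlid", -1)) != catch_all_rule_id:
            continue
        when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        learned_at = learned.get((rec["dstip"], int(rec["dstport"]), int(rec["proto"])))
        bucket = "post_learning" if learned_at is not None and when > learned_at else "pre_learning"
        result[bucket].append((rec["dstip"], rec["time"]))
    return result


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Run the classification over the constructed samples (app 45553, catch-all rule 2)."""
    return classify_catch_all_hits(parse_app_ctrl_cache(CACHE_OUTPUT),
                                   parse_traffic_log(TRAFFIC_LOG), 45553, 2)


if __name__ == "__main__":
    for bucket, hits in demo().items():
        print(bucket, hits)
```

On the constructed data the first session to 40.99.10.98 (11:50:50) predates the learn time (11:50:55) and is the expected learning hit, while the 11:55:02 session to 52.96.0.1 lands on the catch-all rule almost three minutes after that destination was learned and is reported separately.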
An Application Control profile is required on the firewall policy that the traffic initially matches. This is especially relevant if the traffic would first match a different SD-WAN zone before the application is detected: ensure that the firewall policy the traffic matches first also has Application Control enabled.
Consider the case where there are 2 default routes via 2 SD-WAN zones. In this example, all traffic should egress via wan1, except for Microsoft Outlook traffic, which should use wan2. An SD-WAN rule is configured with application steering to route this traffic via wan2.
```
Routing table for VRF=0
Known via "static", distance 1, metric 0, best
  * vrf 0 10.128.202.1, via wan1, origin 2
  * vrf 0 192.168.4.99, via wan2, origin 2
```
```
config system sdwan
    config members
        edit 2
            set interface "wan2"
            set zone "WAN2-Zone"
            set gateway 192.168.4.99
        next
        edit 1
            set interface "wan1"
        next
    end
    config service
        edit 2
            set name "App-Steering"
        next
        edit 1
            set name "Catch-all"
        next
    end
end
config firewall policy
    edit 1
        set name "wan2-zone"
        set srcintf "internal1"
        set utm-status enable
    next
    edit 2
        set name "wan1-zone"
        set srcintf "internal1"
        set utm-status enable
    next
end
```
With the configuration above, the application steering SD-WAN rule is never applied: the first packet is routed via wan1, where it matches the catch-all SD-WAN rule and firewall policy 'wan1-zone', which has no Application Control profile. Because the Microsoft.Outlook signature is never detected on that path, the 'App-Steering' rule cannot be triggered. Adding an application list to the policy that the traffic matches first resolves this:
```
config firewall policy
    edit 2
        set name "wan1-zone"
        set application-list "default"
    next
end
```
|
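The two requirements spelled out above (the policy the traffic matches first must have `utm-status enable` and an `application-list`, otherwise SD-WAN rules that use `internet-service-app-ctrl` can never trigger) are easy to check offline against a configuration backup. The script below is an added example and is not FortiGate or Fortinet code: it contains a small parser for the nested `config` / `edit` / `set` / `next` / `end` CLI syntax, and an audit that lists every firewall policy lacking application control whenever at least one SD-WAN rule steers by application. The two embedded configurations are constructed to mirror the wan1/wan2 scenario; the `dstintf` values, the `set status enable` line and the rule contents beyond what the article shows are assumptions made for the example. In a real deployment you would narrow the audit to the policies whose destination is an SD-WAN zone or `virtual-wan-link`.

```python
import shlex
from typing import Any, Dict, List, Tuple

# Constructed "before" configuration modelled on the article's second scenario:
# the App-Steering rule matches by application, but the wan1-zone policy that the
# first packet hits has no application-list, so the application is never learned.
CONFIG_BEFORE = """\
config system sdwan
    set status enable
    config members
        edit 2
            set interface "wan2"
            set zone "WAN2-Zone"
            set gateway 192.168.4.99
        next
        edit 1
            set interface "wan1"
        next
    end
    config service
        edit 2
            set name "App-Steering"
            set internet-service enable
            set internet-service-app-ctrl 45553    <- Microsoft.Outlook.Office.365 (assumed here)
            set priority-members 2
        next
        edit 1
            set name "Catch-all"
            set dst "all"
            set src "all"
            set priority-members 1
        next
    end
end
config firewall policy
    edit 1
        set name "wan2-zone"
        set srcintf "internal1"
        set dstintf "WAN2-Zone"
        set utm-status enable
        set application-list "default"
    next
    edit 2
        set name "wan1-zone"
        set srcintf "internal1"
        set dstintf "wan1"
        set utm-status enable
    next
end
"""

# The fix from the article applied to the constructed config: policy 2 gets an application list.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    'set dstintf "wan1"\n', 'set dstintf "wan1"\n        set application-list "default"\n')


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse FortiOS CLI config into nested dicts: config path -> entry id -> settings."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("<-")[0].strip()  # drop article-style '<-' annotations
        if not line:
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {cmd!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit nesting")
    return root


def sdwan_app_ctrl_rules(cfg: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """SD-WAN rules that steer by application (internet-service-app-ctrl set)."""
    services = cfg.get("system sdwan", {}).get("service", {})
    return {rid: r for rid, r in services.items() if "internet-service-app-ctrl" in r}


def audit(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (policy id, name, problems) for policies that would prevent app learning."""
    cfg = parse_fortios(text)
    if not sdwan_app_ctrl_rules(cfg):
        return []  # nothing steers by application, so app control on policies is not required here
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        problems = []
        if pol.get("utm-status") != "enable":
            problems.append("utm-status not enabled")
        if "application-list" not in pol:
            problems.append("no application-list")
        if problems:
            findings.append((pid, pol.get("name", ""), problems))
    return findings


if __name__ == "__main__":
    print("before fix:", audit(CONFIG_BEFORE))  # flags policy 2 'wan1-zone'
    print("after fix: ", audit(CONFIG_AFTER))   # no findings
```

The audit deliberately reports every policy in scope rather than only the one on the wan1 path, because which zone a session enters first depends on routing at that moment; treating all candidate first-match policies as needing application control is the safer reading of the advice above.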

