Skip to main content
jcovarrubias
Staff
jcovarrubias
Staff
September 8, 2025

Technical Tip: Understanding SD‑WAN parent and child application classification behavior

  • September 8, 2025
  • 0 replies
  • 402 views
Description This article discusses the differences between parent and child signatures in SD-WAN application matching when using application groups and then outlines configuration strategies.
Scope FortiGate with SD-WAN.
Solution

Why SD‑WAN rules treat parent/child applications differently from Traffic Shaping:

 

Background:

 

Applications in App Control can be identified either at the parent or child level:

  • Parent application = the general category (e.g., Microsoft Teams).
  • Child application = specific sub‑traffic within that parent (e.g., Teams.Audio or Teams.Video).

This distinction matters because Traffic Shaping and SD‑WAN rules handle parent/child matches in different ways.

 

Example Application Hierarchy:

  • Microsoft Teams (Parent):
    • Microsoft Teams.Audio (Child).
    • Microsoft Teams.Video (Child).
    • Other Microsoft Teams traffic (broadcast, signalling, events, etc.)

Design Goal:

Apply the following policies:

  1. Teams.Audio -> Priority queue (low latency).
  2. Teams.Video -> Non‑priority queue, with reserved bandwidth.
  3. Other Teams traffic -> Best effort queue.

 

Traffic Shaping Behavior.

Traffic shapers can evaluate child apps separately:

  • Teams.Audio -> put in the priority queue.
  • Teams. Video -> put in non‑priority queue with bandwidth reservation.
  • Other Teams traffic (only matches the parent app) → goes to best effort.

Traffic Shaping keeps child‑level granularity even if the parent is also present in the ruleset.

 

SD‑WAN Rule Behavior:

 

SD‑WAN classification works differently:

  • If a rule references Microsoft Teams (parent), all Teams traffic matches this rule, and child rules below it are ignored.
  • The rule matching order is:
    1. Internet‑Service‑Custom
    2. Internet‑Service‑App‑Ctrl
    3. Internet Service Database  

When the parent (Microsoft Teams) is matched, SD‑WAN does not try to identify children afterward.

 

Config Example:

 

Rule 1 – Teams Audio.

  • Match: Microsoft Teams.Audio
  • Action: Priority path, priority queue

Rule 2 – Teams Video.

  • Match: Microsoft Teams.Video
  • Action: Secondary path, bandwidth guarantee

Rule 3 – Other Teams traffic.

  • Match: Microsoft Teams (Parent)
  • Action: Best effort path

 

Result of testing:

  • Teams.Audio -> correctly classified into Rule 1 (priority).
  • Teams. Video -> correctly classified into Rule 2 (non‑priority with reserved bandwidth).
  • Teams broadcast/other signalling -> caught only by Rule 3.
  • If Rule 3 is placed above Rule 1/2, then all Teams traffic hits Rule 3 and child rules are bypassed.

Key Takeaways:

  • Traffic Shaping can apply to parents and children simultaneously.
  • SD‑WAN rules stop at the first parent match: therefore, avoid referencing the parent app if more granular control is required.
  • Best practice: reference only the child applications needed in SD‑WAN, and keep the parent app separate for fallback/best effort rules.
    Terms & ConditionsAccessibility statement