Troubleshooting Tip: SD-WAN rules with application steering are not working

The SD-WAN rules are configured with the application-based destinations, and the traffic matching these applications is not being routed through the intended SD-WAN rules.

To troubleshoot the issue of SD-WAN application-based routing, follow these steps:

In this example, the SD-WAN rule is configured with the destination set to a YouTube application. The corresponding firewall policy is configured in proxy-based inspection mode, with Application Control and Deep Packet Inspection (DPI) enabled.

Despite the configuration, traffic destined for the YouTube application does not match the SD-WAN rule and is routed via the default SD-WAN rule instead.

SD-WAN rule:

config system sdwan

    config service
        edit 2
            set name "youtube-internet"
            set src "all"
            set internet-service enable
            set internet-service-app-ctrl 31077 16420 17396 23397 25564 30201 31076 33104 38569 41598
            set priority-zone "internet"
            set gateway enable
            set default enable
        next

end

Firewall policy:

config firewall policy
    edit 19
        set name "YOUTUBE"
        set uuid 021b9638-c9a3-51f0-f8e0-e91f1e121f57
        set srcintf "port1"
        set dstintf "internet"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next

end

Routing is already configured and functioning as expected. Traffic forward logs confirm that the application is correctly identified by Application Control.

Traffic destined for YouTube is not matching SD-WAN rule ID 2 and is instead matching a lower-priority SD-WAN rule.

By executing the command 'diagnose sys sdwan internet-service-app-ctrl-list', no learned application entries are displayed in the SD-WAN application control cache.

diagnose sys sdwan internet-service-app-ctrl-list
List App Ctrl Database Entry(IPv4) in Kernel:

As there are no learned app entries in the SD-WAN app-ctrl cache, traffic cannot match SD-WAN rules configured with application-based destinations. As a result, the traffic does not hit the intended SD-WAN rule.

This behavior is observed when the firewall policy is configured with proxy-based inspection. Changing the Firewall policy to Flow-based inspection, the SD-WAN app-ctrl learned application entries, and traffic hits the SD-WAN rule ID 2.  

The proxy IPS does not update the SD-WAN app-ctrl. To learn app entries in the SD-WAN app-ctrl cache, it needs to disable the proxy-inline-ips.

config ips settings
    set proxy-inline-ips disable
end

The proxy-inline-ips is a feature introduced in FortiOS v7.4.2 that allows HTTP/HTTPS traffic to be processed through the WAD instead of the IPS engine. This feature helps reduce the workload on the IPS engine by distributing the processing tasks, optimizing CPU usage, and balancing security and performance. It is enabled by default in FortiOS starting from version 7.4.2. For more information on Inline IPS, refer to the following FortiNet article:
Technical Tip: Proxy Inline Intrusion Prevention System feature in FortiOS

After making the above changes, the SD-WAN application ctrl list learned the entries, and the traffic will hit the expected SD-WAN rule:

This option, proxy-inline-ips disable, will be the default option in the future.