Description | This article describes how application signatures are learned and cached for SD-WAN application steering. |
Scope | FortiGate, SD-WAN, Application Steering. |
Solution |
When application steering is performed with SD-WAN, FortiGate must first identify the application carried by the traffic before it can match the right SD-WAN rule.
To accelerate application steering, FortiGate maintains an ISDB application cache.
Each entry in the cache maps a 3-tuple (destination IP, protocol, and destination port) to an application ID.
FortiGate uses this cache to identify the application of a new session quickly, on the premise that a destination already seen serving a given application will serve the same application again.
When FortiGate receives the first packet of a session, it proceeds as follows:
It looks up the session's 3-tuple in the cache. On a hit, the cached application ID is assigned to the session and the session is flagged dirty.
The dirty flag triggers a session re-evaluation, and therefore new route and firewall policy lookups, on the next packet.
If the 3-tuple is not in the cache and the application is not detected on the first packet, FortiGate attempts to detect the application on the following packets.
An application-based SD-WAN rule is configured as shown below.
Before 7.2.x, the application option was available directly in the SD-WAN rule; from 7.2.x onward, application detection for SD-WAN must first be enabled in the GUI settings:
config system global
set gui-app-detection-sdwan enable
end
Example:
GoToMeeting traffic (application ID 16354; the same rule also steers Bugzilla, ID 17573) must be sent via SD-WAN member port1:
config system sdwan
    set status enable
    set load-balance-mode weight-based
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway 10.5.31.254
            set weight 50
        next
        edit 5
            set interface "port6"
            set weight 50
        next
    end
    config health-check
        edit "test_sla"
            set server "8.8.8.8"
            set members 1 5
        next
    end
    config service
        edit 2
            set name "Application_steering"
            set src "all"
            set internet-service enable
            set internet-service-app-ctrl 16354 17573
            set priority-members 1
        next
    end
end
Before any matching traffic has been initiated, the cache list is empty:
Lab_FGT# diagnose sys sdwan internet-service-app-ctrl-list
Lab_FGT#
The traffic is accepted by a firewall policy with application control enabled (application-list "default"); without an application control profile on the policy, the IPS engine does not detect the application and the cache is never populated:
Lab_FGT(8) # show
config firewall policy
edit 8
set name "application_steering"
set uuid f04c4690-31cf-51ee-0923-1179aaf0814e
set srcintf "port4"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set application-list "default"
set logtraffic all
set nat enable
next
end
After traffic has matched the policy and the application has been detected, the cache is populated. Each line shows the application name (application ID, internet-service ID), followed by the destination IP, protocol number, destination port, and the timestamp of the entry:
Lab_FGT# dia sys sdwan internet-service-app-ctrl-list
GoToMeeting(16354 4294836966): 18.161.111.39 6 443 Mon Aug 28 21:17:36 2023
GoToMeeting(16354 4294836966): 18.161.111.59 6 443 Mon Aug 28 21:19:11 2023
GoToMeeting(16354 4294836966): 18.161.111.68 6 443 Mon Aug 28 20:58:17 2023
GoToMeeting(16354 4294836966): 34.198.75.68 6 443 Mon Aug 28 21:18:36 2023
GoToMeeting(16354 4294836966): 34.206.239.52 6 443 Mon Aug 28 21:19:36 2023
GoToMeeting(16354 4294836966): 52.40.83.126 6 443 Mon Aug 28 21:16:03 2023
GoToMeeting(16354 4294836966): 52.200.153.10 6 443 Mon Aug 28 20:58:05 2023
GoToMeeting(16354 4294836966): 52.205.189.0 6 443 Mon Aug 28 21:17:28 2023
GoToMeeting(16354 4294836966): 52.222.144.46 6 443 Mon Aug 28 21:15:54 2023
GoToMeeting(16354 4294836966): 52.222.144.71 6 443 Mon Aug 28 20:57:55 2023
GoToMeeting(16354 4294836966): 54.230.112.74 6 443 Mon Aug 28 21:16:55 2023
GoToMeeting(16354 4294836966): 54.230.112.105 6 443 Mon Aug 28 20:58:22 2023
GoToMeeting(16354 4294836966): 54.230.112.113 6 443 Mon Aug 28 21:16:54 2023
GoToMeeting(16354 4294836966): 96.16.248.27 6 443 Mon Aug 28 20:58:19 2023
GoToMeeting(16354 4294836966): 150.136.248.95 6 443 Mon Aug 28 20:58:22 2023
graviton-kvm01 # diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(1):
1: Seq_num(1 port1), alive, selected
Internet Service(2): GoToMeeting(4294836966,0,0,0,0 16354) Bugzilla(4294836533,0,0,0,0 17573)
Src address(1):
0.0.0.0-255.255.255.255
session info: proto=6 proto_state=11 duration=18 expire=3592 timeout=3600 flags=00000000 socktype=0 sockport=443 av_idx=9 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=redir log local may_dirty nlb f00 app_valid
statistic(bytes/packets/allow_err): org=2593/18/1 reply=8769/19/1 tuples=3
tx speed(Bps/kbps): 61/0 rx speed(Bps/kbps): 390/3
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=10.5.31.254/0.0.0.0
hook=post dir=org act=snat 10.201.15.72:63143->96.16.248.27:443(10.5.20.11:63143)
hook=pre dir=reply act=dnat 96.16.248.27:443->10.5.20.11:63143(10.201.15.72:63143)
hook=post dir=reply act=noop 96.16.248.27:443->10.201.15.72:63143(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 pol_uuid_idx=15771 auth_info=0 chk_client_info=0 vd=0
serial=02140202 tos=40/40 app_list=2000 app=16354 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=2
rpdb_link_id=ff000002 ngfwid=n/a
npu_state=0x001108
no_ofld_reason: redir-to-av
app=16354 <----- Matched application ID from the cache list.
sdwan_service_id=2 <----- SD-WAN rule ID.
sdwan_mbr_seq=1 <----- SD-WAN member ID.
Note:
Packets are always sent to the IPS engine for application detection, even when the cache has already supplied an application ID. This way, FortiGate can later re-evaluate the session and match the correct rule if the detected application turns out to be different from the one matched in the cache.
That is, during the learning phase (the first session to a destination that is not yet in the cache, or one whose cached entry does not match what the IPS engine detects), a session may temporarily be steered by a rule and member other than the expected ones.
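The cache lookup, dirty-flag re-evaluation and IPS correction described above, modelled in Python as an added example (this is not FortiOS code or Fortinet's own): it parses the cache dump format shown earlier and walks three sessions through the logic, a cache hit, a cache miss learned by the IPS engine, and a cached entry contradicted by the IPS engine. Rule 2, member port1 and application IDs 16354/17573 come from the configuration above; the implicit load-balancing fallback, the single IPS detection callback, the constructed destination 203.0.113.7 and the placeholder application ID 99999 are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Application IDs taken from the article's SD-WAN rule.
GOTOMEETING = 16354
BUGZILLA = 17573
# Placeholder ID for an application the rule does not steer (assumption).
OTHER_APP = 99999

# SD-WAN rules as (rule_id, steered application IDs, member). Rule 2 and
# port1 are from the article; IMPLICIT stands in for the weight-based
# load balancing that applies when no rule matches (simplification).
RULES = [(2, {GOTOMEETING, BUGZILLA}, "port1")]
IMPLICIT = ("implicit", "weight-based LB")

# Constructed sample in the format of
# 'diagnose sys sdwan internet-service-app-ctrl-list' (lines taken from
# the article's output).
CACHE_DUMP = """\
GoToMeeting(16354 4294836966): 18.161.111.39 6 443 Mon Aug 28 21:17:36 2023
GoToMeeting(16354 4294836966): 96.16.248.27 6 443 Mon Aug 28 20:58:19 2023
"""

CACHE_LINE = re.compile(
    r"^(?P<app>\S+)\((?P<app_id>\d+) (?P<isdb_id>\d+)\): "
    r"(?P<ip>\S+) (?P<proto>\d+) (?P<port>\d+) (?P<ts>.+)$")


def parse_cache_dump(text):
    """Parse the cache dump into {(dst_ip, proto, dst_port): (name, app_id)}."""
    cache = {}
    for line in text.splitlines():
        m = CACHE_LINE.match(line.strip())
        if m:
            key = (m["ip"], int(m["proto"]), int(m["port"]))
            cache[key] = (m["app"], int(m["app_id"]))
    return cache


def match_rule(app_id):
    """Return (rule_id, member) for an application ID, or the implicit rule."""
    for rule_id, apps, member in RULES:
        if app_id in apps:
            return rule_id, member
    return IMPLICIT


@dataclass
class Session:
    dst_ip: str
    proto: int
    dst_port: int
    app_id: Optional[int] = None
    dirty: bool = False
    rule: tuple = IMPLICIT
    packets: int = 0
    trail: list = field(default_factory=list)  # (packet no, rule_id, member)


def process_packet(sess, cache, ips_detected=None):
    """Run one packet through the steering logic. ips_detected simulates the
    IPS engine returning an application ID on this packet."""
    sess.packets += 1
    if sess.dirty:
        # Dirty flag set on the previous packet: redo the rule lookup now.
        sess.rule = match_rule(sess.app_id)
        sess.dirty = False
    elif sess.packets == 1:
        # First packet: 3-tuple lookup in the ISDB application cache.
        hit = cache.get((sess.dst_ip, sess.proto, sess.dst_port))
        if hit:
            sess.app_id = hit[1]
            sess.dirty = True  # re-evaluated on the next packet
    # IPS always inspects; a new or different detection updates the cache
    # and marks the session for re-evaluation.
    if ips_detected is not None and ips_detected != sess.app_id:
        cache[(sess.dst_ip, sess.proto, sess.dst_port)] = ("ips", ips_detected)
        sess.app_id = ips_detected
        sess.dirty = True
    sess.trail.append((sess.packets, *sess.rule))
    return sess.rule


def run_scenarios():
    cache = parse_cache_dump(CACHE_DUMP)
    out = {}
    # 1. Cache hit: from the second packet on, rule 2 steers to port1.
    s = Session("96.16.248.27", 6, 443)
    for _ in range(3):
        process_packet(s, cache)
    out["hit"] = s.trail
    # 2. Cache miss: implicit LB until the IPS detects GoToMeeting on packet 3.
    s = Session("203.0.113.7", 6, 443)  # constructed destination, not cached
    for n in range(1, 5):
        process_packet(s, cache, ips_detected=GOTOMEETING if n == 3 else None)
    out["miss"] = s.trail
    out["learned"] = cache[("203.0.113.7", 6, 443)][1]
    # 3. Cached entry contradicted by the IPS: steered to port1, then back.
    s = Session("18.161.111.39", 6, 443)
    for n in range(1, 4):
        process_packet(s, cache, ips_detected=OTHER_APP if n == 2 else None)
    out["mismatch"] = s.trail
    return out


if __name__ == "__main__":
    for name, trail in run_scenarios().items():
        print(name, trail)
```

The trails show the learning-phase caveat concretely: even on a cache hit the first packet is routed before the re-evaluation, a miss costs every packet until the IPS engine detects the application, and a wrong cache entry steers the session onto the rule's member until the IPS detection corrects it.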
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.