Description
This article describes how FortiGate matches traffic to an application-based SD-WAN rule.
Scope
All FortiGate models and firmware versions that support application-based SD-WAN rules.
Solution |
Consider that SD-WAN rule 4 is configured for the application PING to go out of wan2, but the traffic is instead matched by SD-WAN rule 1:
# config service
    edit 4
        set name "PING"
        set src "all"
        set internet-service enable
        set internet-service-app-ctrl 24466    <----- PING application.
        set priority-members 2                 <----- wan2.
    next
    edit 1
        set name "Internet"
        set mode sla
        set dst "all"
        set src "all"
        config sla
            edit "Google"
                set id 1
            next
        end
        set priority-members 2 1
    next
end
Below is the logic that FortiGate uses to match traffic to an application-based SD-WAN rule.
1) FortiGate first checks the internet service custom list:
# di firewall internet-service-custom list
2) If the application is not in the internet service custom list, FortiGate checks the application control list:
# di sys sdwan internet-service-app-ctrl-list
Ping(24466 4294837724): 4.2.2.2 1 0 Wed Aug 3 11:14:07 2022
3) If the application is not in the output of the above command either, FortiGate checks the Internet Service Database (ISDB).
The reason for this order is that the 'internet service custom list' is locally and statically configured, so it has the highest matching priority. The 'application control list' is a locally learned dynamic list and has the second priority, and the 'ISDB' is delivered remotely by FortiGuard, so it is consulted last.
In this example, because PING is also configured as a custom internet service, the traffic is classified by the custom list first and FortiGate does not match SD-WAN rule 4, which is configured to match the application PING via application control. To make SD-WAN rule 4 match, delete the custom internet service for PING.
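The lookup precedence described above, modelled in Python as an added example (this is not FortiGate code); the list contents, the addresses and the ISDB entry are constructed sample data, and only the PING application ID 24466 and the rule layout come from the article:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample tables, consulted in FortiGate's order:
# custom internet-service list -> app-ctrl list -> ISDB (FortiGuard).
CUSTOM_LIST = {"PING": {"4.2.2.2"}}      # locally, statically configured
APPCTRL_LIST = {24466: {"4.2.2.2"}}      # learned dynamically by app control
ISDB = {65536: {"8.8.8.8"}}              # hypothetical FortiGuard entry

@dataclass
class Rule:
    rid: int
    name: str
    members: list                     # priority-members (interface indexes)
    app_ctrl: Optional[int] = None    # internet-service-app-ctrl <id>
    custom: Optional[str] = None      # internet-service-custom <name>

    def matches(self, kind: str, ident) -> bool:
        if self.app_ctrl is not None:
            return kind == "app-ctrl" and ident == self.app_ctrl
        if self.custom is not None:
            return kind == "custom" and ident == self.custom
        return True   # no service criteria: catch-all like the "Internet" rule

def classify(dst, custom=CUSTOM_LIST, appctrl=APPCTRL_LIST, isdb=ISDB):
    """Return (source, identifier) for a destination, stopping at the
    first list that knows the address; later lists are never consulted."""
    for kind, table in (("custom", custom), ("app-ctrl", appctrl), ("isdb", isdb)):
        for ident, addrs in table.items():
            if dst in addrs:
                return kind, ident
    return "none", None

def select_rule(dst, rules, **lists):
    """Return the id of the first SD-WAN rule (in configured order) whose
    service criteria match the classification of dst, or None."""
    kind, ident = classify(dst, **lists)
    for rule in rules:
        if rule.matches(kind, ident):
            return rule.rid
    return None

# Rule 4 (app-ctrl PING -> wan2) is listed before the catch-all rule 1.
RULES = [Rule(4, "PING", [2], app_ctrl=24466), Rule(1, "Internet", [2, 1])]

if __name__ == "__main__":
    print("with custom PING entry   ->", select_rule("4.2.2.2", RULES))     # rule 1
    print("custom PING entry removed ->", select_rule("4.2.2.2", RULES, custom={}))  # rule 4
```

With the custom entry present the flow is classified as custom "PING", so rule 4's app-ctrl criterion never matches; removing it lets the app-ctrl list classify the flow as 24466 and rule 4 is selected.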
For more information on application steering using SD-WAN, refer to the link below:
Copyright 2024 Fortinet, Inc. All Rights Reserved.