FortiGate
aishaqui
Article Id 222902

Description

This article describes how FortiGate matches traffic to an application-based SD-WAN rule.

Scope

All FortiGate models and firmware versions that support application-based SD-WAN rules.

Solution

Consider that SD-WAN rule 4 is configured to send the application PING out of wan2, BUT the traffic instead uses SD-WAN rule 1:

# config service
    edit 4
        set name "PING"
        set src "all"
        set internet-service enable
        set internet-service-app-ctrl 24466 <----- PING application.
        set priority-members 2 <----- wan2.
    next
    edit 1
        set name "Internet"
        set mode sla
        set dst "all"
        set src "all"
        config sla
            edit "Google"
                set id 1
            next
        end
        set priority-members 2 1
    next
end

Below is the logic that FortiGate uses to match traffic to an application-based SD-WAN rule.

1) FortiGate first checks the internet service custom list:

# di firewall internet-service-custom list
List internet service in kernel(custom):
name=Ping id=4294901763 reputation=3 Unverified site. singularity=0 flags=0x0 protocol=1
addr ip mask=(1): 0.0.0.0/0.0.0.0

2) If the application is not in the internet service custom list, FortiGate checks the application control list:

# di sys sdwan internet-service-app-ctrl-list
Ping(24466 4294837724): 4.2.2.2 1 0 Wed Aug 3 11:14:07 2022

3) If the application is not in the output of the above command either, FortiGate checks the internet service database (ISDB).

The reason behind this order is that the 'internet service custom list' is locally and statically configured, so it has the highest matching priority. The 'application control list' is a locally learned, dynamic list, so it has the second priority, and the 'ISDB' comes from FortiGuard remotely, so it is the last resort.

In this example, since PING is configured as a custom internet service, it is matched at the first step and FortiGate will not match SD-WAN rule 4, which is configured to match application PING through application control.

To use SD-WAN rule 4, delete the custom internet service for PING.
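As an added illustration (not FortiOS code and not part of the original article), the Python script below models the three-step lookup described above and then evaluates the two SD-WAN rules from the example top-down. It parses constructed samples shaped like the two diagnose outputs, classifies a hypothetical ping flow, and shows that the flow lands on rule 1 while the custom PING service exists and on rule 4 once that custom service is removed. The Rule data class, the FLOW dictionary and the rule_matches logic are simplifications assumed for the demonstration, not FortiGate's internal implementation.

```python
"""Simulation (added example) of the article's three-tier lookup for
application-based SD-WAN rules: custom internet service list first, then
the application control list, then the FortiGuard ISDB as last resort."""
import re
from dataclasses import dataclass

# Constructed sample, shaped like `diagnose firewall internet-service-custom list`.
CUSTOM_ISDB_OUTPUT = """\
List internet service in kernel(custom):
name=Ping id=4294901763 reputation=3 Unverified site. singularity=0 flags=0x0 protocol=1
addr ip mask=(1): 0.0.0.0/0.0.0.0
"""

# Constructed sample, shaped like `diagnose sys sdwan internet-service-app-ctrl-list`.
APP_CTRL_LIST_OUTPUT = """\
Ping(24466 4294837724): 4.2.2.2 1 0 Wed Aug 3 11:14:07 2022
"""


def parse_custom_isdb(text):
    """Map lower-cased custom service name -> numeric id."""
    return {m.group(1).lower(): int(m.group(2))
            for m in re.finditer(r"name=(\S+) id=(\d+)", text)}


def parse_app_ctrl_list(text):
    """Map application control id -> application name."""
    return {int(m.group(2)): m.group(1)
            for m in re.finditer(r"^(\w+)\((\d+) \d+\):", text, re.M)}


@dataclass(frozen=True)
class Rule:
    """Simplified model (assumption) of the SD-WAN rule fields used here."""
    id: int
    name: str
    app_ctrl_ids: tuple = ()   # `set internet-service-app-ctrl ...`; empty = not set
    dst_all: bool = False      # `set dst "all"`
    priority_members: tuple = ()


# The two rules from the article, in the order the config lists them.
RULES = (
    Rule(4, "PING", app_ctrl_ids=(24466,), priority_members=(2,)),
    Rule(1, "Internet", dst_all=True, priority_members=(2, 1)),
)

# A hypothetical ping flow; app name and id are the ones shown in the article.
FLOW = {"app_name": "Ping", "app_id": 24466, "dst": "4.2.2.2"}


def classify(flow, custom_text, app_ctrl_text):
    """Return (source, key) for the flow using the article's precedence."""
    custom = parse_custom_isdb(custom_text)
    if flow["app_name"].lower() in custom:
        return ("custom-isdb", custom[flow["app_name"].lower()])
    app_ctrl = parse_app_ctrl_list(app_ctrl_text)
    if flow["app_id"] in app_ctrl:
        return ("app-ctrl", flow["app_id"])
    return ("fortiguard-isdb", None)   # last resort, not modelled further here


def rule_matches(rule, classification):
    """Assumed matching semantics: an app-ctrl rule needs an app-ctrl hit."""
    source, key = classification
    if rule.app_ctrl_ids:
        # A custom-ISDB classification never satisfies an app-ctrl rule,
        # which is exactly why rule 4 is skipped in the article's scenario.
        return source == "app-ctrl" and key in rule.app_ctrl_ids
    return rule.dst_all


def select_rule(rules, flow, custom_text, app_ctrl_text):
    """Id of the first rule (top-down) that matches, or None."""
    classification = classify(flow, custom_text, app_ctrl_text)
    for rule in rules:
        if rule_matches(rule, classification):
            return rule.id
    return None


if __name__ == "__main__":
    print("with custom PING service:",
          select_rule(RULES, FLOW, CUSTOM_ISDB_OUTPUT, APP_CTRL_LIST_OUTPUT))
    print("after deleting it:       ",
          select_rule(RULES, FLOW, "", APP_CTRL_LIST_OUTPUT))
```

Passing an empty string as the custom list stands in for deleting the custom internet service; the same flow then reaches the application control step and rule 4 matches.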

For more information on application steering using SD-WAN, refer to the link below:

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/125874/application-steering-...