FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 205286
Description This article describes that in SD-WAN rule application control is configured to catch specific application (e.g. '45553' Microsoft.Outlook.Office.365 in rule 1 below), which is followed by a less specific rule to catch other traffic (e.g dst 'all' in rule 2 below).

Supposedly traffic of application 'Microsoft.Outlook.Office.365' should follow rule 1.

But it may be possible traffic log also some traffic matches the less specific rule 2 (dst all').


This is because FortiGate needs to learn the application first before. Initiailly before the application is learned, it will follow rule 1.

After the application has been learned  (as configured in the firewall policy), SD-WAN can then recognize the application and uses rule 1.


Before the application is learned, initial traffic may hit the less specific SD-WAN rule '2' instead of rule '1' (with application control).




# config system sdwa

    # config servic

        edit 1

            set name "rule-app-ctrl"

            set src "all"

            set internet-service enable

            set internet-service-app-ctrl 45553  <- application “Microsoft.Outlook.Office.365”

            set priority-members 1


        edit 2

            set name "rule-all"

            set mode priority

            set dst "all"

            set src "all"

            set health-check "Default_DNS"

            set priority-members 2




# config firewall polic

    edit 1

        set name "firewall-rule-1"

        set uuid e0122044-88b4-51ec-618c-a22ff71f6b45

        set srcintf "port2"

        set dstintf "virtual-wan-link"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set utm-status enable

        set ssl-ssh-profile "certificate-inspection"

        set application-list "default"

        set logtraffic all

        set nat enable




Command below can be used to check the application control cache learned by SD-WAN.


FGT #  diagnose sys sdwan internet-service-app-ctrl-list

Microsoft.Outlook.Office.365(45553 4294837323): 6 443 Tue Feb 22 11:50:55 2022