Description
This article describes the case where an SD-WAN rule with application control is configured to catch a specific application (e.g. '45553' Microsoft.Outlook.Office.365 in rule 1 below), followed by a less specific rule that catches all other traffic (e.g. dst 'all' in rule 2 below).

Scope

Solution
Traffic of the application 'Microsoft.Outlook.Office.365' is expected to follow rule 1. However, the traffic log may also show some of this traffic matching the less specific rule 2 (dst 'all').
This is because the FortiGate needs to learn the application first. Initially, before the application is learned, the traffic follows rule 2. After the application has been learned (through the application control configured in the firewall policy), SD-WAN can recognize the application and uses rule 1.
Before the application is learned, initial traffic may therefore hit the less specific SD-WAN rule 2 instead of rule 1 (the rule with application control).
# config system sdwan
    …
    config service
        edit 1
            set name "rule-app-ctrl"
            set src "all"
            set internet-service enable
            set internet-service-app-ctrl 45553    <- application "Microsoft.Outlook.Office.365"
            set priority-members 1
        next
        edit 2
            set name "rule-all"
            set mode priority
            set dst "all"
            set src "all"
            set health-check "Default_DNS"
            set priority-members 2
        next
    end

# config firewall policy
    edit 1
        set name "firewall-rule-1"
        set uuid e0122044-88b4-51ec-618c-a22ff71f6b45
        set srcintf "port2"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
The command below can be used to check the application control cache learned by SD-WAN.

FGT # diagnose sys sdwan internet-service-app-ctrl-list
…
Microsoft.Outlook.Office.365(45553 4294837323): 40.99.10.98 6 443 Tue Feb 22 11:50:55 2022
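The following Python script is an added example, not part of the article or of FortiOS; it illustrates the learning behaviour explained above and the check just shown. It parses output in the format of 'diagnose sys sdwan internet-service-app-ctrl-list' (the sample output below is constructed, modelled on the line shown in the article) and then applies a deliberately simplified model of rule selection: an application-control rule is treated as matching only when the destination tuple is already in the learned cache for that application ID, otherwise the flow falls through to the 'dst all' rule. Rule names, IDs, the extra destination IP and the cache-population step are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample output, in the format of the diagnose command shown above.
SAMPLE_OUTPUT = """\
FGT # diagnose sys sdwan internet-service-app-ctrl-list
Microsoft.Outlook.Office.365(45553 4294837323): 40.99.10.98 6 443 Tue Feb 22 11:50:55 2022
Microsoft.Outlook.Office.365(45553 4294837323): 52.97.130.2 6 443 Tue Feb 22 11:51:10 2022
"""

# One cache line: <app>(<app id> <internal id>): <dst ip> <proto> <port> <timestamp>
ENTRY_RE = re.compile(
    r"^(?P<app>[\w.\-]+)\((?P<app_id>\d+) (?P<internal_id>\d+)\): "
    r"(?P<ip>[\d.]+) (?P<proto>\d+) (?P<port>\d+) (?P<ts>.+)$"
)


@dataclass(frozen=True)
class CacheEntry:
    app: str
    app_id: int
    ip: str
    proto: int
    port: int
    learned_at: datetime


def parse_app_ctrl_list(text: str) -> List[CacheEntry]:
    """Extract learned (app, destination) entries; prompt and '…' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(CacheEntry(
            app=m["app"], app_id=int(m["app_id"]), ip=m["ip"],
            proto=int(m["proto"]), port=int(m["port"]),
            learned_at=datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        ))
    return entries


@dataclass(frozen=True)
class SdwanRule:
    rule_id: int
    name: str
    app_ctrl_id: Optional[int]  # 'set internet-service-app-ctrl <id>', None for 'dst all'


# Mirrors the two rules in the article's 'config service' block.
RULES = [
    SdwanRule(1, "rule-app-ctrl", 45553),
    SdwanRule(2, "rule-all", None),
]


def select_rule(cache: List[CacheEntry], dst_ip: str, proto: int, port: int,
                rules: List[SdwanRule] = RULES) -> SdwanRule:
    """Simplified model (assumption, not FortiOS internals): rules are tried in order,
    and an app-ctrl rule matches only if the destination tuple is already learned."""
    learned = {(e.ip, e.proto, e.port): e.app_id for e in cache}
    for rule in rules:
        if rule.app_ctrl_id is None:
            return rule  # 'dst all' catches everything that was not recognised
        if learned.get((dst_ip, proto, port)) == rule.app_ctrl_id:
            return rule
    raise LookupError("no SD-WAN rule matched")


def first_and_later_flow(text: str, dst_ip: str = "40.97.128.4",
                         proto: int = 6, port: int = 443) -> tuple:
    """Return (rule id for the first session, rule id after the app is learned)."""
    cache = parse_app_ctrl_list(text)
    before = select_rule(cache, dst_ip, proto, port)
    # Application control on the firewall policy identifies the app on the first
    # session and populates the cache; modelled here by appending an entry.
    cache.append(CacheEntry("Microsoft.Outlook.Office.365", 45553, dst_ip, proto, port,
                            datetime(2022, 2, 22, 12, 0, 0)))
    after = select_rule(cache, dst_ip, proto, port)
    return before.rule_id, after.rule_id


if __name__ == "__main__":
    for e in parse_app_ctrl_list(SAMPLE_OUTPUT):
        print(f"learned {e.app} ({e.app_id}) -> {e.ip}:{e.port}/{e.proto} at {e.learned_at}")
    print("first session rule, later session rule:", first_and_later_flow(SAMPLE_OUTPUT))
```

A destination that already appears in the cache (40.99.10.98:443/6 in the sample) is routed by rule 1 straight away, while a destination not yet learned takes rule 2 for its first session and rule 1 afterwards, which is exactly the pattern seen in the traffic log.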
Copyright 2024 Fortinet, Inc. All Rights Reserved.