FortiGate
jcovarrubias
Staff
Article Id 409051
Description: This article discusses the differences between parent and child signatures in SD-WAN application matching when using application groups and then outlines configuration strategies.
Scope: FortiGate with SD-WAN.
Solution

Why SD‑WAN rules treat parent/child applications differently from Traffic Shaping:

Background:

Applications in App Control can be identified either at the parent or child level:

  • Parent application = the general category (e.g., Microsoft Teams).
  • Child application = specific sub‑traffic within that parent (e.g., Teams.Audio or Teams.Video).

This distinction matters because Traffic Shaping and SD‑WAN rules handle parent/child matches in different ways.


Example Application Hierarchy:

  • Microsoft Teams (Parent):
    • Microsoft Teams.Audio (Child).
    • Microsoft Teams.Video (Child).
    • Other Microsoft Teams traffic (broadcast, signalling, events, etc.).

Design Goal:

Apply the following policies:

  1. Teams.Audio -> Priority queue (low latency).
  2. Teams.Video -> Non‑priority queue, with reserved bandwidth.
  3. Other Teams traffic -> Best effort queue.

Traffic Shaping Behavior:

Traffic shapers can evaluate child apps separately:

  • Teams.Audio -> put in the priority queue.
  • Teams.Video -> put in the non‑priority queue with bandwidth reservation.
  • Other Teams traffic (matches only the parent app) -> goes to best effort.

Traffic Shaping keeps child‑level granularity even if the parent is also present in the ruleset.

SD‑WAN Rule Behavior:

SD‑WAN classification works differently:

  • If a rule references Microsoft Teams (parent), all Teams traffic matches this rule, and child rules below it are ignored.
  • The rule matching order is:
    1. Internet‑Service‑Custom
    2. Internet‑Service‑App‑Ctrl
    3. Internet Service Database

When the parent (Microsoft Teams) is matched, SD‑WAN does not try to identify children afterward.

Config Example:

Rule 1 – Teams Audio.

  • Match: Microsoft Teams.Audio
  • Action: Priority path, priority queue

Rule 2 – Teams Video.

  • Match: Microsoft Teams.Video
  • Action: Secondary path, bandwidth guarantee

Rule 3 – Other Teams traffic.

  • Match: Microsoft Teams (Parent)
  • Action: Best effort path

Result of testing:

  • Teams.Audio -> correctly classified into Rule 1 (priority).
  • Teams.Video -> correctly classified into Rule 2 (non‑priority with reserved bandwidth).
  • Teams broadcast/other signalling -> caught only by Rule 3.
  • If Rule 3 is placed above Rule 1/2, then all Teams traffic hits Rule 3 and child rules are bypassed.
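The three-rule design and the shaping policies described above, written out as FortiOS CLI. This is an added example, not configuration taken from the article or from Fortinet: the application IDs (11111, 22222, 33333), the interface names, the SD-WAN member numbers, the shaper names and the bandwidth figures are placeholders to be replaced with the values of the local FortiGate (the real signature IDs can be read from the Application Signatures list). Lines beginning with # are annotations, not CLI input.

```fortios
# ---- Traffic Shaping: parent and children are evaluated independently ----
config firewall shaper traffic-shaper
    edit "teams-audio-priority"
        set priority high            # low-latency queue for Teams.Audio
        set guaranteed-bandwidth 512 # kbps, constructed value
    next
    edit "teams-video-reserved"
        set priority medium          # non-priority queue, but with a reservation
        set guaranteed-bandwidth 2048 # kbps, constructed value
    next
    edit "teams-best-effort"
        set priority low             # everything else under the Teams parent
    next
end

config firewall shaping-policy
    edit 1
        set name "Teams-Audio"
        set srcintf "port1"                   # assumed LAN interface
        set dstintf "virtual-wan-link"        # assumed SD-WAN zone name
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set application 11111                 # PLACEHOLDER: Microsoft.Teams.Audio child ID
        set traffic-shaper "teams-audio-priority"
        set traffic-shaper-reverse "teams-audio-priority"
    next
    edit 2
        set name "Teams-Video"
        set srcintf "port1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set application 22222                 # PLACEHOLDER: Microsoft.Teams.Video child ID
        set traffic-shaper "teams-video-reserved"
        set traffic-shaper-reverse "teams-video-reserved"
    next
    edit 3
        set name "Teams-Other"
        set srcintf "port1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set application 33333                 # PLACEHOLDER: Microsoft.Teams parent ID
        set traffic-shaper "teams-best-effort"
        set traffic-shaper-reverse "teams-best-effort"
    next
end

# ---- SD-WAN rules: first match wins, so the children MUST sit above the parent ----
config system sdwan
    config service
        edit 1
            set name "Teams-Audio"
            set mode manual
            set internet-service enable
            set internet-service-app-ctrl 11111   # PLACEHOLDER child ID (Teams.Audio)
            set priority-members 1                # assumed: member 1 is the low-latency path
        next
        edit 2
            set name "Teams-Video"
            set mode manual
            set internet-service enable
            set internet-service-app-ctrl 22222   # PLACEHOLDER child ID (Teams.Video)
            set priority-members 2 1              # assumed: member 2 is the secondary path
        next
        edit 3
            set name "Teams-Other"
            set mode manual
            set internet-service enable
            set internet-service-app-ctrl 33333   # PLACEHOLDER parent ID (Microsoft Teams)
            set priority-members 1 2              # best effort, fallback for all other Teams flows
        next
    end
end
```

The order of the `edit` entries under `config service` is the evaluation order. Moving the parent entry up (for example with `move 3 before 1`) reproduces the failure noted in the test results: every Teams flow matches the parent rule first and rules 1 and 2 are never consulted, while the three shaping policies keep working because shaping evaluates each child signature on its own. After any reorder, `diagnose sys sdwan service` (FortiOS 7.x command name, assumed here) lists the rules in their current order and is a quick way to confirm that the child rules are still above the parent.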

Key Takeaways:

  • Traffic Shaping can apply to parents and children simultaneously.
  • SD‑WAN rules stop at the first parent match: therefore, avoid referencing the parent app if more granular control is required.
  • Best practice: reference only the child applications needed in SD‑WAN, and keep the parent app separate for fallback/best effort rules.