FortiGate
Article Id 285708
Description

This article describes why traffic does not hit a specific SD-WAN rule that matches on an ISDB (Internet Service Database) entry.

Scope

All FortiOS.
Solution

There are three attributes that can be configured in the SD-WAN service with ISDB: 

  1. internet-service-custom.
  2. internet-service-app-ctrl.
  3. internet-service-name.


For example, when configuring an SD-WAN service with an ISDB name to steer traffic destined for Zscaler Cloud through interface wan1:


config system sdwan
    config service
        edit 11
            set name "test"
            set src "local-subnet"
            set internet-service enable
            set internet-service-name "Zscaler-Zscaler.Cloud"
            set priority-members 8
        next
    end
end


Upon checking, the hit count is 0:

diagnose firewall proute list

-omitted-

id=2137128971(0x7f62000b) vwl_service=11(test) vwl_mbr_seq=8 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0
(any) dport=1-65535 path(1) oif=50(wan1)
source(1): 10.0.0.0-10.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(1): Zscaler-Zscaler.Cloud(6684793,0,0,0)
hit_count=0 last_used=2023-11-21 22:06:58

-omitted-


One possible cause is an improperly configured internet-service-custom entry with 'dst all'. Because internet-service-custom has the highest priority of the three attributes, such a catch-all entry matches every destination first, so the internet-service-name or internet-service-app-ctrl condition in the SD-WAN service never gets a chance to match.


diagnose firewall internet-service-custom list
List internet service in kernel(custom):
name=demo id=4294901762 reputation=3 Unverified site. singularity=0 flags=0x0 protocol=0
addr ip mask=(1): 0.0.0.0/0.0.0.0


config firewall internet-service-custom
    edit "demo"
        set id 4294901762
        set comment ''
        config entry
            edit 1
                set dst "all"
            next
        end
    next
end


The solution is to remove this internet-service-custom entry if it is unused, or to revise its destination address (dst) to something more specific and add the entry to the related SD-WAN service.
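As an added check that is not part of this article or of FortiOS, the following Python script scans a FortiOS configuration excerpt for internet-service-custom entries with dst "all" and reports the SD-WAN services that match by internet-service-name or internet-service-app-ctrl and would be shadowed by them. The sample configuration is constructed, and the parser assumes the CLI's standard 4-space indentation.

```python
import re

# Constructed FortiOS config excerpt (not from the article), shaped like the
# blocks above: a catch-all custom service and an SD-WAN service using an ISDB name.
SAMPLE_CONFIG = """\
config firewall internet-service-custom
    edit "demo"
        config entry
            edit 1
                set dst "all"
            next
        end
    next
end
config system sdwan
    config service
        edit 11
            set name "test"
            set internet-service enable
            set internet-service-name "Zscaler-Zscaler.Cloud"
        next
    end
end
"""

def _top_block(cfg, header):
    """Body of a column-0 'config <header>' ... 'end' block, or '' if absent."""
    m = re.search(rf"^config {header}\n(.*?)\n^end$", cfg, re.S | re.M)
    return m.group(1) if m else ""

def catch_all_custom_services(cfg):
    """Names of internet-service-custom entries that contain 'set dst "all"'."""
    body = _top_block(cfg, "firewall internet-service-custom")
    entries = re.finditer(r'^    edit "([^"]+)"\n(.*?)\n    next$', body, re.S | re.M)
    return [m.group(1) for m in entries if 'set dst "all"' in m.group(2)]

def shadowed_sdwan_services(cfg):
    """SD-WAN services steered by ISDB name/app-ctrl -> catch-all customs that win."""
    offenders = catch_all_custom_services(cfg)
    body = _top_block(cfg, "system sdwan")
    services = re.finditer(r"^        edit (\d+)\n(.*?)\n        next$", body, re.S | re.M)
    report = {}
    for s in services:
        # internet-service-custom is evaluated first, so these never get to match
        if offenders and re.search(r"set internet-service-(name|app-ctrl) ", s.group(2)):
            name = re.search(r'set name "([^"]+)"', s.group(2))
            report[name.group(1) if name else f"id {s.group(1)}"] = offenders
    return report
```

Run it against the output of `show full-configuration` saved to a file; an empty dictionary means no ISDB-based SD-WAN service is shadowed by a catch-all custom entry.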
