kyozloveyou_FTNT
Article Id 286803
Description This article describes how to find the application category ID that the 'diagnose sys sdwan internet-service-app-ctrl-list' command requires as its argument.
Scope FortiGate v7.2.1 and above. 
Solution

From v7.2.1, it is possible to use the Application category to steer traffic in SD-WAN:
Application steering using SD-WAN rules

 

However, troubleshooting this feature requires the 'diagnose sys sdwan internet-service-app-ctrl-list <category ID>' command, which takes the application category ID as its argument.

 

To get the category ID, run the below command after configuring the SD-WAN rule:

 

diag firewall proute list

 

(screenshot: proute.png)

 

  • Check the line of 'internet service(2): Social.Media(0,23,0,0,0) Video/Audio(0,5,0,0,0)'.

This shows that two application categories are configured in the rule: the Social.Media category has ID 23 and the Video/Audio category has ID 5.

 

  • Check the destination IPs learned by SD-WAN with the command 'diag sys sdwan internet-service-app-ctrl-category-list <category ID>', using the category ID taken from the 'diag firewall proute list' output above:

 

(screenshot: category.png)

 

Let's take the first line as an example:

 

YouTube(31077 4294838537): 142.250.199.22 17 443 Thu Nov 30 10:37:41 2023

 

  • YouTube is the signature.
  • 31077 is the signature ID for YouTube.
  • 142.250.199.22 is the IP address of YouTube learned through the Application Signature.
  • 17 refers to the IP protocol for UDP.
  • 443 refers to the destination port.
  • Thu Nov 30 10:37:41 2023 is the timestamp at which this IP was inserted into this SD-WAN rule.
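As an added example (not part of the article and not a Fortinet tool), a small Python parser for the two output formats above: it pulls the category IDs out of the 'internet service(N):' line of 'diag firewall proute list' and turns each learned-destination line of the category list into a typed record, which is handy when checking whether a destination has actually been learned into a rule. The sample lines are constructed from the ones shown above.

```python
import re
from datetime import datetime

# Constructed sample (not captured from a device), modelled on the
# 'internet service(2): ...' line the article highlights in 'diag firewall proute list'.
PROUTE_SAMPLE = """\
internet service(2): Social.Media(0,23,0,0,0) Video/Audio(0,5,0,0,0)
"""

# Constructed sample, modelled on the article's
# 'diag sys sdwan internet-service-app-ctrl-category-list <category ID>' line.
APP_CTRL_SAMPLE = """\
YouTube(31077 4294838537): 142.250.199.22 17 443 Thu Nov 30 10:37:41 2023
YouTube(31077 4294838537): 142.250.199.22 6 443 Thu Nov 30 10:38:02 2023
"""

# 'Name(a,ID,c,d,e)': the article identifies the second field as the category ID.
_CATEGORY_RE = re.compile(r"(?P<name>\S+?)\(\d+,(?P<cat_id>\d+),\d+,\d+,\d+\)")
# 'Signature(sigID extra): IP proto port timestamp'
_ENTRY_RE = re.compile(
    r"^(?P<sig>[^(]+)\((?P<sig_id>\d+) (?P<extra>\d+)\): "
    r"(?P<ip>[\d.]+) (?P<proto>\d+) (?P<port>\d+) (?P<ts>.+)$"
)
_PROTO_NAMES = {6: "TCP", 17: "UDP"}  # IP protocol numbers


def parse_category_ids(proute_output: str) -> dict[str, int]:
    """Map each application category named in an 'internet service(N):' line to its ID."""
    ids = {}
    for line in proute_output.splitlines():
        if line.lstrip().startswith("internet service("):
            for m in _CATEGORY_RE.finditer(line):
                ids[m["name"]] = int(m["cat_id"])
    return ids


def parse_app_ctrl_list(output: str) -> list[dict]:
    """Turn each learned-destination line into a record with typed fields."""
    entries = []
    for line in output.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:  # skip headers and blank lines
            continue
        proto = int(m["proto"])
        entries.append({
            "signature": m["sig"], "signature_id": int(m["sig_id"]),
            "ip": m["ip"], "protocol": _PROTO_NAMES.get(proto, str(proto)),
            "port": int(m["port"]),
            "learned_at": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        })
    return entries


def is_destination_learned(output: str, ip: str, port: int) -> bool:
    """True if the rule has already learned this destination IP and port."""
    return any(e["ip"] == ip and e["port"] == port for e in parse_app_ctrl_list(output))
```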