Fields for identifying traffic
This topic describes the fields in an SD-WAN rule used for defining the traffic to which the rule applies. Some fields are available only in the CLI.
SD-WAN rules can identify traffic by a variety of means:
| Address type | Source | Destination |
|---|---|---|
| IPv4/6 | ✓ | ✓ |
| MAC | ✓ | ✓ |
| Group | ✓ | ✓ |
| FABRIC_DEVICE dynamic address | ✓ | ✓ |
| Users | ✓ | ✓ |
| User groups | ✓ | ✓ |
| Application control (application aware routing) | | ✓ |
| Internet service database (ISDB) | | ✓ |
| BGP route tags | | ✓ |
| Differentiated Services Code Point (DSCP) tags | | ✓ |
In the GUI, go to Network > SD-WAN > SD-WAN Rules. Click Create New, or double-click an existing rule to open it for editing. The Source and Destination sections are used to identify the traffic that the rule applies to.
In the CLI, edit the service definition ID number to identify traffic for the rule:
```
config system sdwan
    config service
        edit <ID>
            set comment <string>
            <CLI commands from the following tables>
            ...
        next
    end
end
```
The following table describes the fields used for the name, ID, and IP version of the SD-WAN rule:
ID, Name, and IP version

| Field | CLI | Description |
|---|---|---|
| ID | `config system sdwan`<br>`config service`<br>`edit <ID>`<br>`set comment <string>`<br>`next`<br>`end` | The ID is generated when the rule is created. You can only specify the ID from the CLI. |
| Name | `set name <string>` | The name does not need to relate to the traffic being matched, but it is good practice to use intuitive rule names. |
| IP version | `set addr-mode <ipv4 \| ipv6>` | The addressing mode can be IPv4 or IPv6. To configure it in the GUI, IPv6 must be enabled on the System > Feature Visibility page. |
The following table describes the fields used for source section of the SD-WAN rule:
Source

| Field | CLI | Description |
|---|---|---|
| Source address | `set src <object>`<br>`set start-src-port <integer>`<br>`set end-src-port <integer>`<br>Use | One or more address objects.<br>Start source port number. CLI only.<br>End source port number. CLI only. |
| User group | `set users <user object>`<br>`set groups <group object>` | Individual users or user groups. |
| Source interface | `set input-device <interface name>`<br>Can be negated with | Select one or more source interfaces. CLI only. |
The following table describes the fields used for the destination section of the SD-WAN rule:
Destination

| Field | CLI | Description |
|---|---|---|
| Address | `set dst <object>`<br>`set protocol <integer>`<br>`set start-port <integer>`<br>`set end-port <integer>`<br>Use | One or more address objects. One protocol and one port range can be combined with the address object. If an SD-WAN rule must match multiple protocols or multiple port ranges, create a custom Internet Service instead. |
| Internet Service | `set internet-service enable`<br>`set internet-service-custom <name_1> <name_2> ... <name_n>`<br>`set internet-service-custom-group <name_1> <name_2> ... <name_n>`<br>`set internet-service-name <name_1> <name_2> ... <name_n>`<br>`set internet-service-group <name_1> <name_2> ... <name_n>` | One or more internet services or service groups. |
| Application | `set internet-service-app-ctrl <id_1> <id_2> ... <id_n>`<br>`set internet-service-app-ctrl-group <name_1> <name_2> ... <name_n>`<br>`set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n>` | One or more applications or application groups. Can be used together with internet services or service groups. |
| Route tag ( | `set route-tag <integer>` | CLI only. This replaces the |
| TOS mask ( | `set tos-mask <8-bit hex value>` | CLI only. To use type of service (TOS) matching or DSCP matching on the IP header, the SD-WAN rule must specify the bit mask of the byte holding the TOS value. For example, a TOS mask of 0xe0 (11100000) matches the upper 3 bits. |
| TOS ( | `set tos <8-bit hex value>` | CLI only. The value specified here is matched after the For example, the FortiGate receives DSCP values 110000 and 111011. (DSCP is the upper 6 bits of the TOS field: 11000000 and 11101100 respectively.) Using the TOS value 0xe0 (11100000), only the second DSCP value is matched. |
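The following Python is an added example, not FortiOS code or anything from Fortinet's documentation. It renders a rule as the nested CLI block shown above (`config system sdwan` / `config service` / `edit <ID>` ... `next` / `end`) using the keywords from the tables, validates the single-protocol, single-port-range and 8-bit TOS constraints the tables describe, and reproduces the TOS mask example (DSCP 110000 and 111011 against `tos-mask 0xe0` / `tos 0xe0`). The match semantics (apply the mask to the packet's TOS byte, then compare with the masked rule value), the accepted value ranges, and all rule IDs, names and address-object names are assumptions made for the example.

```python
"""Render an SD-WAN service rule as FortiOS-style CLI and evaluate its
TOS/DSCP match. Added example, not FortiOS code. CLI keywords follow the
tables on this page; match semantics, value ranges, rule IDs, names and
address-object names are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SdwanRule:
    rule_id: int                      # edit <ID>
    name: str                         # set name <string>
    addr_mode: str = "ipv4"           # set addr-mode <ipv4 | ipv6>
    comment: str = ""                 # set comment <string>
    input_device: List[str] = field(default_factory=list)  # set input-device
    src: List[str] = field(default_factory=list)           # set src
    dst: List[str] = field(default_factory=list)           # set dst
    protocol: Optional[int] = None    # set protocol (one protocol only)
    start_port: Optional[int] = None  # set start-port (one range only)
    end_port: Optional[int] = None    # set end-port
    tos_mask: Optional[int] = None    # set tos-mask <8-bit hex value>
    tos: Optional[int] = None         # set tos <8-bit hex value>


def validate(rule: SdwanRule) -> None:
    """Reject values the CLI would not accept. Ranges (ports 0-65535,
    protocol 0-255, tos/tos-mask one byte) are assumed for this example."""
    if rule.addr_mode not in ("ipv4", "ipv6"):
        raise ValueError("addr-mode must be ipv4 or ipv6")
    if rule.protocol is not None and not 0 <= rule.protocol <= 255:
        raise ValueError("protocol must be 0-255")
    if (rule.start_port is None) != (rule.end_port is None):
        raise ValueError("start-port and end-port must be set together")
    if rule.start_port is not None and not 0 <= rule.start_port <= rule.end_port <= 65535:
        raise ValueError("port range must be within 0-65535 with start <= end")
    if (rule.tos_mask is None) != (rule.tos is None):
        raise ValueError("TOS/DSCP matching needs both tos-mask and tos")
    for value in (rule.tos_mask, rule.tos):
        if value is not None and not 0 <= value <= 0xFF:
            raise ValueError("tos and tos-mask are 8-bit values")


def render(rule: SdwanRule) -> str:
    """Render the rule as the nested CLI block the page shows."""
    validate(rule)
    quoted = lambda names: " ".join(f'"{n}"' for n in names)
    body = [f'set name "{rule.name}"', f"set addr-mode {rule.addr_mode}"]
    if rule.comment:
        body.append(f'set comment "{rule.comment}"')
    if rule.input_device:
        body.append("set input-device " + quoted(rule.input_device))
    if rule.src:
        body.append("set src " + quoted(rule.src))
    if rule.dst:
        body.append("set dst " + quoted(rule.dst))
    if rule.protocol is not None:
        body.append(f"set protocol {rule.protocol}")
    if rule.start_port is not None:
        body.append(f"set start-port {rule.start_port}")
        body.append(f"set end-port {rule.end_port}")
    if rule.tos_mask is not None:
        body.append(f"set tos-mask 0x{rule.tos_mask:02x}")
        body.append(f"set tos 0x{rule.tos:02x}")
    lines = ["config system sdwan", "    config service", f"        edit {rule.rule_id}"]
    lines += ["            " + line for line in body]
    lines += ["        next", "    end", "end"]
    return "\n".join(lines)


def dscp_to_tos(dscp: int) -> int:
    """DSCP is the upper 6 bits of the TOS byte, so shift it left by 2."""
    return (dscp & 0x3F) << 2


def tos_matches(rule: SdwanRule, tos_byte: int) -> bool:
    """Assumed semantics: mask the packet's TOS byte with tos-mask and compare
    it with the masked rule value. A rule with no TOS constraint matches all."""
    if rule.tos_mask is None:
        return True
    return (tos_byte & rule.tos_mask) == (rule.tos & rule.tos_mask)


if __name__ == "__main__":
    # Constructed rule: UDP 5060-5061 to "SIP-servers", matching the upper 3 TOS bits.
    rule = SdwanRule(7, "voice-out", src=["LAN-net"], dst=["SIP-servers"],
                     protocol=17, start_port=5060, end_port=5061,
                     tos_mask=0xE0, tos=0xE0)
    print(render(rule))
    for dscp in (0b110000, 0b111011):
        print(f"DSCP {dscp:06b} -> TOS 0x{dscp_to_tos(dscp):02x}: match={tos_matches(rule, dscp_to_tos(dscp))}")
```

Running the block prints the CLI block and then `match=False` for DSCP 110000 and `match=True` for DSCP 111011, which is the outcome the TOS description above states: with the mask 0xe0 only the upper three bits are compared, so 110 does not equal 111 but 111 does.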
By default, individual applications and application groups cannot be selected in SD-WAN rules. To enable this functionality in the GUI, go to System > Feature Visibility and enable Application Detection Based SD-WAN. In the CLI, enter:
```
config system global
    set gui-app-detection-sdwan enable
end
```