[V18 SD WAN] Application routing does not work

Hello,

I am currently testing the SD WAN functionalities, and one of the most interesting things for me does not work in our LAB...

Let's imagine I have two WAN links, one production and one backup, configured in the WAN link manager as active/backup.

I don't want Streaming Application traffic to be routed through the backup link, so I created this SDWAN policy

(heavy traffic includes the category Streaming Application)

=> when the production ADSL link is disconnected, I have access to YouTube (for example) through the backup link.

YouTube Video is correctly identified in the application list, and should not be routed through the backup link... but it does!

Any ideas?

  • In reply to guillaume bottollier:

    guillaume bottollier

    After doing some debugging with Sophos support, it's clear that this SDWAN routing-by-application feature is crap... by design.

    That's very troubling, given that you've worked directly with Sophos support...

    guillaume bottollier

    When you go to the YouTube website, XG will consider the traffic to be port 443 for the SD-WAN routing policy, and not the YouTube Video application.

    I've been wondering how Sophos would implement this, as many streaming providers would have the user visit the site on 443 and thus make the request from there. Some providers will use a different (hopefully dedicated) FQDN for the stream request, so theoretically XG could route that request through the other WAN interface. However, it remains to be seen if authentication would survive switching IP addresses.

    I haven't examined YouTube in depth (yet), but Sophos' approach could work if YouTube has a dedicated FQDN from which the client makes a request for the stream. If XG routes that request to the other interface it should work.

    If I have some time I'll see if I can set up my own rules to implement this as a PoC.

    guillaume bottollier

    This feature is useless, unless there is a real improvement in the way it has been implemented.

    Agreed. But it would certainly help if it weren't so much of a black box. Getting the details on what is routed where and for what reason is much too cumbersome and limited.
  • In reply to Arie:

    It is crystal clear:

    "Application objects store the application's session details (protocol, destination port, and destination IP address) during the first session. XG Firewall uses the session details to match traffic with an SD-WAN routing policy for future sessions. When session details have been removed or haven't yet been stored, XG Firewall doesn't apply policy-based routing."

    Meaning that XG will consider the first session established to be HTTPS 443 to the YouTube website, which is NOT a streaming application.

    As a result, videos played in this session won't be reconsidered as streaming, even if recognized as "YouTube video streaming" in the application list of the current connections.

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html

  • In reply to guillaume bottollier:

    The main focus of SD-WAN Application-based Routing is Synchronized Application Control. Therefore the application will be sent to XG by the Central Endpoint.

    This feature works quite nicely. BTW: SAC cannot differentiate between YouTube Stream and YouTube Website, because both actually use the browser. It is more like a Web Category than an Application. There is still work that needs to be done on the Web Category stuff. YouTube Stream vs YouTube Website is just a small part. Take a look at CASB, and you will notice there is a big difference between Teams Application, Skype Application, Skype Call, Skype Video etc.

    If you do not use SAC (because you do not have Heartbeat), XG can only use the IPS information of the Application category.

    The downside of YouTube is that it changes the IPs and the source ports a lot. So as the online help tells, SD-WAN tracks the port (source/destination) and IP (source/destination) and tries to figure out which application it could be. As written, the first connection cannot be used, because it is not fast enough. The next session could be routed. But if you refresh the stream, you probably get new connection information, therefore stream information from the first connection will not be applied.

    PS: I am not saying this is perfect, and there is more work to be done, but it is working nicely with common apps (Application) which are not running in a browser.

    PS2: In conntrack -L / -E grep IP you can see a filter "pbrid_dir0=0 pbrid_dir1=0" which indicates which Policy Based Rule is used.
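As an added illustration (constructed here, not code from the thread or from Sophos), a small Python model of the session-learning behaviour quoted from the online help above and of the YouTube failure mode just described: the first session to a given protocol/port/IP gets no policy route, the next session to the same triple does, and a refreshed stream landing on a new CDN IP is unmatched again. The flow sequence, the IPs and the "no failover" outcome for a pinned app are assumptions.

```python
from dataclasses import dataclass, field

PRODUCTION, BACKUP, PINNED_DOWN = "production", "backup", "production-only"

@dataclass
class Flow:
    proto: str
    dst_ip: str
    dport: int
    detected_app: str  # what the app engine identifies once the session is underway

@dataclass
class SdwanPolicy:
    """Toy model (constructed, not Sophos code) of the quoted learning behaviour."""
    pinned_apps: set                              # apps that must stay on production
    learned: dict = field(default_factory=dict)   # (proto, dport, dst_ip) -> app

    def route(self, flow: Flow, production_up: bool) -> str:
        key = (flow.proto, flow.dport, flow.dst_ip)
        # At flow start only previously stored session details are available;
        # the app detected during *this* session is not known yet.
        known_app = self.learned.get(key)
        # Store details so future sessions to the same triple can match.
        self.learned[key] = flow.detected_app
        if known_app in self.pinned_apps:
            # Assumption: a policy without failover keeps the app on production,
            # so it is simply unreachable while that link is down.
            return PRODUCTION if production_up else PINNED_DOWN
        # No policy match: plain WAN link manager active/backup behaviour.
        return PRODUCTION if production_up else BACKUP

def replay(flows, production_up=False):
    policy = SdwanPolicy(pinned_apps={"YouTube Video"})
    return [policy.route(f, production_up) for f in flows]

# Constructed sequence: site visit, first stream, same CDN IP again, new CDN IP.
FLOWS = [
    Flow("tcp", "203.0.113.10", 443, "YouTube Website"),
    Flow("tcp", "203.0.113.10", 443, "YouTube Website"),
    Flow("tcp", "203.0.113.20", 443, "YouTube Video"),   # first stream session
    Flow("tcp", "203.0.113.20", 443, "YouTube Video"),   # now matched and pinned
    Flow("tcp", "203.0.113.30", 443, "YouTube Video"),   # refresh: new IP, unmatched
]

if __name__ == "__main__":
    for f, link in zip(FLOWS, replay(FLOWS)):  # production link down
        print(f"{f.dst_ip}:{f.dport} {f.detected_app:16} -> {link}")
```

With the production link down, three of the five YouTube sessions still leave via the backup link, which is the 10-20% success rate the thread complains about in miniature.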

  • In reply to LuCar Toni:

    Hello

    I clearly agree with you that it's a huge challenge to classify an app through a web browser.

    But in most of the cases, where I can't install an agent on devices (BYOD, smartphones etc...), the routing of streaming applications works 10 to 20% of the time, so it's not reliable at all.

    My clients don't care about complicated explanations or arguments; marketing said it works, and it doesn't.

    After a long wait and hopes for this feature in v18, it's disappointing... at least!

  • In reply to guillaume bottollier:

    guillaume bottollier

    It is crystal clear:

    "Application objects store the application's session details (protocol, destination port, and destination IP address) during the first session. XG Firewall uses the session details to match traffic with an SD-WAN routing policy for future sessions. When session details have been removed or haven't yet been stored, XG Firewall doesn't apply policy-based routing."

    Meaning that XG will consider the first session established to be HTTPS 443 to the YouTube website, which is NOT a streaming application.

    As a result, videos played in this session won't be reconsidered as streaming, even if recognized as "YouTube video streaming" in the application list of the current connections.

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html

    I have read that, but I assumed that requests to different services/applications would get their own session. This should be possible especially if the streaming service uses dedicated FQDNs for the actual stream.

    Regardless, it's frustrating that sessions cannot be easily reset by the administrator.

  • In reply to LuCar Toni:

    Thank you for your reply.

    LuCar Toni

    This feature works quite nicely. BTW: SAC cannot differentiate between YouTube Stream and YouTube Website, because both actually use the browser. It is more like a Web Category than an Application. There is still work that needs to be done on the Web Category stuff. YouTube Stream vs YouTube Website is just a small part. Take a look at CASB, and you will notice there is a big difference between Teams Application, Skype Application, Skype Call, Skype Video etc.

    Since YouTube is included in the Streaming category it gives the impression that it is supported. It is quite confusing to have a category of which some of the entries will work and some will not without knowing which.

    LuCar Toni

    The downside of YouTube is that it changes the IPs and the source ports a lot. So as the online help tells, SD-WAN tracks the port (source/destination) and IP (source/destination) and tries to figure out which application it could be. As written, the first connection cannot be used, because it is not fast enough. The next session could be routed. But if you refresh the stream, you probably get new connection information, therefore stream information from the first connection will not be applied.

    For services like YouTube that share "customer interaction" and streaming, but where the bulk of the traffic would be streaming, wouldn't it make sense to treat all components as streaming? After all, specifically for streaming it's usually about bandwidth and QoS.

  • In reply to LuCar Toni:

    Why has SD-WAN routing by Web Categories not been implemented?

    It would solve the biggest part of the problem!

  • In reply to guillaume bottollier:

    I assume this is not quite easy to implement.

    As mentioned earlier, SAC can actually use the data sent by the Endpoint.

    The proxy has to use data coming in real time to decide which data it actually is.

    PS: I do not know the reason for sure, I am just trying to help understand what could lead to this issue right now. But there is more work to be done for the future.

  • In reply to LuCar Toni:

    I figured it would be possible to tweak the Application Settings, but that doesn't seem to be an option.

    Is it not possible to create custom rules/FQDNs for SD-WAN routing?