
[V18 SD WAN] Application routing does not work

Hello,

I am currently testing the SD WAN functionalities, and one of the most interesting things for me does not work in our lab...

Let's imagine I have two WAN links, one production and one backup, configured in the WAN link manager as active/backup.

I don't want Streaming Applications to be routed via the backup link, so I created this SD WAN policy

(heavy traffic includes the category Streaming Application)

=> when the production link ADSL is disconnected, I have access to YouTube (for example) through the backup link.

YouTube Video is correctly identified in the application list, and should not be routed through the backup link... but it does!

Any ideas?

  • Hi,

    looking at your rules you have them in the wrong order, but it is very difficult to tell because you have masked the internal IP addresses.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Both rules use the same subnet, as I'm trying to target only applications. In other words, different applications from the same addresses.

    Since the web sites that drive streaming traffic generally use HTTPS (e.g. YouTube) I figured I'd put the rule for streaming traffic first.

  • Hi,

    with that rule order nothing will get to the second rule, so as it is the HTTPS and HTTP will go out the "any" rule.

    Ian


  • Some more information.

    I have created a rule for ICMP so it's easier to test. A tracert to google.com responds exactly the way I would expect the rule to work: when I set the gateway to DSL (Verizon) it follows that route, and when I set it to LTE it uses Sprint. The results are very consistent:

    6 64 ms 50 ms 50 ms sl-crs1-dc-.sprintlink.net
    7 76 ms 41 ms 38 ms sl-mst30-ash-be14.sprintlink.net

    4 40 ms 35 ms 38 ms g101-0-0-2.rcmdva-lcr-22.verizon-gni.net

    In other words, the routing engine functions properly. However, targeting applications fails.

    I have not yet tried separating other types of traffic.

  • with that rule order nothing will get to the second rule, so as it is the HTTPS and HTTP will go out the "any" rule.

    What I have now is:

    1. Rule 1 - criterion is Application (Streaming). WAN interface: DSL
    2. Rule 2 - HTTP and HTTPS. WAN interface: LTE

    I assumed that the application/streaming rule would take precedence since it's the first rule.

    Are you saying that rule 2 (HTTP/HTTPS) takes precedence even though the first rule specifies the application?

    If this is the case, how would I configure the rules so Streaming is routed to a specific interface?

  • Hi,

    what I am saying is the rule order takes precedence, not the rule number. You had "any" service in the higher placed rule which would allow http/s out.

    Also I assume you have a linked NAT rule for each firewall rule?

    Ian


  • what I am saying is the rule order takes precedence, not the rule number. You had "any" service in the higher placed rule which would allow http/s out.

    Also I assume you have a linked NAT rule for each firewall rule?


    OK - I understand where you're coming from now. However, the first rule "Force streaming to DSL", while having the criterion "any service", does have the Application Object set to "Streaming Media".

    That's why I figured this rule would fire on streaming media.

    As far as the NAT config, I'd have to take a look. I haven't looked at it since I upgraded from v17.

  • Hi Arie,

    this is a comment and I cannot remember where I got it from: "The application function in a firewall rule is primarily designed as DENY and is not very good at ALLOW."

    I would suggest you change your destination to some streaming sites and add the ports they use to improve your testing.

    Ian


  • this is a comment and I cannot remember where I got it from: "The application function in a firewall rule is primarily designed as DENY and is not very good at ALLOW."

    I would suggest you change your destination to some streaming sites and add the ports they use to improve your testing.

    Hi Ian,

    Okay - I remember reading something like that also, but since Sophos has instructions specifically for the scenario in question (routing streaming media) I figured this would be fully supported. Judging by the questions people are posting about it I wonder if it is all working as intended, though.


    By the way, here's the official Sophos video I am referring to: https://vimeo.com/390800287.


    As far as adding the ports for streaming, I doubt that would work since the initial client request for the video would be over 443.

    I have, however, added a category "Search Engines" in the application section. No luck so far, though. It's possible that I need to wait for the TTL to expire (3600 seconds). Aside from rebooting the XG I don't know of a way to clear the tables. Anything in the CLI?


  • Hi Arie,

    I had some issues with that video; it does not really apply to v18 GA SR2, e.g. there is no troubleshooting tab.

    I would suggest you try changing your destination to a specific site.

    I have one of my streaming radio station applications point at the station server, it also uses a specific port.

    Have a rule allowing HTTPS (443) for the initial connection/setup and then a rule with the actual application streaming port, and redirect that using SD-WAN.

    Ian


    Late breaking thought - something you said in an earlier post about migration, have you deleted all of your SD-WAN migration policies?


  • Hi,

    After doing some debugging with Sophos support, it's clear that this SD WAN routing-by-application feature is crap... by design.

    When you go to the YouTube website, XG will consider the traffic to be port 443 for the SD WAN routing policy, and not the YouTube Video application.

    This feature is useless unless there is a real improvement in the way it has been implemented.
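To make the two mechanisms argued over in this thread concrete (Ian's point that first-match rule position decides, and the closing finding that the first packets of a flow are matched on port 443 before the application is known), here is a toy first-match SD-WAN policy evaluator. It is added as an illustration and is not Sophos code; the subnet, rule names and the "application is None until classified" behaviour are constructed assumptions modelling what the posts describe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:
    src: str
    dst_port: int
    app: Optional[str] = None  # None until the engine has classified the flow (assumption)

@dataclass
class Rule:
    name: str
    link: str
    src_net: str = "0.0.0.0/0"
    ports: frozenset = frozenset()  # empty = "any service"
    apps: frozenset = frozenset()   # empty = no application criterion

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src_net):
            return False
        if self.ports and f.dst_port not in self.ports:
            return False
        # An application criterion cannot match while f.app is still None,
        # so on the first packets this rule is skipped and evaluation moves on.
        if self.apps and f.app not in self.apps:
            return False
        return True

def route(rules, flow, default="default-gateway"):
    """First-match evaluation: list position decides, not the rule's name or number."""
    for r in rules:
        if r.matches(flow):
            return r.link
    return default

LAN = "192.168.1.0/24"  # constructed; the real internal subnets were masked in the thread

# Arie's final layout: streaming application first, then HTTP/HTTPS.
APP_FIRST = [
    Rule("Force streaming to DSL", "DSL", LAN, apps=frozenset({"Streaming Media"})),
    Rule("Web to LTE", "LTE", LAN, ports=frozenset({80, 443})),
]
# Ian's objection to the earlier layout: an "any service" rule on top swallows everything.
ANY_FIRST = [
    Rule("Any to DSL", "DSL", LAN),
    Rule("Web to LTE", "LTE", LAN, ports=frozenset({80, 443})),
]

def demo():
    first_packet = Flow("192.168.1.10", 443)                       # app unknown yet -> LTE
    identified = Flow("192.168.1.10", 443, app="Streaming Media")  # same flow once classified -> DSL
    return route(APP_FIRST, first_packet), route(APP_FIRST, identified), route(ANY_FIRST, first_packet)
```

Because the route is chosen on the first packet, the same YouTube flow lands on LTE under APP_FIRST even though it would have matched the streaming rule once identified, which is the behaviour the final post reports.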