
[V18 SD WAN] Application routing does not work

Hello,

I am currently testing the SD WAN functionalities, and one of the most interesting things for me does not work in our LAB...

Let's imagine I have two WAN links, one production and one backup, configured in the WAN link manager as active/backup.

I don't want Streaming Application to be routed by the backup link, so I created this SDWAN policy

(heavy traffic includes the category Streaming Application)

=> when the production link ADSL is disconnected, I have access to YouTube (for example) through the backup link.

YouTube Video is correctly identified in the application list, and should not be routed through the backup link... but it does!

Any ideas?

  • Hi,

    With that rule order nothing will get to the second rule, so as it is the HTTPS and HTTP will go out the "any" rule.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • With that rule order nothing will get to the second rule, so as it is the HTTPS and HTTP will go out the "any" rule.

    What I have now is:

    1. Rule 1 - criterion is Application (Streaming). WAN interface: DSL
    2. Rule 2 - HTTP and HTTPS. WAN interface: LTE

    I assumed that the application/streaming rule would take precedence since it's the first rule.

    Are you saying that rule 2 (HTTP/HTTPS) takes precedence even though the first rule specifies the application?

    If this is the case, how would I configure the rules so Streaming is routed to a specific interface?

  • Hi,

    What I am saying is that the rule order takes precedence, not the rule number. You had "any" service in the higher-placed rule, which would allow HTTP/S out.

    Also I assume you have a linked NAT rule for each firewall rule?

    Ian


  • What I am saying is that the rule order takes precedence, not the rule number. You had "any" service in the higher-placed rule, which would allow HTTP/S out.

    Also I assume you have a linked NAT rule for each firewall rule?


    OK - I understand where you're coming from now. However, the first rule "Force streaming to DSL", while having the criterion "any service", does have the Application Object set to "Streaming Media".

    That's why I figured this rule would fire on streaming media.

    As far as the NAT config, I'd have to take a look. I haven't looked at it since I upgraded from v17.

  • Hi Arie,

    This is a comment and I cannot remember where I got it from: "The application function in a firewall rule is primarily designed as DENY and is not very good at ALLOW."

    I would suggest you change your destination to some streaming sites and add the ports they use to improve your testing.

    Ian


  • This is a comment and I cannot remember where I got it from: "The application function in a firewall rule is primarily designed as DENY and is not very good at ALLOW."

    I would suggest you change your destination to some streaming sites and add the ports they use to improve your testing.

    Hi Ian,

    Okay - I remember reading something like that also, but since Sophos has instructions specifically for the scenario in question (routing streaming media) I figured this would be fully supported. Judging by the questions people are posting about it I wonder if it is all working as intended, though.


    By the way, here's the official Sophos video I am referring to: https://vimeo.com/390800287.


    As far as adding the ports for streaming, I doubt that would work since the initial client request for the video would be over 443.

    I have, however, added a category "Search Engines" in the application section. No luck so far, though. It's possible that I need to wait for the TTL to expire (3600 seconds). Aside from rebooting the XG I don't know of a way to clear the tables. Anything in the CLI?


  • Hi Arie,

    I had some issues with that video; it does not really apply to v18 GA SR2, e.g. there is no troubleshooting tab.

    I would suggest you try changing your destination to a specific site.

    I have one of my streaming radio station applications point at the station server; it also uses a specific port.

    If you have a rule allowing HTTPS (443) for the initial connection/setup, then add a rule with the actual application streaming port and redirect that using SD-WAN.

    Ian


    Late breaking thought - something you said in an earlier post about migration, have you deleted all of your SD-WAN migration policies?


  • Hi,

    After doing some debugging with Sophos support, it's clear that this SDWAN routing by application feature is crap... by design.

    When you go to the YouTube website, XG will consider the traffic to be port 443 for the SD-WAN routing policy, and not the YouTube Video application.

    This feature is useless unless there is a real improvement in the way it has been implemented.

  • Hi Ian,

    I had some issues with that video; it does not really apply to v18 GA SR2, e.g. there is no troubleshooting tab.

    I had noticed the discrepancy also, but given that Sophos went through the trouble of specifically linking this video from the admin interface you'd think the information would be reliable.

    I would suggest you try changing your destination to a specific site.

    That may be the only way to get this to work.

    I have one of my streaming radio station applications point at the station server; it also uses a specific port.

    Does it use a specific port even for the client request? I.e. not 80/443?

    If you have a rule allowing HTTPS (443) for the initial connection/setup, then add a rule with the actual application streaming port and redirect that using SD-WAN.

    Would that work? I'd imagine that the behavior would be unpredictable at best if 'regular' (443/80) traffic goes out on a different egress IP address than you want the response (i.e. streaming) to come in on. The server is going to send the response to whichever public address made the request.

    Late breaking thought - something you said in an earlier post about migration, have you deleted all of your SD-WAN migration policies?

    I've started looking at that a bit more. After migration I cleaned up a bunch of stuff, but it looks like I never got around to cleaning up NAT. There might be more migration stuff lurking in other places.

    I did, however, clone my FW-rule and create a new NAT (MASQ) policy for it to replace the migrated policy. Unfortunately, no luck so far.

    Troubleshooting is cumbersome, though, since there doesn't seem to be a way to clear the persistence other than rebooting the XG.

  • guillaume bottollier said:

    After doing some debugging with Sophos support, it's clear that this SDWAN routing by application feature is crap... by design.

    That's very troubling, given that you've worked directly with Sophos support...

    guillaume bottollier said:

    When you go to the YouTube website, XG will consider the traffic to be port 443 for the SD-WAN routing policy, and not the YouTube Video application.

    I've been wondering how Sophos would implement this, as many streaming providers would have the user visit the site on 443 and thus make the request from there. Some providers will use a different (hopefully dedicated) FQDN for the stream request, so theoretically XG could route that request through the other WAN interface. However, it remains to be seen if authentication would survive switching IP addresses.

    I haven't examined YouTube in depth (yet), but Sophos' approach could work if YouTube has a dedicated FQDN from which the client makes a request for the stream. If XG routes that request to the other interface it should work.

    If I have some time I'll see if I can set up my own rules to implement this as a PoC.

    guillaume bottollier said:

    This feature is useless unless there is a real improvement in the way it has been implemented.

    Agreed. But it would certainly help if it weren't so much of a black box. Getting the details on what is routed where and for what reason is much too cumbersome and limited.

  • It is crystal clear:

    "Application objects store the application's session details (protocol, destination port, and destination IP address) during the first session. XG Firewall uses the session details to match traffic with an SD-WAN routing policy for future sessions. When session details have been removed or haven't yet been stored, XG Firewall doesn't apply policy-based routing."

    Meaning that XG will consider the first session established to be HTTPS 443 to the YouTube website, which is NOT a streaming application.

    As a result, videos played in this session won't be reconsidered as streaming, even if recognized as "YouTube video streaming" in the application list of the current connections.

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html
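
The quoted documentation paragraph and the rule-order remarks earlier in the thread can be put together in a small simulation. The Python below is an added example written for this page; it is not Sophos code and does not reproduce XG internals. It models only what the thread states: rules are evaluated strictly top-down, an "any service" rule matches everything below it, and an application object can only match a new session when details (protocol, destination port, destination IP) were stored from an earlier session. The rule names, the `Rule`/`PolicyRouter` classes, the IP addresses (documentation ranges) and the DPI labels are all constructed for the example.

```python
"""Constructed model of SD-WAN policy routing with a learned application cache.

Added example for this thread, not Sophos code: it simulates the documented
behaviour (top-down rule order; application criteria match on session details
learned from an earlier session) with invented names and addresses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, int]          # (protocol, destination port)
SessionKey = Tuple[str, int, str]  # (protocol, destination port, destination IP)


@dataclass
class Rule:
    name: str
    wan: str                           # WAN interface the rule routes to
    services: Optional[Set[Service]]   # None means "any service"
    application: Optional[str] = None  # application object criterion, if any


@dataclass
class PolicyRouter:
    rules: List[Rule]
    default_wan: str
    # Session details stored from earlier sessions, keyed the way the
    # documentation quote describes: protocol, destination port, destination IP.
    learned: Dict[SessionKey, str] = field(default_factory=dict)

    def route(self, proto: str, dst_port: int, dst_ip: str) -> Tuple[str, str]:
        """Pick the WAN for a NEW session, evaluating rules strictly top-down."""
        learned_app = self.learned.get((proto, dst_port, dst_ip))
        for rule in self.rules:
            if rule.services is not None and (proto, dst_port) not in rule.services:
                continue
            # With nothing stored yet, an application criterion can never match,
            # so the first session falls through to the remaining rules.
            if rule.application is not None and learned_app != rule.application:
                continue
            return rule.wan, rule.name
        return self.default_wan, "default route"

    def observe(self, proto: str, dst_port: int, dst_ip: str, app: str) -> None:
        """Record what DPI identified inside a session, for future sessions only."""
        self.learned[(proto, dst_port, dst_ip)] = app


# Constructed addresses (documentation ranges), not real video or radio servers.
VIDEO_SITE_IP = "203.0.113.10"
RADIO_IP = "198.51.100.20"


def thread_scenario() -> Tuple[Tuple[str, str], ...]:
    """Rules as posted: streaming -> DSL first, HTTP/HTTPS -> LTE second."""
    router = PolicyRouter(
        rules=[
            Rule("Force streaming to DSL", "DSL", services=None, application="Streaming Media"),
            Rule("Web to LTE", "LTE", services={("tcp", 80), ("tcp", 443)}),
        ],
        default_wan="DSL",
    )
    # 1. First session to the video site: nothing stored, the application rule
    #    cannot match, and plain HTTPS is routed by rule 2.
    first = router.route("tcp", 443, VIDEO_SITE_IP)
    # 2. DPI classifies that session as the web page itself; a video played
    #    later inside the same session does not change where it was routed.
    router.observe("tcp", 443, VIDEO_SITE_IP, "Web Browsing")
    second = router.route("tcp", 443, VIDEO_SITE_IP)
    # 3. If "Streaming Media" is stored for the same key instead, every later
    #    session to (tcp, 443, that IP) goes to DSL, page loads included: the
    #    stored key cannot tell the page from the stream.
    router.observe("tcp", 443, VIDEO_SITE_IP, "Streaming Media")
    third = router.route("tcp", 443, VIDEO_SITE_IP)
    return first, second, third


def dedicated_port_scenario() -> Tuple[Tuple[str, str], ...]:
    """Radio case from the thread: the stream has its own server and port, so
    the stored key is unambiguous once one session has been seen."""
    router = PolicyRouter(
        rules=[
            Rule("Radio stream to DSL", "DSL", services=None, application="Internet Radio"),
            Rule("Web to LTE", "LTE", services={("tcp", 80), ("tcp", 443)}),
        ],
        default_wan="LTE",
    )
    first = router.route("tcp", 8000, RADIO_IP)   # nothing stored yet -> default
    router.observe("tcp", 8000, RADIO_IP, "Internet Radio")
    second = router.route("tcp", 8000, RADIO_IP)  # stored details match -> DSL
    web = router.route("tcp", 443, RADIO_IP)      # the station's web page stays on LTE
    return first, second, web


def any_service_first() -> Tuple[str, str]:
    """An 'any service' rule above the HTTP/HTTPS rule catches web traffic
    before the second rule is ever consulted."""
    router = PolicyRouter(
        rules=[
            Rule("Anything to DSL", "DSL", services=None),
            Rule("Web to LTE", "LTE", services={("tcp", 80), ("tcp", 443)}),
        ],
        default_wan="LTE",
    )
    return router.route("tcp", 443, "192.0.2.30")


if __name__ == "__main__":
    print(thread_scenario())
    print(dedicated_port_scenario())
    print(any_service_first())
```

The model makes the two outcomes discussed above visible side by side: on a shared HTTPS endpoint the stored (protocol, port, IP) key either never matches the streaming rule or matches it for every session, while a stream on a dedicated server and port is routed as intended from the second session onward. Anyone testing this on real equipment should expect the first session to a destination to be routed without the application criterion, which is consistent with the persistence and TTL observations in the thread.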