
[V18 SD WAN] Application routing does not work

Hello,

I am currently testing the SD-WAN functionalities, and one of the most interesting things for me does not work in our lab...

Let's imagine I have two WAN links, one production and one backup, configured in the WAN link manager as active/backup.

I don't want Streaming Applications to be routed via the backup link, so I created this SD-WAN policy

(heavy traffic includes the category Streaming Application)

=> when the production ADSL link is disconnected, I have access to YouTube (for example) through the backup link.

YouTube Video is correctly identified in the application list and should not be routed through the backup link... but it does!

Any ideas?

  • Hello

    Thanks for the links, but this does not help me solve this issue. I followed the video to build my SD-WAN route policy, which is exactly what I want to do!

    But this does not work: streaming is routed through the backup link regardless of the policy.

  • Hi Ian,

    I had some issues with that video; it does not really apply to v18 GA SR2, e.g. there is no troubleshooting tab.

    I had noticed the discrepancy also, but given that Sophos went through the trouble of specifically linking this video from the admin interface you'd think the information would be reliable.

    I would suggest you try changing your destination to a specific site.

    That may be the only way to get this to work.

    I have one of my streaming radio station applications pointed at the station server; it also uses a specific port.

    Does it use a specific port even for the client request? I.e. not 80/443?

    What if you had a rule allowing HTTPS (443) for the initial connection/setup, and then a rule with the actual application streaming port, and redirected that using SD-WAN?

    Would that work? I'd imagine that the behavior would be unpredictable at best if 'regular' (443/80) traffic goes out on a different egress IP-address than you want the response (i.e. streaming) to come in on. The server is going to send the response to whichever public address made the request. 

    Late-breaking thought: something you said in an earlier post about migration; have you deleted all of your SD-WAN migration policies?

    I've started looking at that a bit more. After migration I cleaned up a bunch of stuff, but it looks like I never got around to cleaning up NAT. There might be more migration-stuff lurking in other places.

    I did, however, clone my FW-rule and create a new NAT (MASQ) policy for it to replace the migrated policy. Unfortunately, no luck so far.

    Troubleshooting is cumbersome, though, since there doesn't seem to be a way to clear the persistence other than rebooting the XG.

  • guillaume bottollier said:

    After doing some debugging with Sophos support, it's clear that this SD-WAN routing-by-application feature is crap... by design.

    That's very troubling, given that you've worked directly with Sophos support...

    guillaume bottollier said:

    When you go to the YouTube website, XG will consider the traffic to be port 443 for the SD-WAN routing policy, and not the YouTube Video application.

    I've been wondering how Sophos would implement this, as many streaming providers would have the user visit the site on 443 and thus make the request from there. Some providers will use a different (hopefully dedicated) FQDN for the stream request so theoretically XG could route that request through the other WAN-interface. However, it remains to be seen if authentication would survive switching IP-addresses.

    I haven't examined YouTube in depth (yet), but Sophos' approach could work if YouTube has a dedicated FQDN from which the client makes a request for the stream. If XG routes that request to the other interface it should work.

    If I have some time I'll see if I can set up my own rules to implement this as a PoC.

    guillaume bottollier said:

    This feature is useless, unless there is a real improvement in the way it has been implemented.

    Agreed. But it would certainly help if it weren't so much of a black box. Getting the details on what is routed where and for what reason is much too cumbersome and limited.
  • It is crystal clear:

    "Application objects store the application's session details (protocol, destination port, and destination IP address) during the first session. XG Firewall uses the session details to match traffic with an SD-WAN routing policy for future sessions. When session details have been removed or haven't yet been stored, XG Firewall doesn't apply policy-based routing."

    Meaning that XG will consider the first session established to be HTTPS 443 to the YouTube website, which is NOT a streaming application.

    As a result, videos played in this session won't be reconsidered as streaming, even if recognized as "YouTube video streaming" in the application list of the current connections.

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html

  • The main focus of SD-WAN application-based routing is Synchronized Application Control. Therefore the application will be sent to XG by the Central endpoint.

    This feature works quite nicely. BTW: SAC cannot differentiate between YouTube Stream and YouTube Website, because both actually use the browser. It is more like a Web Category than an Application. There is still work that needs to be done on the Web Category stuff. YouTube Stream vs YouTube Website is just a small part. Take a look at CASB, and you will notice there is a big difference between Teams Application, Skype Application, Skype Call, Skype Video etc.

    If you do not use SAC (because you do not have Heartbeat), XG can only use the IPS information of the Application category. 

    The downside of YouTube is that it changes the IPs and the source ports a lot. So, as the online help tells, SD-WAN tracks down the port (source / destination) and IP (source / destination) and tries to figure out which application it could be. As written, the first connection cannot be used, because it is not fast enough. The next session could be routed. But if you refresh the stream, you probably get new connection information, therefore the stream information from the first connection will not be applied.

    PS: I am not saying this is perfect, and there is more work to be done, but it is working nicely with common apps (Application) which are not running in a browser.

    PS2: In conntrack -L / -E | grep <IP> you can see a filter "pbrid_dir0=0 pbrid_dir1=0" which indicates which policy-based rule is used.

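The behaviour described in the online-help quote earlier in this thread ("application objects store the application's session details ... during the first session ... for future sessions") and in the post above (first connection cannot be used; a refreshed stream gets new connection details) can be reproduced with a small model. This is an added illustration, not Sophos code and not part of the post; the gateway names, application labels and IP addresses are constructed assumptions, and the model deliberately keys the stored session details on (protocol, destination port, destination IP) exactly as the help text lists them.

```python
"""Model of SFOS 18 application-based SD-WAN routing as the online help
describes it: an application object stores the session details
(protocol, destination port, destination IP) seen during the first session,
and only later sessions matching those stored details get the policy route.
Constructed illustration only; names, IPs and gateways are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# What the help text says an application object stores.
SessionKey = Tuple[str, int, str]  # (protocol, destination port, destination IP)


@dataclass
class Session:
    proto: str
    dst_ip: str
    dst_port: int
    app: str  # what app control identifies once enough packets have passed (constructed)


@dataclass
class Firewall:
    # SD-WAN policy: application category -> gateway, with no backup gateway,
    # i.e. that category must never egress on the backup link.
    policy: Dict[str, str]
    gateway_up: Dict[str, bool]
    # Application objects' stored session details, filled in after the fact.
    learned: Dict[SessionKey, str] = field(default_factory=dict)

    def default_gateway(self) -> Optional[str]:
        """WAN link manager in active/backup mode: first gateway that is up."""
        for gw in ("prod", "backup"):
            if self.gateway_up.get(gw):
                return gw
        return None

    def route(self, s: Session) -> Optional[str]:
        """Return the gateway a new session egresses on, or None if it is dropped."""
        key = (s.proto, s.dst_port, s.dst_ip)
        app = self.learned.get(key)
        if app in self.policy:
            # Details were stored by an earlier session: policy-based routing applies,
            # and with no backup gateway a down primary means the session is dropped.
            gw = self.policy[app]
            return gw if self.gateway_up.get(gw) else None
        # No stored details yet: the session is routed the default way before
        # identification completes, so the policy does not apply to it ...
        gw = self.default_gateway()
        # ... and the identified application is stored for *future* sessions.
        self.learned[key] = s.app
        return gw


def streaming_radio_scenario() -> List[Optional[str]]:
    """Fixed server IP and port (the radio station case): production link down.
    First session leaks onto backup, the second is caught by the policy."""
    fw = Firewall(policy={"Streaming": "prod"}, gateway_up={"prod": False, "backup": True})
    radio = Session("tcp", "203.0.113.10", 8000, "Streaming")
    return [fw.route(radio), fw.route(radio)]


def youtube_scenario() -> List[Optional[str]]:
    """Browser-based streaming with changing CDN addresses: production link down."""
    fw = Firewall(policy={"Streaming": "prod"}, gateway_up={"prod": False, "backup": True})
    sessions = [
        Session("tcp", "198.51.100.1", 443, "Web"),         # youtube.com page: generic HTTPS
        Session("tcp", "198.51.100.20", 443, "Streaming"),  # first video host
        Session("tcp", "198.51.100.21", 443, "Streaming"),  # refresh: different video host
        Session("tcp", "198.51.100.20", 443, "Streaming"),  # first video host seen again
    ]
    return [fw.route(s) for s in sessions]


def production_up_scenario() -> List[Optional[str]]:
    """With the primary up, default and policy routes coincide, so nothing looks wrong."""
    fw = Firewall(policy={"Streaming": "prod"}, gateway_up={"prod": True, "backup": True})
    radio = Session("tcp", "203.0.113.10", 8000, "Streaming")
    return [fw.route(radio), fw.route(radio)]


if __name__ == "__main__":
    print("radio, prod down :", streaming_radio_scenario())
    print("youtube, prod down:", youtube_scenario())
    print("radio, prod up   :", production_up_scenario())
```

Only the fourth YouTube session, the one that happens to hit a destination IP seen before, is blocked; every other session reaches the backup link, which is the "works 10 to 20% of the time" behaviour reported later in this thread. The radio-station case works from the second session on because its server address and port never change.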

  • Hello  

    I clearly agree with you that it's a huge challenge to classify an app through a web browser.

    But in most cases, where I can't install an agent on devices (BYOD, smartphones, etc.), the routing of streaming applications works 10 to 20% of the time, so it's not reliable at all.

    My clients don't care about complicated explanations or arguments, marketing said it works, and it doesn't.

    After a long wait and high hopes for this feature in v18, it's disappointing... to say the least!

  • guillaume bottollier said:

    It is crystal clear:

    "Application objects store the application's session details (protocol, destination port, and destination IP address) during the first session. XG Firewall uses the session details to match traffic with an SD-WAN routing policy for future sessions. When session details have been removed or haven't yet been stored, XG Firewall doesn't apply policy-based routing."

    Meaning that XG will consider the first session established to be HTTPS 443 to the YouTube website, which is NOT a streaming application.

    As a result, videos played in this session won't be reconsidered as streaming, even if recognized as "YouTube video streaming" in the application list of the current connections.

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html


    I have read that, but I assumed that requests to different services/applications would get their own session. This should be possible especially if the streaming service uses dedicated FQDNs for the actual stream.

    Regardless, it's frustrating that sessions cannot be easily reset by the administrator.

  • Thank you for your reply.

    LuCar Toni said:

    This feature works quite nicely. BTW: SAC cannot differentiate between YouTube Stream and YouTube Website, because both actually use the browser. It is more like a Web Category than an Application. There is still work that needs to be done on the Web Category stuff. YouTube Stream vs YouTube Website is just a small part. Take a look at CASB, and you will notice there is a big difference between Teams Application, Skype Application, Skype Call, Skype Video etc.

    Since YouTube is included in the Streaming category it gives the impression that it is supported. It is quite confusing to have a category of which some of the entries will work and some will not without knowing which.

    LuCar Toni said:

    The downside of YouTube is that it changes the IPs and the source ports a lot. So, as the online help tells, SD-WAN tracks down the port (source / destination) and IP (source / destination) and tries to figure out which application it could be. As written, the first connection cannot be used, because it is not fast enough. The next session could be routed. But if you refresh the stream, you probably get new connection information, therefore the stream information from the first connection will not be applied.

    For services like YouTube that share "customer interaction" and streaming, but where the bulk of the traffic would be streaming, wouldn't it make sense to treat all components as streaming? After all, specifically for streaming it's usually about bandwidth and QoS.

  • Why has SD-WAN routing by Web Categories not been implemented?

    It would solve the biggest part of the problem!

  • I assume this is not quite easy to implement.

    As mentioned earlier, SAC can actually use the data sent by the Endpoint. 

    The proxy has to use data coming in real time to decide which data it actually is.

    PS: I do not know the reason for sure; I am just trying to help understand what could lead to this issue right now. But there is more work to be done for the future.


  • I figured it would be possible to tweak the Application Settings, but that doesn't seem to be an option.

    Is it not possible to create custom rules/FQDNs for SD-WAN routing? 
