SD-WAN policy
Hello.
Thanks to the community, we now have a working SD-WAN.
Primary WAN
Secondary WAN (Windows Update etc.)
Looking in the traffic monitor, SD-WAN seems to be working fine.
However, in the traffic monitor, traffic was flowing with a policy named ANY-OUT.
What is causing it to reach the policy named ANY-OUT?
The order of the policies is:
1. Secondary WAN
2. Primary WAN
3. ANY-OUT
Comments
What is the port being accessed? The log entry should show you.
Is that port included in either of your SD-WAN policies?
Care to post that ANY-OUT log entry?
Thanks for replying.
I will write out the policies in more detail.
1. Secondary WAN (Any-Trusted ➞ pppoe (Windows Update etc.))
2. Primary WAN (Any-Trusted to Any-Untrust)
3. ANY-OUT (Any-Trusted to Any-Untrust, pppoe)
Part of the log looks like this:
Allow 192.168.10.15 8.8.4.4 HTTP Protocol over TLS SSL 52271 443 Trust Optional-4 Application identified 40 126 (Any-out-00)
It is not clear if you are specifying the external interface to use in the To: field in your examples above.
If you are doing this, then you must use Any-External instead of a specific WAN interface in the To: field of a policy for outgoing Internet traffic, and use an SD-WAN action to specify the preferred WAN port for the policy.
Using a specific WAN interface in the To: field of a policy results in unexpected routing.
Sorry for the lack of explanation.
Here is the information on the policies and interfaces.
I assumed that policy 2, Primary WAN, would send all traffic out the specified interface...

Aliases
Optional-4 (Secondary WAN)
Untrust (Primary WAN)
Untrust is configured for link aggregation with Optional-2 and Optional-3.
Trust (LAN)

Policies
1. Secondary WAN
From: Trust, Any-Trusted
To: FQDN (*.windowsupdate.com etc.)
SD-WAN interface: Optional-4
2. Primary WAN
From: Trust, Any-Trusted
To: FQDN (*.youtube.com), Untrust, Any-Optional
SD-WAN interface: Untrust
3. ANY-OUT
From: Trust, Any-Trusted
To: Optional-4, Untrust, Any-Optional
Also note that 8.8.4.4 is a Google DNS server IP address, so this is almost certainly DNS over HTTPS (DoH).
One can stop the use of DoH through settings in one's web browser.
Use of DoH seems to be a default setting in most web browsers at this time.
Note that the use of DoH prevents monitoring of DNS queries, such as by WG DNSWatch or by a DNS proxy, since the DNS traffic is embedded in HTTPS and is encrypted.
There was also other traffic flowing through ANY-OUT; each of the three policies specifies the protocol as Any.
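The thread makes two points worth checking against the quoted log line: a destination that matches none of the FQDN entries in policies 1 and 2 falls through, first match wins, to ANY-OUT, and a 443 flow to 8.8.4.4 is very likely DoH rather than ordinary web traffic. The script below is an added example, not code from the original thread or from WatchGuard: it parses the single log line quoted above (embedded here as a constructed sample), flags HTTPS to well-known public resolvers, and runs a deliberately simplified first-match model of the three policies as the poster listed them. The field layout assumed by the regex, the resolver list, and the matching model (FQDN wildcards or an Any-External catch-all, evaluated in listed order) are assumptions for illustration and are not a description of the Firebox policy engine.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample: the ANY-OUT entry quoted in the thread.
SAMPLE_LOG = ("Allow 192.168.10.15 8.8.4.4 HTTP Protocol over TLS SSL 52271 443 "
              "Trust Optional-4 Application identified 40 126 (Any-out-00)")

# Assumed field layout: action, src, dst, protocol name (may contain spaces),
# src port, dst port, ingress alias, egress alias, free text, (policy name).
LOG_RE = re.compile(
    r"^(?P<action>Allow|Deny)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>.+?)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+"
    r".*\((?P<policy>[^)]+)\)$")

# Assumed list of public resolvers commonly used as DoH endpoints.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def parse_log(line):
    """Split one traffic-monitor line into named fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def looks_like_doh(entry):
    """TLS on 443 straight to a public resolver IP: treat as probable DoH."""
    return entry["dport"] == 443 and entry["dst"] in PUBLIC_RESOLVERS


@dataclass
class Policy:
    name: str
    fqdns: list = field(default_factory=list)   # wildcard patterns in To:
    any_external: bool = False                   # To: Any-External catch-all
    sdwan_if: str = ""                           # preferred egress (SD-WAN action)


def first_match(policies, dst_fqdn=None):
    """Simplified model: walk policies in listed order, return the first whose
    To: field covers the destination. Returns (policy name, egress alias)."""
    host = (dst_fqdn or "").lower()
    for p in policies:
        if p.any_external or any(fnmatchcase(host, pat.lower()) for pat in p.fqdns):
            return p.name, p.sdwan_if
    return None, None


# Policies as listed by the poster: only FQDN entries in 1 and 2, catch-all in 3.
AS_POSTED = [
    Policy("Secondary WAN", ["*.windowsupdate.com"], sdwan_if="Optional-4"),
    Policy("Primary WAN", ["*.youtube.com"], sdwan_if="Untrust"),
    Policy("ANY-OUT", any_external=True, sdwan_if=""),
]

# The commenter's suggestion: Primary WAN gets Any-External in To: and an
# SD-WAN action preferring Untrust, so nothing is left for ANY-OUT to catch.
AS_SUGGESTED = [
    Policy("Secondary WAN", ["*.windowsupdate.com"], sdwan_if="Optional-4"),
    Policy("Primary WAN", any_external=True, sdwan_if="Untrust"),
    Policy("ANY-OUT", any_external=True, sdwan_if=""),
]


def explain(line, policies):
    """Return which modelled policy the logged destination would hit, and whether
    the flow looks like DoH. An IP-only destination (no FQDN) matches no wildcard."""
    entry = parse_log(line)
    name, egress = first_match(policies, dst_fqdn=None)
    return {"logged_policy": entry["policy"], "modelled_policy": name,
            "egress": egress, "doh": looks_like_doh(entry)}


if __name__ == "__main__":
    print(explain(SAMPLE_LOG, AS_POSTED))      # falls through to ANY-OUT
    print(explain(SAMPLE_LOG, AS_SUGGESTED))   # caught by Primary WAN, egress Untrust
    print(first_match(AS_POSTED, "dl.windowsupdate.com"))
```

Run it as-is to see the fall-through: with the policies as posted the 8.8.4.4 flow matches no FQDN pattern and lands on the catch-all, which is consistent with the `(Any-out-00)` tag in the log; with a catch-all plus SD-WAN action on Primary WAN the same flow is claimed earlier. The `looks_like_doh` check is a heuristic keyed on destination IP and port only, so it should be read as a triage hint, not proof of DoH.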