Application Aware Outbound Policies (DPI Traffic Steering)

Good Afternoon
Will we be able to do outbound policies via application type soon?
Under “Active Sessions” we can accurately see what the traffic is (e.g. Netflix, WhatsApp, Apple, Apple iCloud and Apple iTunes).
It would be very nice to be able to use this for outbound policies and also firewall rules.
Thank You

3 Likes

Is there any news about this?
In Hong Kong, we were told that this would be included in FW8 but there is no sign of additional applications which can be identified by the router.
We urgently require this for Netflix because Netflix is blocked via SpeedFusion so we would like to be able to route all traffic to SpeedFusion and have a rule above that directs Netflix to balance on the cellular WANs.
Does anyone have a solution to let just Netflix break out local?
Thank You

2 Likes

Under “Active Session”, we are able to see many different types of applications. When will we be able to use these in outbound policies and firewall rules?

Thank You

2 Likes

I’ve reached out to our engineers to get an update on this request.

1 Like

When sending traffic over PepVPN you can add an application based filter. This cannot be applied to WANs, just to PepVPN profiles. For Firewall based application filtering, please use the Content Blocking feature.

2 Likes

Hi @Zach_Tangen
One important note is that this rule must be above the “PepVPN / OSPF / BGP / RIPv2 Routes” part of the outbound policies before the Destination of “PepVPN Profile” becomes available.

Simply put, this rule allows you to strip traffic that would otherwise be going down the VPN and route it over another WAN?

Is the application list going to be expanded any time soon? As I said above, active sessions is picking up on what the traffic is pretty accurately.

The “All Supported Streaming Applications” does not actually help us as we want all our video going via SpeedFusion except Netflix due to GeoBlock

Thanks

2 Likes

Hello @Zach_Tangen,
What version of FW8 supports this? We have the GA release of 8.0.0 running at several sites with SpeedFusion running back to a FusionHub and can not see the PepVPN within the drop-down menus for the Destination, all models (Balance & MAX) we are looking at are getting managed from InControl2 with the SpeedFusion settings.

This is the manual options as seen on a Balance One

This is the distributed options as seen from InControl2 getting pushed out to the organisation

Is this DPI feature currently on limited release?
Happy to help,
Marcus :slight_smile:

1 Like

Hi @mldowling
You need to create a rule, save it, then drag the rule to the very top above the “PepVPN / OSPF / BGP / RIPv2 Routes” part of the outbound policies before the Destination of “PepVPN Profile” becomes available.

1 Like

Hello @SamuelNorris,
We attempted that on some of our routers and still were unable to bring up the options.
We have raised a support ticket (#9060005) with Peplink, we must be missing something obvious. We will post back here what we find out.
Happy to Help,
Marcus :slight_smile:

1 Like

@mldowling

DPI Traffic Steering can only be enabled under the following conditions:

  1. Outbound Policy Expert mode enabled.

  2. Supported Outbound Policy: Enforce and Priority

  3. Send all traffic deployment via SpeedFusion Tunnels.

  4. Multiple SpeedFusion Tunnels Between two Locations

  • The DPI engine will steer the application traffic, based on the defined applications, via different sub-tunnels.

For detailed info, you can also refer to the forum post below:

3 Likes

Hello @sitloongs,
We have looked at the following routers and can not find this “Expert Mode” all running FW8.0.0

  • Balance One
  • Balance 580
  • MAX Transit
  • MBX HD4 (policies set from InControl2)
  • Balance 30 Pro

(screen shots attached to ticket)

From what we are reading, the DPI feature will not work for SpeedFusion unless the option to “Send All Traffic” over the SpeedFusion is enabled. That is a shame as the reason we want to use the DPI is to send only selected traffic over the SpeedFusion, not all.

Any other ideas on how to make the DPI feature work?

Happy to Help,
Marcus :slight_smile:

1 Like

@mldowling

If you are enabling “Expert Mode” for the first time on the device, the feature is inside the help “?” menu.

https://download.peplink.com/manual/peplink_balance_and_mediafast_firmware_manual_fw8.0.0.pdf (Page 96)

As explained in the previous post, DPI steering only works with SpeedFusion sub-tunnels.

Example Outbound Priority with DPI steering:

Note: The WebUI will be improved in coming firmware so that only related SF sub-tunnels will be shown for the steering tunnels options.

PS:
DPI will recognize the type of traffic after several packets have passed through, so the first few packets may be routed to the default tunnel, but once DPI has successfully recognized the traffic, it will be steered to the correct sub-tunnel while keeping the session intact, without any interruption.

4 Likes

Hi Zach!

Is it on the roadmap for a future release to allow the use of application steering through a WAN? And not just through a PepVPN profile…

Best regards!
Héctor

@hcardenas

DPI Steering won’t work for WAN direct. The reason is that the remote server won’t accept such a connection.

For example, say you need the supported application to run over WAN2. The connection may first be initiated via WAN1; after the DPI engine is able to detect the application, it will try to steer the traffic to WAN2, and the application traffic will then start being sent over WAN2. The main problem is that WAN1 and WAN2 are on different network IPs or service providers, so the remote server will see two different IP addresses trying to access the same connection, and most application servers will reject such a connection.

2 Likes
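
The behaviour described in the reply above, together with the earlier note that DPI only classifies a flow after several packets, can be reproduced with a small simulation. This is an added example, not Peplink code and not part of any post: the addresses, the three-packet classification threshold, all names, and the model of the tunnel's far end presenting one fixed egress IP are assumptions.

```python
from dataclasses import dataclass

# Constructed values (documentation address ranges), not taken from the thread.
WAN_IP = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"}  # per-WAN public IPs
HUB_IP = "192.0.2.1"            # assumed egress IP of the remote SpeedFusion endpoint
SERVER = ("192.0.2.80", 443)    # application server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False


class Server:
    """Remote server that tracks TCP connections by their 4-tuple."""

    def __init__(self):
        self.connections = set()

    def receive(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.syn:
            self.connections.add(key)
            return "SYN-ACK"
        # Mid-stream segment from an unknown 4-tuple: no such connection.
        return "ACK" if key in self.connections else "RST"


def run_session(mode, packets=6, dpi_after=3):
    """Send one flow; DPI classifies it after `dpi_after` packets (assumed
    threshold) and then steers it from the first path to the second.
    mode="direct": the server sees the public IP of whichever WAN is used.
    mode="tunnel": the WANs carry sub-tunnels; the server always sees HUB_IP."""
    server, replies = Server(), []
    for n in range(packets):
        path = "WAN1" if n < dpi_after else "WAN2"
        src_ip = WAN_IP[path] if mode == "direct" else HUB_IP
        pkt = Packet(src_ip, 40000, *SERVER, syn=(n == 0))
        replies.append((path, server.receive(pkt)))
    return replies


if __name__ == "__main__":
    for mode in ("direct", "tunnel"):
        print(mode, run_session(mode))
```

In the direct case every packet sent after the steer is answered with a reset, because the server has no connection for the new source address; in the tunnel case the path changes underneath while the server keeps seeing the same 4-tuple.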

Thank you for your quick answer.

Best regards!

Hi again Sit!

I found this post that actually you wrote :slight_smile:

This is great! I know that it was not what I was asking but do you think that other services (applications) would be added in the future to be managed through IC2 - Outbound policy?

Best regards!
Héctor

@hcardenas, it is feasible to add other services in the future. It is not an easy task but we will keep trying to add more services.

Thanks.

1 Like

Thanks @TK_Liew

Best regards,
Héctor