Skip to main content
Versa Networks

Configure Traffic-Steering Policies and Rules

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.pngFor supported software information, click here.

To add traffic-steering policies and rules, you first create an application policy to classify incoming traffic based on match criteria, such as application, source IP address, destination IP address, and incoming zone. Then, you specify the action to take when traffic matches the configured criteria.

Traffic-steering policies and rules belong to the Application subprofile type. You can attach only one traffic-steering policy to an Application subprofile. You can add a traffic-steering policy to an existing Application subprofile, or you can add it when you create a new subprofile. You can add a traffic-steering policy as a profile element that can then be used in one or more Application subprofiles. 

You can build reusable application policies by navigating to Policies > Application > Traffic Steering. You can also build policies and rules inline. These inline rules apply only to the policies currently being configured. You cannot reuse them in other subprofiles until you add them to the reusable Subprofiles folder by clicking the ellipsis to the right of Next and then selecting Save As:

next-save-as-v2.png

To add a traffic-steering policy to an existing Application subprofile:

  1. Go to Configure > Profiles > Sub Profiles > Application.

    application-subprofile-left-nav-border.png

    The screen displays the existing Application subprofiles.

    application-subprofile-dashboard-v3-border.png
     
  2. To add a traffic steering policy, click an application subprofile (Application-SP in the example above), or click the vertical-dots-black-on-white.png Elipsis icon, and then click the pencil-icon-black-on-white-22.png Edit icon in the popup menu. The Edit Application Sub Profile screen displays with the General tab selected by default.

    edit-application-subprofile-general-tab-v3-border.png
     
  3. Select the Policy tab, and then click + Policy.

    edit-application-subprofile-policy-tab-v3-border.png
     
  4. In the popup menu, select Traffic Steering. To create a new policy, click Create New Policy. To use an existing policy, click Choose Existing and select a policy from the list.

    create-new-policy-traffic-steering-popup-border.png

    The Add Traffic Steering Policy screen displays with Step 1, Rules selected by Default.

    add-traffic-steering-policy-Rules-tab-border.png
     
  5. If desired, you can specify the columns to display, or you can accept the default selections and go to the next step. To change the settings, click the Select Columns down arrow and select the columns to be displayed. To restore the default column settings, click Reset.

    select-columns-border.png
     
  6. In the Add Traffic Steering Policy screen, click Add Rule. The following screen displays.

    add-rule-menu-border.png
  7. To create a new rule for the application policy, continue to Step 8. To add an existing rule:
    1. Click Add Existing Rule. The Add Existing Traffic Steering Rules screen displays the existing traffic steering rules.

      add-existing-traffic-steering-rules-unselected-border.png
    2. Select one or more rules. The selected rules move to the Traffic Steering Rules Selected panel.

      add-existing-traffic-steering-rules-selected-border.png
    3. To view the configuration elements for a selected rule, click the down arrow next to the rule, and then select a category to display the configuration elements for that category. The categories are:
      • Applications and URLs
      • Destination Traffic
      • Enforcement
      • Forwarding Profile an TCP Optimization Profile
      • Services and DSCP
      • Source Traffic
      • Variable Type
    4. Click Add Rules to add the traffic-steering rule to the application policy.
  8. To create a new rule for the application policy, select Create Rule only for this Policy. The Add Traffic Steering Rule screen displays with Step 1, Applications & URLs, the Applications radio button, and the Application Group tab selected by default.

    add-traffic-steering-rule-apps-URLs-tab-v2-border.png
     
  9. From here, you can select specific applications, application groups, or application categories to include in the match criteria. All applications, URL categories, and reputation are included by default. You can use this screen to customize which applications, URL categories, and reputation to include in the match criteria.
    • To select application groups for the rule to match, on the Application Group tab, click the group category (User Defined Application Groups or Predefined Application Groups), and then select the application groups for the rule to match. You can also use the Search bar to find specific application groups.

      TS-rule-application-group-customize-border.png
    • To select applications for the rule to match, select the Applications > Applications tab, click the group category (User Defined Application Groups or Predefined Application Groups), and then select the applications. You can also use the Search bar to find specific applications.

      TS-rule-applications-customize-border.png
    • To select predefined application categories for the rule to match, select the Applications > Application Category tab, and then select one or more predefined application categories. You can also use the Search bar to find specific application categories.

      TS-rule-application-category-customize-border.png
  10. Select the URL Categories and Reputations tab. The following screen displays.

    TS-rule-URL-categories-reputations-customize-border.png
     
  11. In the URL Categories field, click the down arrow, and then select one or more URL categories for the rule to match.
  12. In the Reputations field, click the down arrow, and then select one or more reputations to include in the rule:
    • High risk
    • Low risk
    • Moderate risk
    • Suspicious
    • Trustworthy
    • Undefined
  13. Click Next or select Step 2, Users & Groups.

    TS-Users-Groups-border.png
     
  14. To add an existing user group, click Select Users & Groups Profile and click the name of one or more user groups (fGroup in the figure below).

    TS-Users-Groups-matched-border.png
     
  15. To add a new user group, click + Add New User Group. The following screen displays.

    add-user-group-border.png
    1. Enter a user group name and a distinguished name (DN).
    2. Click Add.
       
  16. Select the Users tab.

    TS-Users-Groups-Users-tab-border.png
     
  17. To add existing users, click Select Users & Groups Profile and click the name of one or more users.

    TS-Users-matched-border.png
     
  18. To add a new user, click + Add New User. The following screen displays.

    add-user-border.png
    1. Enter a user name and a work email address.
    2. Click Add. 
       
  19. Click Next or select Step 3, Source & Destination Traffic. The following screen displays. All source and destination traffic is included in the match criteria by default. You can use this screen to customize the source and destination traffic to include in the match criteria.

    TS-source-destination-traffic-tab-v2-border.png
  20. To customize the source traffic, on the Source Address tab, use one of the following methods:
    • To specify source addresses to include in the match criteria, continue to Step 21.
    • To specify source addresses to exclude from the match criteria, select Negate Source Address to match all source addresses except the source addresses that you specify, and then continue to Step 21. 
  21. To specify a source address to include or exclude in the match criteria, you can select a source address from the list or use the search box to find a source address. To create a variable for the source address, click + Add Variable to the right of the source address list. Enter a name for the variable, click the add-icon-white-on-black-22.png Plus icon, then click Add. You can add multiple variables. 

    add-address-variable-v2.png
    You can also enter values for the fields IP address or IP range, IPv4 or the IPv6 subnet, or the IP wildcard as part of the match criteria. To create variables for these values, click + Add Variable for that field. 
    • To add a variable for the IP address or IP range, select IPv4 Address, IPv4 Range, or IPv6 Address from the drop-down list, click the add-icon-white-on-black-22.png Plus icon, the click Add. You can add multiple variables. 

      add-IP-address-range-variable-v2-border.png
       
    • To add a variable for the IP subnet, select IP Subnet or IPv6 Subnet from the drop-down list, click the add-icon-white-on-black-22.png Plus icon, the click Add. You can add multiple variables. 

      add-IP-subnet-variable-v2-border.png
    • To add a variable for the IP wildcard, enter a name for the variable, click the add-icon-white-on-black-22.png Plus icon, then click Add. You can add multiple variables.

      add-address-variable-v2.png
  22. Click the Destination Address tab. The following screen displays.

    TS-source-destination-address-traffic-tab-border.png
  23. To customize the destination traffic, use one of the following methods:
    • To specify destination addresses to include in the match criteria, continue to Step 24 to select addresses.
    • To specify destination addresses to exclude from the match criteria, select Negate Source Address to match all destination addresses except the addresses that you specify, and then continue to Step 24 to select addresses. 
  24. To specify a destination address to include or exclude in the match criteria, you can select a destination address from the list or use the search box to find a destination address. To create a variable for the destination address, click + Add Variable to the right of the destination address list. You can also enter values for the fields IP address or IP range, IPv4 or the IPv6 subnet, or the IP wildcard as part of the match criteria. To create variables for these values, click + Add Variable for that field. For more information on adding variables, see step 21. 
  25. Select the Source Zone and Sites tab. The following screen displays. All source zones and source sites are included in the match criteria by default. To customize the source zones and source sites to be included in the match criteria, enter information for the following fields.

    TS-source-zone-sites-border.png
     
    Field Description
    Source Zones

    Click the down arrow, and then select one or more zones. To create a variable for the source zone, click add_icon.png Add Variable.
    Source Sites

    Click the down arrow, and then select one or more sites. To create a variable for the source zone, click add_icon.png Add Variable.
  26. Select the Destination Zone and Sites tab. By default, all destination zones and destination sites are included in the match criteria. To customize the destination zones and destination sites to be included in the match criteria, enter information for the following fields.

    TS-destination-zone-sites-border.png
     
    Field Description
    Destination Zones

    Click the down arrow, and then select one or more zones. To create a variable for the source zone, click add_icon.png Add Variable.
    Destination Sites

    Click the down arrow, and then select one or more sites. To create a variable for the source zone, click add_icon.png Add Variable.
  27. Click Next or select Step 4, Service & DSCP. The following screen displays. All services, service groups, and DSCPs are included in the match criteria by default. You can use this screen to customize the services, service groups, and DSCPs to include in the match criteria.

    TS-service-DSCP-services-tab-border.png
  28. To specify the services to include, do one or both of the following:
    • In the search box under Services, enter the service name.
    • Select one or more services from the list below the search box. You can select one of the following categories to filter the list:
      • All Services
      • Predefined
      • User Defined
  29. Select the Service Groups tab, then select the service group to which you want to apply security access control rules. You can select User-Defined, Predefined, or both. Click thetoggle_arrow.png Toggle Row Expand icon next to the service group name to view the details for each service group.

    TS-service-DSCP-service-groups-tab-border.png
  30. Select one or more service groups to include in the match criteria. The service groups are added to the Services list.
  31. Select the DSCP tab. All DSCP decimal values are included by default. You can specify which DSCP decimal values to include in the match criteria.

    TS-service-DSCP-DSCP-tab-border.png
     
  32. Select one or more DSCP decimal values from the drop-down list, or use search to locate one or more values.
  33. Click Next to go to Step 5, Enforcement. Security enforcement rules define the actions to take on traffic that meets the previously defined match conditions, and defines the security enforcement actions to apply to matching traffic. The following screen shows the available security enforcement actions.

    TS-Enforcement-tab-v2-border.png
     
  34. Click one of the following options to apply a security enforcement action:
    • Allow—Allow all traffic that matches the rule to pass unfiltered.
    • Deny—Drop all traffic that matches the rule.
       
  35. Click Next to go to Step 6, Forwarding Profile & TCP Optimization Profile and enter the following information.

    forwarding-profile-TCP-optimization-profile-screen-v2-border.png
     
    Field Description
    Forwarding Profile Select a forwarding profile from the list. A forwarding profile is a configuration setting that determines how network traffic is handled and forwarded within a network device.
    TCP Optimization Profiles Policy (Group of Fields) TCP optimization profiles are configurations or settings that can be applied to TCP to improve its performance in specific network environments.
    • Mode

    Select a TCP optimization mode:

    • Auto
    • Bypass—Disable TCP optimizations.
    • Forward proxy
    • Proxy
    • Reverse proxy
    • Splice
    • Bypass Latency Threshold

    Enter how much latency must be measured before TCP optimizations begin.

    Range: 0 through 60000 milliseconds

    Default: 10 milliseconds
    • TCP Optimization Profile for LAN

    Select a LAN profile.
    For proxy mode, you must configure a TCP profile.

    If you do not select TCP profiles, a system default LAN profile is applied that uses the cubic congestion control algorithm and duplicate ACK loss detection.
    • TCP Optimization Profile for WAN

    Select a WAN profile.

    For proxy mode, you must configure a TCP profile.

    If you do not select TCP profiles, a system default WAN profile is applied that uses the BBR congestion control algorithm and RACK loss detection.
  36. Click Next to go to Step 7, Permissions, and revise the permissions, if needed.

    add-traffic-steering-rule-permissions-border.png
     
  37. Click Next to go to Step 8, Review and Submit and enter the following information.

    add-traffic-steering-rule-review-submit.png
     
    Field Description
    General (Group of Fields)
    • Name
    		 Enter a name or the rule.
    • Description
    		 (Optional) Enter a description for the rule.
    • Tags
    		 (Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags added for the same object. The tags are used for searching the objects.
    • Schedule
    		 Select a schedule to set the time and frequency at which the rule is in effect.
    • Enabled
    		 Click to disable the rule once it is saved. By default, the rule is enabled.
    • Logging Disabled
    		 Click to the slider bar to enable logging for the rule. By default, logging is disabled.
  38. Review the selected settings. Click the pencil-icon-blue-on-white-22.png Edit icon to change a setting, as needed.
  39. Click Save to save the rule.
  40. In the Add Traffic Steering Policy screen, click Step 2, Permissions. The following screen displays.

    add-traffic-steering-policy-permissions-tab-policy.png
     
  41. To change the permissions for a role, select Edit, Hide, or Read in the Permissions column.
  42. Click Next to go to the Step 3, Review and Submit.

    add-traffic-steering-policy-review-submit-tab-border.png
     
  43. In the General box, enter a name for the traffic steering policy, and optionally enter a text description for the policy and one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can specify multiple tags added for the same object. The tags are used for searching the objects.
  44. Review the settings you have selected. Click the pencil-icon-blue-on-white-22.png Edit icon to change a setting, as needed.
  45. Click Save to create the traffic steering policy.

Supported Software Information

Releases 10.2.1 and later support all content described in this article, except:

  • Release 12.1.1 adds support for the Negate Source Address and Negate Destination Address options when configuring a traffic-steering rule.