Citrix SD-WAN Orchestrator

QoS policies

An administrator can define application and traffic policies. These policies help to enable traffic steering, Quality of Service (QoS), and filtering capabilities for applications. Specify whether a defined rule can be applied globally across all the sites in the network or on certain specific sites.

Policies are defined in the form of multiple rules which get applied in the user-defined order.

Network config policies

Create new rule

An administrator needs to place the defined rule based on the priority. The priorities such as Top of the List, Bottom of the List, or in between two existing entries.

It is recommended to have more specific rules for applications or sub applications at the top, followed by less specific rules for the ones representing broader traffic.

For example, you can create specific rules for both Facebook Messenger (sub application) and Facebook (application). Put a Facebook Messenger rule on top of the Facebook rule so that the Facebook Messenger rule gets selected. If the order is reversed, Facebook Messenger being a subapplication of the Facebook application, the Facebook Messenger rule would not get select. It is important to get the order right.

Match criteria

Select traffic for a defined rule such as:

  • An application
  • Custom defined application
  • Group of applications or IP protocol based rule

Rule scope

Specify whether a defined rule can be applied globally across all the sites in the network or on certain specific sites.

Application steering

Specify how the traffic needs to be steered.

QoS policies

+ New Custom App: Select a match criteria from the list. The administrator can add new custom application by giving a name to:

  • Custom application
  • protocol (such as TCP, UDP, ICMP)
  • Network IP/Prefix
  • port
  • DSCP tag

You can also create a domain name based custom application.

Custom app domain

Click Verify Config to validate any audit error.

IP Rules

You can create global and site-specific IP rules at the network level by navigating to Configuration > QoS > QoS Policies.

  • IP Protocol Match Criteria

    • Add/Remove Sites: (available only while creating site-specific IP rule) Select the sites, click Review, and Done.
    • Source Network: The source IP address and subnet mask that the rule matches.
    • Destination Network: The destination IP address and subnet mask that the rule matches.
    • Use IP Group: Select the Use IP Group check box to choose any existing IP group from the drop-down list.
    • Src = Dst: If selected, the source IP address is also used for the destination IP address.
    • Source Port: The source port (or source port range) that the rule matches.
    • Destination Port: The destination port (or destination port range) that the rule matches.
    • Src = Dst: If selected, the source port is also used for the destination port.
    • IP Protocol: The protocol that the rule matches.
    • DSCP: The DSCP tag in the IP header that the rule matches.
    • Routing Domain: The routing domain that the rule matches.
    • VLAN ID: Enter the VLAN ID for the rule. The VLAN ID identifies the traffic to and from the virtual interface. Use VLAN ID as 0 to designate native or untagged traffic.
    • Rebind Flow On Change: When selected, flows that are otherwise identical in terms of match criteria are treated as separate if their DSCP fields differ.
  • Traffic Policy

    • Virtual Path Remote Site: Select the virtual path for the remote site.
    • Traffic Policy: Choose one of the following traffic policies as needed.
      • Load Balance Paths: Application traffic for the flow is balanced across multiple paths. Traffic is sent through the best path until that path is used. The remaining packets are sent through the next best path.
      • Persistent Paths: Application traffic remains on the same path until the path is no longer available.
      • Duplicate Paths: Application traffic is duplicated across multiple paths, increasing reliability.
  • QoS Settings

    • Transfer Type: Choose one of the following transfer types:
      • Realtime: Used for low latency, low bandwidth, time-sensitive traffic. Real-time applications are time-sensitive but don’t really need high bandwidth (for example voice over IP). Real-time applications are sensitive to latency and jitter but can tolerate some loss.
      • Interactive: Used for interactive traffic with low to medium latency requirements and low to medium bandwidth requirements. The interaction is typically between a client and a server. The communication might not need high bandwidth but is sensitive to loss and latency.
      • Bulk: Used for high bandwidth traffic and applications that can tolerate high latency. Applications that handle file transfer and need high bandwidth are categorized as a bulk class. These applications involve little human interference and are mostly handled by the systems themselves.
    • Priority: Choose a priority for the selected transfer type.
  • Internet Traffic Policy

    • Select the Enable Internet Policy check box to configure internet traffic policy.
    • Mode: The method of transmitting and receiving packets for flows that match the rule. You can choose Override Service or WAN link as needed.
    • WAN link: The WAN link to be used by flows matching the rule when Internet Load Balancing is enabled.
    • Override Service: The destination service for flows matching the rule.

IP rules

Click Save to save the configuration settings. Click Verify Config to validate any audit error.

QoS profiles

The Quality of Service (QoS) section helps to create the QoS profile by using the + QoS Profile option. The QoS profile provides improved service to certain traffic. The goal of QoS is to provide priority including traffic type (Real-time, Interactive, and Bulk classes) and dedicated bandwidth. The bandwidth breakups are available in % values. This also improved loss characteristics.

QoS policy profile

Click Verify Config to validate any audit error.

HDX profiles

HDX incorporates advanced optimization and acceleration capabilities to deliver the best performance over any network, including low-bandwidth and high-latency WAN connections.

HDX profile

HDX profiles, along with HDX rules allow to optimize HDX traffic. You can view the following three default profiles:

  1. Global Default: The Global profile is active for all the sites by default.

    • The Global Default profile now enables single stream HDX globally in the initial case. This profile supports Single-stream or Multi-stream QoS for HDX, depends on the QoS profile selection.

      • If the selected QoS profile is Standard (default case), then the global default profile is single stream HDX. In this case, multi-stream QoS for HDX check box is cleared and the profile mode is single-Stream.

      • If the selected QoS profile is HDX, then multi-stream QoS and Deep packet inspection (DPI) are enabled.


    • To view the QoS profile selection, go to Configuration > QoS > QoS profiles.

    QOS profile selection

    You can also view the Global QoS Bandwidth Default Profile under Global Rules in QoS policies and under HDX rules in the global rules section.

    Global QoS Bandwidth Default

    • You can provide up to five HDX IP and port range.
    • No other settings can be modified.

    Only the Global Default is a global profile and other profiles are the site level which can override the global profile. So if you want to enable the single stream HDX mode for all the sites in the network, you must make the changes in the global profile. This ensures that this setting is not only applicable to all the available sites but also to any newly added sites.

    The available site can be attained by adding all sites to the single-stream profile that essentially overrides the global profile at all existing sites.

  2. HDX disabled: Both DPI and multi-stream QoS for HDX are disabled. You can add sites to this profile.

  3. HDX Single Stream: Multi-stream QoS is disabled. You can add sites to this profile.


The default profiles (Global Default, HDX Disabled, and HDX Single Stream) cannot be deleted.

Either value in a Custom HDX IP-Port Pair or Sites, can be empty (but not both) for all the profiles where you can provide an IP-port pair. Independent Computing Architecture (ICA) ports 1494 and 2598 are not allowed (either by themselves or in range: true for all port fields in HDX profiles). This limitation is applicable to all profiles where ports can be added.

A site can only be part of a single profile. The Global Default profile is applicable to all sites which are not part of any other profile.

The Global Default, HDX Disabled, and HDX Single Stream profiles are also known as Profile Modes.

You can only create new profiles of HDX Multi-Stream type. For any other behavior (for example – HDX single-stream), use the default profile.

HDX multi-stream

You can specify the site names and IP and Port pairs for all three profiles. The IP-Port Pair option is available only if the profile mode is HDX Multi-Stream.

While creating site level HDX rules (under QoS Policies), you need to select the Site HDX Profile Mode.

Site HDX profile mode

Based on this selection, all the sites that fall under the Profile Mode are available for selection for the rule.

QoS policies