Rules by IP address and port number

Using the configuration editor, you can create rules for traffic flows and associate the rules with applications and classes. You can specify criteria to filter traffic for a flow, and can apply general behavior, LAN to WAN behavior, WAN to LAN behavior, and packet inspection rules.

For most purposes, the starting point for defining QoS policies is application rules. For more information, see Rules by application name.

To create IP rules:

  1. In the SD-WAN Configuration Editor, navigate to Global > Virtual Path Default Sets.

  2. Click Add Default Set, enter a name for the default set, and click Add. In the Section field, select Rules and click +.

  3. In the Order field, enter the order value to define when the rule is applied in relation to other rules.

  4. In the Rule Group Name field, select a rule group. The statistics for rules with the same rule group will be grouped and can be viewed together.

    For viewing rule groups, navigate to Monitoring > Statistics, and in the Show field select Rule Groups.

    You can also add custom applications. For more information, see Add Rule Groups and Enable MOS.

  5. In the Routing Domain field, choose one of the configured routing domains.

  6. You can define rule matching criteria to filter services based on the parameters listed below. After the filtering, the rule settings are applied to the services matching these criteria.

    • Source IP Address: Source IP address and the subnet mask to match against the traffic.

    • Destination IP Address: Destination IP address and the subnet mask to match against the traffic.

      Select Dest=Src if the source and destination IP address are the same.

    • Protocol: Protocol to match against the traffic.

    • Source Port: Source port number or port range to match against the traffic.

    • Destination Port: Destination port number or port range to match against the traffic.

    • DSCP: The DSCP tag in the IP header to match against the traffic.

    • VLAN: The VLAN ID to match against the traffic.

  7. Click the add (+) icon next to the new rule.

  8. Click Initialize Properties Using Protocol to initialize the rule properties by applying the rule defaults and recommended settings for the protocol. This populates the default rule settings. You can also customize the settings manually, as shown in the following steps.

  9. Click the WAN General tile to configure the following properties.

    • Transmit Mode: Select one of the following transmit modes.

      • Load Balance Path: Traffic for the flow is balanced across multiple paths for the service. Traffic is sent through the best path until that path is fully used; leftover packets are sent through the next best path.

      • Persistent Path: Traffic for the flow remains on the same path until the path is no longer available.

      • Duplicate Path: Traffic for the flow is duplicated across multiple paths, increasing reliability.

      • Override Service: Traffic for the flow overrides to a different service. In the Override Service field, select the service type to which the service overrides. For example, a virtual path service could override to an intranet, internet, or pass-through service.

    • Retransmit Lost Packets: Send traffic that matches this rule to the remote appliance over a reliable service and retransmit lost packets.

    • Enable TCP Termination: Enable TCP termination of traffic for this flow. This reduces the round-trip time for packet acknowledgement and therefore improves throughput.

    • Preferred WAN Link: The WAN link that the flows should use first.

    • Persistent Impedance: The minimum time in milliseconds for which traffic remains on the same path, unless the wait time on that path exceeds the configured value.

    • Enable IP, TCP, and UDP: Compress headers in IP, TCP, and UDP packets.

    • Enable GRE: Compress headers in GRE packets.

    • Enable Packet Aggregation: Aggregate small packets into larger packets.

    • Track Performance: Records performance attributes of this rule in a session database (for example, loss, jitter, latency, and bandwidth).


  10. Click the LAN to WAN tile to configure LAN to WAN behavior for this rule.

    • Class: Select a class with which to associate this rule.

      You can also customize classes before applying rules. For more information, see How to Customize Classes.

    • Large Packet Size: Packets smaller than or equal to this size are assigned the Drop Limit and Drop Depth values specified in the fields to the right of the Class field. Packets larger than this size are assigned the values specified in the default Drop Limit and Drop Depth fields in the Large Packets section of the screen.

    • Drop Limit: Length of time after which packets waiting in the class scheduler are dropped. Not applicable for a bulk class.

    • Drop Depth: Queue depth threshold after which packets are dropped.

    • Enable RED: Random Early Detection (RED) ensures fair sharing of class resources by discarding packets when congestion occurs.

    • Reassign Size: Packet length that, when exceeded, causes the packet to be reassigned to the class specified in the Reassign Class field.

    • Reassign Class: Class used when the packet length exceeds the packet length specified in the Reassign Size field.

    • Disable Limit: Time for which duplication can be disabled to prevent duplicate packets from consuming bandwidth.

    • Disable Depth: The queue depth of the class scheduler at which duplicate packets are no longer generated.

    • TCP Standalone ACK class: High priority class to which TCP standalone acknowledgements are mapped during large file transfers.


  11. Click the WAN to LAN tile to configure WAN to LAN behavior for this rule.

    • Enable Packets Resequencing: Sequences the packets into the correct order at the destination.

    • Hold Time: Time interval for which the packets are held for resequencing, after which the packets are sent to the LAN.

    • Discard Late Resequencing Packets: Discard out-of-order packets that arrived after the packets needed for resequencing have been sent to the LAN.

    • DSCP Tag: DSCP tag applied to the packets that match this rule, before sending them to the LAN.


  12. Click the Deep Packet Inspection tile and select Enable Passive FTP Detection to allow the rule to detect the port used for FTP data transfer and automatically apply the rule settings to the detected port.

  13. Click Apply.
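The following worked example, added here and not part of the Citrix SD-WAN product or its documentation, shows how the rule matching criteria from step 6 (source and destination subnet, Dest=Src, protocol, port ranges, DSCP, VLAN) combine with the Order field into a first-match lookup, and how the LAN to WAN settings from step 10 (Large Packet Size, Drop Limit, Drop Depth, Reassign Size, Reassign Class) are resolved per packet. Field names mirror the editor labels; the rule values, sample flows, and the reading of Dest=Src as "destination must fall in the source subnet" are assumptions made for the example.

```python
"""Added example (not Citrix code): first-match evaluation of ordered
IP/port rules, then per-packet LAN-to-WAN class and drop-parameter
selection. All rule values and flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]   # inclusive (low, high)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str            # "tcp", "udp", ...
    src_port: int = 0
    dst_port: int = 0
    dscp: int = 0
    vlan: int = 0


@dataclass
class Rule:
    order: int                          # lower Order values are evaluated first
    name: str
    src_net: Optional[str] = None       # CIDR; None means "any"
    dst_net: Optional[str] = None
    dst_equals_src: bool = False        # Dest=Src: destination checked against src_net (assumption)
    protocol: Optional[str] = None
    src_ports: Optional[PortRange] = None
    dst_ports: Optional[PortRange] = None
    dscp: Optional[int] = None
    vlan: Optional[int] = None
    # LAN to WAN tile
    cls: str = "default"
    large_packet_size: int = 0          # boundary between the two drop settings
    small_drop: Tuple[int, int] = (0, 0)   # (Drop Limit, Drop Depth) for packets <= large_packet_size
    large_drop: Tuple[int, int] = (0, 0)   # same, from the Large Packets section
    reassign_size: int = 0              # 0 disables reassignment
    reassign_class: Optional[str] = None


def _in_range(value: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every configured criterion must match; unset criteria match anything."""
    src = ip_address(flow.src_ip)
    dst = ip_address(flow.dst_ip)
    if rule.src_net and src not in ip_network(rule.src_net, strict=False):
        return False
    dst_net = rule.src_net if rule.dst_equals_src else rule.dst_net
    if dst_net and dst not in ip_network(dst_net, strict=False):
        return False
    if rule.protocol and rule.protocol.lower() != flow.protocol.lower():
        return False
    if not _in_range(flow.src_port, rule.src_ports):
        return False
    if not _in_range(flow.dst_port, rule.dst_ports):
        return False
    if rule.dscp is not None and rule.dscp != flow.dscp:
        return False
    if rule.vlan is not None and rule.vlan != flow.vlan:
        return False
    return True


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Rules are applied in Order; the first whose criteria match wins."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, flow):
            return rule
    return None


def lan_to_wan_params(rule: Rule, packet_len: int) -> Tuple[str, int, int]:
    """Return (class, drop limit, drop depth) for one packet of a matched flow."""
    cls = rule.cls
    if rule.reassign_size and packet_len > rule.reassign_size and rule.reassign_class:
        cls = rule.reassign_class          # Reassign Size exceeded
    limit, depth = rule.small_drop if packet_len <= rule.large_packet_size else rule.large_drop
    return cls, limit, depth


# Constructed rule set; values are illustrative, not product defaults.
RULES = [
    Rule(order=30, name="catch-all", cls="interactive", large_packet_size=256,
         small_drop=(50, 20000), large_drop=(100, 40000)),
    Rule(order=10, name="voice", protocol="udp", dscp=46, cls="realtime",
         large_packet_size=512, small_drop=(20, 8000), large_drop=(20, 8000)),
    Rule(order=20, name="backup", src_net="10.10.0.0/16", dst_net="10.20.0.0/16",
         protocol="tcp", dst_ports=(22, 22), cls="bulk", large_packet_size=128,
         small_drop=(300, 60000), large_drop=(500, 120000),
         reassign_size=1000, reassign_class="bulk-large"),
    Rule(order=15, name="local-only", src_net="192.168.1.0/24", dst_equals_src=True,
         cls="interactive"),
]

if __name__ == "__main__":
    f = Flow("10.10.1.5", "10.20.3.7", "tcp", src_port=51000, dst_port=22)
    r = first_match(RULES, f)
    print(r.name, lan_to_wan_params(r, 1400))   # backup ('bulk-large', 500, 120000)
```

Note that the list is deliberately defined out of Order to show that only the Order value, not the position in the list, decides precedence; a flow that matches no specific rule falls through to the catch-all entry.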


Save the configuration, export it to the change management inbox, and initiate the change management process.
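As an added illustration of the WAN to LAN settings in step 11 (not code from the Citrix product or its documentation), the following model shows how Hold Time and Discard Late Resequencing Packets interact: in-order packets are released immediately, a gap is held for at most the hold time, and a packet whose slot has already been given up is either discarded or forwarded out of order. Sequence numbers, arrival times, and the payloads in the trace are constructed; the timer-driven skip-ahead behaviour is an assumption about how such a buffer is typically built.

```python
"""Added example (not Citrix code): a resequencing buffer driven by the
Hold Time and Discard Late Resequencing Packets settings. The arrival
trace in run_scenario() is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Resequencer:
    hold_ms: float                 # Hold Time
    discard_late: bool             # Discard Late Resequencing Packets
    next_seq: int = 0              # next sequence number the LAN expects
    buffer: Dict[int, bytes] = field(default_factory=dict)
    gap_since: Optional[float] = None   # when we started waiting on next_seq
    released: List[Tuple[int, bytes]] = field(default_factory=list)
    discarded: List[int] = field(default_factory=list)

    def receive(self, seq: int, payload: bytes, now_ms: float) -> None:
        """A packet arrives from the WAN at time now_ms."""
        if seq < self.next_seq:
            # Its slot was already given up when the hold time expired: it is late.
            if self.discard_late:
                self.discarded.append(seq)
            else:
                self.released.append((seq, payload))   # forwarded out of order
            return
        self.buffer[seq] = payload
        self._drain(now_ms)

    def tick(self, now_ms: float) -> None:
        """Timer check: if the gap has been open for hold_ms or longer, skip it."""
        if (self.buffer and self.gap_since is not None
                and now_ms - self.gap_since >= self.hold_ms):
            self.next_seq = min(self.buffer)
            self.gap_since = None
            self._drain(now_ms)

    def _drain(self, now_ms: float) -> None:
        """Release everything now in order; start the gap timer if a hole remains."""
        while self.next_seq in self.buffer:
            self.released.append((self.next_seq, self.buffer.pop(self.next_seq)))
            self.next_seq += 1
            self.gap_since = None
        if self.buffer and self.gap_since is None:
            self.gap_since = now_ms


def run_scenario(discard_late: bool) -> Tuple[List[int], List[int]]:
    """Constructed trace: seq 1 is delayed past a 50 ms hold time.
    Returns (released sequence numbers in output order, discarded sequence numbers)."""
    r = Resequencer(hold_ms=50, discard_late=discard_late)
    r.receive(0, b"a", 0)
    r.receive(2, b"c", 10)    # gap opens: seq 1 missing
    r.receive(3, b"d", 20)
    r.tick(40)                # 30 ms waited, still holding
    r.tick(70)                # 60 ms >= hold time: skip seq 1, release 2 and 3
    r.receive(1, b"b", 80)    # late arrival
    r.receive(4, b"e", 90)
    return [s for s, _ in r.released], r.discarded


if __name__ == "__main__":
    print(run_scenario(True))    # ([0, 2, 3, 4], [1])
    print(run_scenario(False))   # ([0, 2, 3, 1, 4], [])
```

The trade-off the two settings expose is visible in the output: a longer hold time keeps more packets in order at the cost of added latency, and with discard disabled the late packet still reaches the LAN, but out of order.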

For more information on QoS rule guidelines and default rules breakdown, see the support article Citrix SD-WAN QOS and Application Rules.
