SD-WAN


Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration WAN edge network functions - routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practices, and third-party integrations. All things SD-WAN!

Microbranch with filtered breakout

  • 1.  Microbranch with filtered breakout

    Posted 27 days ago

    I am having a hard time setting up a granular policy for the microbranch. I followed techdocs esp-sd-branch-deploy-100-L3-Microbranch (Optional) Routed Layer 3 Full-Tunnel Configuration (see below), without success

    https://www.arubanetworks.com/techdocs/VSG/docs/080-sd-branch-deploy/esp-sd-branch-deploy-100-L3-Microbranch/#optional-routed-layer-3-full-tunnel-configuration

    What keeps happening is that despite defining that only certain applications are allowed, everything is still able to pass through except for ICMP echo.

    I defined a PBR policy

     In the PBR policy I added two datacenter subnets

    I defined a policy for the SSID I was testing

    I also changed per the document the tunnels & routing datacenter settings.

    I am running the correct code.

    With these settings, users of the SSID are still able to browse the internet. What I wanted to achieve is that users would be able to access datacenter servers as well as use Microsoft Teams, but not be able to browse the internet. Is this possible? What am I doing wrong?



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------


  • 2.  RE: Microbranch with filtered breakout

    EMPLOYEE
    Posted 25 days ago

    From the PBR screenshot you shared, it looks like you want to allow only the 10.0.0.0/24 and 192.168.25.0/24 networks to the data center. From the Rules under the user role, there should be ACL(s) to block any other traffic, which is missing.

    For the user role, try adding ACL rules to allow the networks 10.0.0.0/24 and 192.168.25.0/24 as well as the Microsoft Teams applications. Then add an ACL rule to deny everything else, followed by the PBR assignment. With this, the AP first processes the ACL rules (which traffic is allowed or denied) and then proceeds to PBR (which determines where the traffic should be directed).
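The processing order described in this reply, as an added illustration that is not part of the thread and not Aruba's code: a small simulation in which the user role's ACL is evaluated first-match, and PBR then picks the next hop only for flows the ACL permitted. The rule set, the PBR entries, the `teams` application tag and the IP addresses are all constructed for the example, and the fall-through to permit when no deny rule matches is an assumption made to mirror the behaviour the original post reports.

```python
from ipaddress import ip_address, ip_network

# Constructed role ACL modelled on the reply: permit the two data-center
# subnets and the Teams application, then deny everything else.
ROLE_ACL = [
    {"dst": "10.0.0.0/24",     "app": None,    "action": "permit"},
    {"dst": "192.168.25.0/24", "app": None,    "action": "permit"},
    {"dst": "any",             "app": "teams", "action": "permit"},
    {"dst": "any",             "app": None,    "action": "deny"},
]

# Constructed PBR policy: data-center subnets go into the overlay tunnel,
# anything else that survived the ACL breaks out locally.
PBR_POLICY = [
    {"dst": "10.0.0.0/24",     "next_hop": "dc-tunnel"},
    {"dst": "192.168.25.0/24", "next_hop": "dc-tunnel"},
]
DEFAULT_NEXT_HOP = "local-breakout"


def _dst_matches(rule_dst, dst_ip):
    return rule_dst == "any" or ip_address(dst_ip) in ip_network(rule_dst)


def evaluate_acl(acl, dst_ip, app=None):
    """First-match evaluation. A rule with app=None matches any application.
    Assumption: with no matching deny rule the flow falls through to permit."""
    for rule in acl:
        if _dst_matches(rule["dst"], dst_ip) and rule["app"] in (None, app):
            return rule["action"]
    return "permit"


def route_packet(dst_ip, app=None, acl=ROLE_ACL, pbr=PBR_POLICY):
    """Return ('deny', None) or ('permit', next_hop) for one flow."""
    if evaluate_acl(acl, dst_ip, app) == "deny":
        return ("deny", None)
    for entry in pbr:
        if _dst_matches(entry["dst"], dst_ip):
            return ("permit", entry["next_hop"])
    return ("permit", DEFAULT_NEXT_HOP)


if __name__ == "__main__":
    # The original post's situation: no final deny rule, so internet leaks out.
    leaky_acl = ROLE_ACL[:-1]
    for dst, app in [("10.0.0.5", None), ("198.51.100.20", "teams"),
                     ("203.0.113.10", None)]:
        print(dst, app, "with deny:", route_packet(dst, app),
              "without deny:", route_packet(dst, app, acl=leaky_acl))
```

Run it with and without the trailing deny rule to see that the PBR entries alone never block the generic internet destination; only the ACL does.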




  • 3.  RE: Microbranch with filtered breakout

    Posted 25 days ago

    Below is a screenshot of your method. I still do not get the correct result; I validated that the configuration is in sync.

    PBR config


    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------