App-based Routing
10/14/2021
Description
App-Based Routing is a kind of PBF (policy-based forwarding) rule that allows traffic to take a path other than the next hop specified in the route table. It is typically used to specify an egress interface for security or performance reasons.
When an App-Based Route entry is created, the security appliance initially does not have enough information to identify the application and therefore cannot enforce the route entry. As more packets arrive, the security appliance determines the application and creates an internal entry in the App-ID cache, which is retained for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the security appliance can identify the application as the same one seen in the initial session and apply the App-Based Route. Therefore, a session that is not an exact match and is not the same application cannot be forwarded based on the App-Based Route.
This feature is available on all firmware versions post 6.5.2.1.
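The cache behaviour described above can be seen in a small simulation. This is an added example, not SonicOS code: it is a simplified model that only decides the egress interface when a session is created, and the interface name X2 for the route-table path, the addresses and the function names are assumptions made for illustration.

```python
# Simplified model of the App-ID cache behaviour described above.
# Illustrative only: names, interfaces and addresses are constructed,
# and this is not SonicOS code.
from dataclasses import dataclass, field

DEFAULT_IFACE = "X2"              # assumed egress chosen by the normal route table
APP_ROUTES = {"Skype": "X1"}      # App-Based Route: Skype traffic leaves via X1 WAN


@dataclass
class Appliance:
    # App-ID cache keyed by (destination IP, destination port, protocol ID)
    app_id_cache: dict = field(default_factory=dict)

    def open_session(self, dst_ip, dst_port, proto):
        """Pick the egress interface at session creation."""
        app = self.app_id_cache.get((dst_ip, dst_port, proto))
        return APP_ROUTES.get(app, DEFAULT_IFACE)

    def classify(self, dst_ip, dst_port, proto, app):
        """Record the application once enough packets have identified it."""
        self.app_id_cache[(dst_ip, dst_port, proto)] = app


def simulate(events):
    """Replay (kind, dst_ip, dst_port, proto, app) events; return egress per 'open'."""
    fw, egress = Appliance(), []
    for kind, dst_ip, dst_port, proto, app in events:
        if kind == "open":
            egress.append(fw.open_session(dst_ip, dst_port, proto))
        else:
            fw.classify(dst_ip, dst_port, proto, app)
    return egress


# Constructed traffic: documentation-range addresses, TCP is protocol ID 6.
EVENTS = [
    ("open", "203.0.113.10", 443, 6, None),         # first session: app unknown
    ("classify", "203.0.113.10", 443, 6, "Skype"),  # identified after more packets
    ("open", "203.0.113.10", 443, 6, None),         # same tuple: cache hit
    ("open", "203.0.113.10", 3478, 6, None),        # different port: no match
    ("open", "203.0.113.20", 443, 6, None),         # different IP: no match
]

if __name__ == "__main__":
    opens = [e for e in EVENTS if e[0] == "open"]
    for (_, ip, port, proto, _), iface in zip(opens, simulate(EVENTS)):
        print(f"{ip}:{port}/{proto} -> {iface}")
```

In this model the first session to each new destination tuple leaves via the route-table interface, which matters when the App-Based Route is relied on for security rather than performance.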
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
NOTE: This feature is available only when Gateway AV/Anti-Spyware/Intrusion Prevention/App Control/App Visualization is licensed and App Control is enabled under POLICY | Security Services | App Control.
To configure an App-based route entry:
For example, let us create a route for the Skype application. You can also do this for a complete application category or a single application signature, depending on the Match Object added. Here, all traffic for the Skype application needs to be routed through the X1 WAN connection.
- Navigate to OBJECT | Match Objects | Match Objects.
- Click Add. The Match Object Settings dialog displays.
- Add the Skype application or the application as per your requirement.
- Click Save.
- Navigate to POLICY | Rules and Policies | Routing Rules to create a new policy.
- Click Add. A window for adding a new route policy opens.
- Select the option "App" and then select the "App Object" from the drop-down.
- Click on Next Hop.
- Select the Interface, Gateway and Metric as per your requirement.
- Click Save.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
NOTE: This feature is available only when Gateway AV/Anti-Spyware/Intrusion Prevention/App Control/App Visualization is licensed and App Control is enabled under MANAGE | Policies | Rules | App Control.
To configure an App-based route entry:
For example, let us create a route for the Skype application. You can also do this for a complete application category or a single application signature, depending on the Match Object added. Here, all traffic for the Skype application needs to be routed through the X1 WAN connection.
- Navigate to MANAGE | Policies | Objects | Match Objects.
- From Add, select Match Object. The Create Match Object dialog displays.
- Add the Skype application or the application as per your requirement.
- Click OK.
- Navigate to MANAGE | System Setup | Network | Routing to create the route policy. The chronology of steps for creating this is given in the screenshot below.