05/06/2020
App-Based Routing is a kind of PBF (policy-based forwarding) rule that lets traffic take a path other than the next hop specified in the route table. It is typically used to specify an egress interface for security or performance reasons.
When an App-Based Route entry is created, the security appliance initially does not have enough information to identify the application and therefore cannot enforce the route entry. As more packets arrive, the security appliance determines the application and creates an internal entry in the App-ID cache, which is retained for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the security appliance can identify the application as the same one seen in the initial session and apply the App-Based Route. Consequently, a session that is not an exact match and is not the same application cannot be forwarded based on the App-Based Route.
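The cache behaviour described above can be modelled in a few lines to show which sessions an App-Based Route does and does not catch. This is an added example, not the vendor's code: the default interface name X2, the three-packet identification threshold and the sample sessions are assumptions made for illustration, and cache expiry is not modelled.

```python
"""Simplified model of App-ID-cache-driven route selection (not vendor code)."""

DEFAULT_IF = "X2"              # assumed: interface the normal route table picks
APP_ROUTES = {"skype": "X1"}   # the article's example: Skype leaves via X1
PACKETS_TO_IDENTIFY = 3        # assumed: packets inspected before the app is known


class Appliance:
    def __init__(self):
        # (dst_ip, dst_port, protocol_id) -> application name
        self.app_cache = {}

    def open_session(self, dst_ip, dst_port, proto, app, packets):
        """Pick the egress interface at session setup, then learn the app."""
        key = (dst_ip, dst_port, proto)
        # Only a previous session to the same tuple can tell us the app now.
        egress = APP_ROUTES.get(self.app_cache.get(key), DEFAULT_IF)
        # Identification needs enough packets; short sessions teach nothing.
        if packets >= PACKETS_TO_IDENTIFY:
            self.app_cache[key] = app
        return egress


def replay(sessions):
    """Return (session, egress) pairs for sessions replayed in order."""
    fw = Appliance()
    return [(s, fw.open_session(*s)) for s in sessions]


def missed_by_policy(sessions):
    """Sessions of a routed app that still left via the default interface."""
    return [s for s, egress in replay(sessions)
            if s[3] in APP_ROUTES and egress != APP_ROUTES[s[3]]]


# Constructed sample traffic: (dst_ip, dst_port, protocol_id, app, packets)
SAMPLE = [
    ("203.0.113.10", 443, 6, "skype", 40),    # first session: cache is empty
    ("203.0.113.10", 443, 6, "skype", 25),    # same tuple: cache hit
    ("203.0.113.10", 3478, 17, "skype", 30),  # new port/protocol: no hit
    ("203.0.113.10", 3478, 17, "skype", 12),  # now cached
    ("198.51.100.7", 443, 6, "skype", 2),     # too short to be identified
    ("198.51.100.7", 443, 6, "skype", 50),    # still no entry for this tuple
]

if __name__ == "__main__":
    for session, egress in replay(SAMPLE):
        print(egress, session)
```

When the route exists for security reasons, the sessions returned by `missed_by_policy` are the ones to account for, since they leave through the default path rather than the intended interface.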
This feature is available on all firmware versions post 22.214.171.124.
NOTE: This feature is available only when Gateway AV/Anti-Spyware/Intrusion Prevention/App Control/App Visualization is licensed and App Control is enabled in MANAGE | Policies > Rules > App Control.
To configure an App-based route entry:
For example, let us create a route for the Skype application, so that all Skype traffic is routed through the X1 WAN connection. Depending on the Match Object you add, you can do the same for a complete application category or a single application signature.
- Navigate to MANAGE | Policies > Objects > Match Objects.
- From Add, select Match Object. The Create Match Object dialog displays.
- Add the Skype application, or another application as per your requirement.
- Click OK.
- Navigate to MANAGE | System Setup > Network > Routing to create the route policy. The sequence of steps for creating it is shown in the screenshot below.