Understanding Application-Based Routing
The relentless growth of voice, data, and video traffic and applications traversing the network requires that networks recognize traffic types to effectively prioritize, segregate, and route traffic without compromising performance or availability. SRX Series Services Gateways support advanced policy-based routing (APBR), also known as application-based routing, to address these requirements.
APBR Monitoring Widget is not supported in Security Director.
APBR is a type of session-based, application-aware routing. This mechanism combines policy-based routing with an application-aware traffic management solution. APBR implies classifying flows based on the attributes of the applications and applying filters based on these attributes to redirect the traffic. The flow-classifying mechanism is based on packets representing the application in use.
APBR implements:
Deep packet inspection (DPI) and pattern-matching capabilities of application identification to identify application traffic or a user session within an application
Lookup in the application system cache (ASC) for application type and the corresponding destination IP address, destination port, protocol type, and service for a matching rule
If a matching rule is found, the traffic is directed to an appropriate route and the corresponding interface or device.
APBR provides the following advantages:
Enables you to define the routing behavior based on application attributes.
Extends the scope of static routes by providing more flexible traffic-handling capabilities by offering granular control for forwarding packets based on application attributes.
APBR involves the following workflow:
Creating an APBR profile (also referred to as an application profile in this document) that will match the type of traffic that you are going to direct to a different next hop. The profile includes multiple rules. Each rule can contain multiple applications or application groups. If the application matches any of the application or application groups of a rule in a profile, the application profile rule is considered as a match.
Associating a routing instance with the application profile rule. When the traffic on the ingress zone and interface matches an application profile, the associated static route and next hop defined in the routing instance are used to route the traffic for the particular session.
Associating the application profile to the ingress traffic. The application profile can be attached to a security zone or it can be attached to a specific logical or physical interface associated with the security zone. If the application profile is applied to a security zone, then all interfaces belonging to that zone are attached to the application profile by default unless a specific configuration already exists for that interface.
Figure 1 shows the sequence in which APBR techniques are applied.
The following procedure explains the application-based routing:
APBR evaluates the packets based on incoming interface to determine whether the session is a candidate for application-based routing. If the traffic has not been flagged for application-based routing, it undergoes normal processing (non-APBR route).
If the session needs application-based routing, APBR queries the application system cache (ASC) module to get the application attributes details (IP address, destination port, protocol type, and service).
If the application is found, it is further processed for a matching rule in the APBR profile (see Step 3).
APBR uses the application details to look for a matching rule in the APBR profile (application profile). If a matching rule is found, the traffic is redirected to the specified routing instance for route lookup.