rule (Advanced Policy-Based Routing)
Syntax
rule rule-name {
    disable-midstream-routing;
    match {
        category (juniper-enhanced-category | custom-category);
        dynamic-application [system-application | any];
        dynamic-application-group [system-application-group];
        dscp dscp-value;
    }
    then {
        application-services-bypass;
    }
}
Hierarchy Level
[edit security advance-policy-based-routing profile profile-name]
Release Information
Statement introduced in Junos OS Release 15.1X49-D60.
The option category is introduced in Junos OS Release 18.3R1.
Junos OS Release 19.3R1 supports the option dscp.
Junos OS Release 20.1R1 supports the option any for dynamic-application.
Description
Configure rules for the advanced policy-based routing
(APBR) profile (application profile). Associate the rule with one
or more dynamic applications, application groups, or URL
categories as follows:
For matching the dynamic applications, APBR consults the
application identification (AppID) and application system cache (ASC)
to get the application type. If the application matches any of the
applications or application groups of a rule in a profile, the application
profile rule is considered to be a match, and the traffic is redirected
to the defined routing instance for the route lookup.
You can use a DSCP value in an APBR rule as a match
criterion to perform advanced policy-based routing on traffic with
DSCP markings. You can use the DSCP value in addition to the dynamic
applications in an APBR rule.
For matching the URL categories, APBR leverages category
identification from the Enhanced Web Filtering (EWF) and local Web
filtering results obtained from the unified threat management (UTM)
module. Web filtering classifies websites into categories. If the
traffic matches the URL categories specified in the rule of the APBR
profile, it is redirected to the defined routing instance.
Options
disable-midstream-routing—Selectively disable APBR in the middle of a session for a specific
APBR rule.
match—Define the match criteria for traffic in an APBR profile rule.
category (juniper-enhanced-category | custom-category)—Define the category type as Juniper Enhanced Web Filtering (EWF),
or as a custom category if you are using local Web filtering.
juniper-enhanced-category—Define URL categories such as Enhanced_Social_Web_Facebook,
Enhanced_Social_Web_Linkedin, Enhanced_Social_Web_Twitter or Enhanced_Social_Web_Youtube
as match criteria in an APBR profile rule.
custom-category—Define either a custom URL or the IP address of a site as
match criteria in an APBR profile rule.
dynamic-application [system-application | any]—Specify the dynamic application
names to use as match criteria in an APBR rule.
dynamic-application-group [system-application-group]—Specify the dynamic application groups to use as match
criteria in an APBR rule.
dscp [dscp-value]—Specify a DSCP value as match criteria in an APBR rule.
then—Define the action
for the match condition by specifying the routing instance name.
application-services-bypass—Bypass application services for traffic matching
the APBR rule. Because URL category-based routing enables you to identify
and selectively route Web traffic (HTTP and HTTPS) to a specified
destination or to another device where further inspection is performed, you can
choose not to apply (bypass) application services on the same session.
You can exclude traffic from security services when additional
throughput is required, or when traffic is going from one trusted device to
another trusted device.
routing-instance name—Name of the routing instance for redirecting traffic.
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
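Added example, not part of the Juniper documentation: a Python check that reads "show configuration security | display set" output and lists the APBR rules that carry application-services-bypass, because traffic matching those rules is not processed by application services. The sample configuration is constructed, and every profile, rule and routing-instance name in it is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `show configuration security | display set` output.
# Profile, rule and routing-instance names are made up for this example.
SAMPLE = """\
set security advance-policy-based-routing profile p1 rule r-voice match dynamic-application junos:SIP
set security advance-policy-based-routing profile p1 rule r-voice match dscp 46
set security advance-policy-based-routing profile p1 rule r-voice then routing-instance RI-voice
set security advance-policy-based-routing profile p1 rule r-social match category Enhanced_Social_Web_Facebook
set security advance-policy-based-routing profile p1 rule r-social then routing-instance RI-inspect
set security advance-policy-based-routing profile p1 rule r-social then application-services-bypass
set security advance-policy-based-routing profile p1 rule r-all match dynamic-application any
set security advance-policy-based-routing profile p1 rule r-all then routing-instance RI-fast
set security advance-policy-based-routing profile p1 rule r-all then application-services-bypass
set security advance-policy-based-routing profile p1 rule r-all disable-midstream-routing
"""

LINE = re.compile(
    r"^set security advance-policy-based-routing profile (\S+) rule (\S+) (.+)$")

def parse_rules(text):
    """Return {(profile, rule): {"match": [...], "then": [...], "flags": [...]}}."""
    rules = defaultdict(lambda: {"match": [], "then": [], "flags": []})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an APBR rule statement
        profile, rule, rest = m.groups()
        section, _, value = rest.partition(" ")
        if section in ("match", "then"):
            rules[(profile, rule)][section].append(value)
        else:
            rules[(profile, rule)]["flags"].append(rest)  # e.g. disable-midstream-routing
    return dict(rules)

def bypass_findings(rules):
    """List rules whose matching traffic skips application services."""
    findings = []
    for (profile, rule), body in sorted(rules.items()):
        if "application-services-bypass" not in body["then"]:
            continue
        # `dynamic-application any` makes the bypass apply to every application.
        broad = "dynamic-application any" in body["match"]
        findings.append({"profile": profile, "rule": rule,
                         "match": body["match"], "match_any": broad})
    return findings

if __name__ == "__main__":
    for finding in bypass_findings(parse_rules(SAMPLE)):
        print(finding)
```

Rules reported with match_any set to True deserve the closest review, since the bypass is then not limited to a named application, group or category.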