rule (Advanced Policy-Based Routing)



Hierarchy Level

[edit security advance-policy-based-routing profile profile-name]

Release Information

Statement introduced in Junos OS Release 15.1X49-D60. The option category is introduced in Junos OS Release 18.3R1. Junos OS Release 19.3R1 supports the option dscp. Junos OS Release 20.1R1 supports the option any for dynamic-application.


Configure rules for the advanced policy-based routing (APBR) profile (application profile). Associate the rule with one or more dynamic applications, application groups, or URL categories as follows:

  • For matching the dynamic applications, APBR consults the application identification (AppID) and application system cache (ASC) to get the application type. If the application matches any of the applications or application groups of a rule in a profile, the application profile rule is considered to be a match, and the traffic is redirected to the defined routing instance for the route lookup.

  • You can use a DSCP value in an APBR rule as a match criterion to perform advanced policy-based routing on traffic with DSCP markings. You can use the DSCP value in addition to the dynamic applications in an APBR rule.

  • For matching the URL categories, APBR leverages category identification from the Enhanced Web Filtering (EWF) and local Web filtering results obtained from the unified threat management (UTM) module. Web filtering classifies websites into categories. If the traffic matches the URL categories specified in the rule of the APBR profile, it is redirected to the defined routing instance.


disable-midstream-routing: Selectively disable APBR in the middle of a session for a specific APBR rule.

match: Define the match criteria for matching traffic in the APBR profile rule.

category (juniper-enhanced-category | custom-category): Define the category type as a Juniper Enhanced Web Filtering (EWF) category or, if you are using local Web filtering, a custom category.

juniper-enhanced-category: Define URL categories such as Enhanced_Social_Web_Facebook, Enhanced_Social_Web_Linkedin, Enhanced_Social_Web_Twitter, or Enhanced_Social_Web_Youtube as match criteria in the APBR profile rule.

custom-category: Define either a custom URL or the IP address of a site as match criteria in the APBR profile rule.

dynamic-application [system-application | any]: Specify the dynamic application names for match criteria in the APBR rule.

dynamic-application-group [system-application-group]: Specify the dynamic application groups for match criteria in the APBR rule.

dscp [dscp-value]: Specify a DSCP value as match criteria in the APBR rule.

Range: 0-63

then: Define the action for the match condition by specifying the routing instance name.

application-services-bypass: Bypass application services for traffic that matches the APBR rule. Because URL category-based routing enables you to identify and selectively route Web traffic (HTTP and HTTPS) to a specified destination or to another device where further inspection takes place, you can choose not to apply application services on the same session. You can exclude traffic from security services when additional throughput is required, or when traffic is going from one trusted device to another trusted device.

routing-instance name: Name of the routing instance for redirecting traffic.
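
The following is an added example, not part of the Juniper documentation: a Python review check over set-format APBR rule statements that flags rules using application-services-bypass, rules with no routing-instance action, dscp values outside the 0-63 range, and rules matching dynamic-application any. The profile, rule, and routing-instance names and the sample lines are constructed, and the set-format layout under the hierarchy level above is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format; all profile, rule and instance names are hypothetical.
SAMPLE_CONFIG = """\
set security advance-policy-based-routing profile apbr-p1 rule r-http match dynamic-application junos:HTTP
set security advance-policy-based-routing profile apbr-p1 rule r-http match dscp 46
set security advance-policy-based-routing profile apbr-p1 rule r-http then routing-instance RI-1
set security advance-policy-based-routing profile apbr-p1 rule r-social match category Enhanced_Social_Web_Facebook
set security advance-policy-based-routing profile apbr-p1 rule r-social then routing-instance RI-2
set security advance-policy-based-routing profile apbr-p1 rule r-social then application-services-bypass
set security advance-policy-based-routing profile apbr-p1 rule r-any match dynamic-application any
set security advance-policy-based-routing profile apbr-p1 rule r-any match dscp 70
"""

RULE_RE = re.compile(
    r"^set security advance-policy-based-routing profile (\S+) rule (\S+) (.+)$")

def parse_rules(config):
    """Return {(profile, rule): [tokenized statement, ...]} for every APBR rule line."""
    rules = defaultdict(list)
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[(m.group(1), m.group(2))].append(m.group(3).split())
    return rules

def audit(config):
    """Return sorted (profile, rule, finding) tuples that deserve a reviewer's attention."""
    findings = []
    for (profile, rule), stmts in parse_rules(config).items():
        if ["then", "application-services-bypass"] in stmts:
            findings.append((profile, rule, "bypasses application services"))
        if not any(len(s) == 3 and s[:2] == ["then", "routing-instance"] for s in stmts):
            findings.append((profile, rule, "no routing-instance action"))
        for s in stmts:
            # The page gives the dscp range as 0-63; only the numeric form is checked here.
            if s[:2] == ["match", "dscp"] and not (len(s) == 3 and s[2].isdigit() and int(s[2]) <= 63):
                findings.append((profile, rule, "dscp outside 0-63"))
            if s == ["match", "dynamic-application", "any"]:
                findings.append((profile, rule, "matches any dynamic application"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

Rules flagged for application-services-bypass are the ones to check against the stated use cases: traffic that is inspected on another device, or traffic between trusted devices.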

Required Privilege Level

services—To view this statement in the configuration.

services-control—To add this statement to the configuration.