Beginning with Junos 15.1X49-D60, Application Identification (AppID) supports policy-based routing called Advanced Policy-Based Routing (APBR). This article provides an example of how to configure and verify APBR using a custom application signature.
Topology

The SRX has two routes to the HTTP server in this topology: the blue route, which is the default route, and the red route. To avoid congestion on the default path, the SRX can forward traffic that matches an application signature over a preferred route by using a feature called APBR.
The predefined AppID signature package covers the major applications. If an application is specific to your environment, however, a custom AppID signature can be created so that the SRX can distinguish that application.
For details of APBR, see Understanding Advanced Policy-Based Routing.
Goal
To forward HTTP traffic accessing ‘http://abc123.com’ by using APBR with a custom application signature
Prerequisite
An AppID license is required to configure the custom AppID signature. Verify that the license is installed on the SRX with the command show system license.
root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  appid-sig                             0            1           0    2017-11-24 00:00:00 UTC
For information about AppID license, refer to Understanding the Junos OS Application Package Installation.
Configuration
- Define a custom signature.
Example: Create 'custom-http'
set services application-identification application custom-http cacheable
set services application-identification application custom-http over HTTP signature s1 member m01 context http-header-host
set services application-identification application custom-http over HTTP signature s1 member m01 pattern ".*abc123.*"
set services application-identification application custom-http over HTTP signature s1 member m01 direction client-to-server
Note that APBR requires the application cache to work, so remember to configure the "cacheable" statement (the first line of the example above).
Notes:
- Regular expressions can be used to define patterns. For example, pattern ".*abc123.*" will match "abc123.com", "www.abc123.net", and so on.
- In this configuration, the context http-header-host matches the pattern against the value of the "Host" header of the HTTP GET request.
- For troubleshooting, if the SRX does not block or, as in this example, reroute the URL in spite of the custom signature being configured, collect a packet capture and check that the string written in the pattern is actually present in the "Host" header.

For more details, refer to Example: Configuring Junos OS Application Identification Custom Application Signatures.
- Configure APBR and the related routing and zone configuration.
Create an APBR profile:
set security advance-policy-based-routing profile p1 rule r1 match dynamic-application custom-http
set security advance-policy-based-routing profile p1 rule r1 then routing-instance R1
Create a routing instance and import the routes from inet.0 into R1:
set routing-instances R1 instance-type forwarding
set routing-instances R1 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options interface-routes rib-group inet apbr_group
set routing-options rib-groups apbr_group import-rib inet.0
set routing-options rib-groups apbr_group import-rib R1.inet.0
Apply the APBR profile to a security zone:
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust advance-policy-based-routing-profile p1
Here is the rest of the configuration for SRX in this topology, for reference:
set interfaces ge-0/0/2 unit 0 family inet address 192.168.50.254/24
set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.254/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.0.254/24
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust interfaces ge-0/0/5.0
set security policies from-zone trust to-zone untrust policy tr-un match source-address any
set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
set security policies from-zone trust to-zone untrust policy tr-un match application any
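As an added example (not part of the original article), the following Python models how the custom-http signature and APBR rule r1 above would classify a request: it extracts the Host header (the http-header-host context), applies the page's pattern, honours the client-to-server direction and selects routing instance R1 or the default table. It assumes the pattern is matched against the whole Host value, which is why the page's pattern carries leading and trailing '.*'; the sample requests are constructed.

```python
import re
from typing import Optional

# Emulation of the page's custom-http signature (context http-header-host,
# pattern ".*abc123.*", direction client-to-server) and of APBR rule r1, which
# sends matching sessions to routing instance R1. Next hops are the page's config.
SIGNATURE_PATTERN = re.compile(r".*abc123.*")
NEXT_HOP = {"R1": "192.168.0.1", "inet.0": "10.0.0.1"}   # red route, default route

def http_host(request: bytes) -> Optional[str]:
    """Return the Host header of an HTTP request (the value the signature inspects)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def matches_custom_http(request: bytes, direction: str = "client-to-server") -> bool:
    """True when the request would be classified as custom-http.

    Assumption: Junos applies the pattern to the whole context string, which is
    why the page's pattern needs the leading and trailing '.*' (fullmatch here).
    """
    if direction != "client-to-server":           # signature member m01 is one-directional
        return False
    host = http_host(request)
    return host is not None and SIGNATURE_PATTERN.fullmatch(host) is not None

def apbr_routing_instance(request: bytes, direction: str = "client-to-server") -> str:
    """Routing instance APBR would use: R1 on a rule match, otherwise the default inet.0."""
    return "R1" if matches_custom_http(request, direction) else "inet.0"

# Constructed sample requests (not captured traffic).
REQ_MATCH = b"GET / HTTP/1.1\r\nHost: www.abc123.net\r\nUser-Agent: example\r\n\r\n"
REQ_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
REQ_NOHOST = b"GET / HTTP/1.0\r\n\r\n"                # no Host header: nothing to match

if __name__ == "__main__":
    for req in (REQ_MATCH, REQ_OTHER, REQ_NOHOST):
        ri = apbr_routing_instance(req)
        print(f"Host={http_host(req)!r:22} -> {ri} (next hop {NEXT_HOP[ri]})")
```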
The command show security advance-policy-based-routing statistics displays the statistics counters for APBR.
root> show security advance-policy-based-routing statistics
Advance Profile Based Routing statistics:
Session Processed: 5529
ASC Success: 3113
Rule match success: 107 <<< This counter increases when the SRX detects application traffic that matches the APBR profile.
Route modified: 107
AppID Requested: 2416
Also, the command show security flow session can help you see whether or not the specific traffic is sent out of the expected interface.
root> show security flow session
Session ID: 279004, Policy name: tr-mg/6, Timeout: 298, Valid
In: 192.168.50.1/52529 --> 172.27.117.198/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 10, Bytes: 3241,
Out: 172.27.117.198/80 --> 192.168.0.30/32368;tcp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 9, Bytes: 3577,
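As an added example (not part of the original article), this Python parses the two show outputs above and automates the checks they are used for: that every APBR rule match also modified a route, and that TCP/80 sessions leave through the red-route interface ge-0/0/5.0 rather than ge-0/0/3.0. The sample text is constructed from the page's output; the second session and the policy name tr-un are assumptions chosen to match this page's configuration.

```python
import re
# Sample output modelled on the page's two show commands (constructed, not live output).
APBR_STATS = """\
Advance Profile Based Routing statistics:
  Session Processed: 5529
  ASC Success: 3113
  Rule match success: 107
  Route modified: 107
  AppID Requested: 2416
"""
FLOW_SESSIONS = """\
Session ID: 279004, Policy name: tr-un/6, Timeout: 298, Valid
  In: 192.168.50.1/52529 --> 172.27.117.198/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 10, Bytes: 3241,
  Out: 172.27.117.198/80 --> 192.168.0.30/32368;tcp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 9, Bytes: 3577,
Session ID: 279005, Policy name: tr-un/6, Timeout: 1800, Valid
  In: 192.168.50.1/52530 --> 172.27.117.198/443;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 4, Bytes: 512,
  Out: 172.27.117.198/443 --> 10.0.0.254/52530;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 3, Bytes: 400,
"""
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)\s*$")
WING_RE = re.compile(r"^\s*(In|Out):\s+\S+/(\d+)\s+-->\s+\S+/(\d+);(\w+),.*?If:\s+(\S+),")

def parse_apbr_stats(text):
    """Map each 'Counter name: N' line of the statistics output to an int."""
    return {m.group(1): int(m.group(2)) for m in map(COUNTER_RE.match, text.splitlines()) if m}

def apbr_consistent(counters):
    """Every APBR rule match should also have modified a route (107 and 107 on the page)."""
    return counters.get("Rule match success", 0) > 0 and \
        counters["Rule match success"] == counters["Route modified"]

def parse_flow_sessions(text):
    """Collect each session's In and Out wings: ports, protocol and interface."""
    sessions, cur = [], None
    for line in text.splitlines():
        sid = re.match(r"Session ID:\s*(\d+)", line)
        if sid:
            cur = {"id": int(sid.group(1))}
            sessions.append(cur)
        else:
            m = WING_RE.match(line)
            if m and cur is not None:
                cur[m.group(1)] = {"sport": int(m.group(2)), "dport": int(m.group(3)),
                                   "proto": m.group(4), "if": m.group(5)}
    return sessions

def misrouted_http(sessions, expected_if):
    """IDs of TCP/80 sessions whose Out interface is not the one APBR should have chosen."""
    return [s["id"] for s in sessions if "In" in s and "Out" in s
            and s["In"]["dport"] == 80 and s["Out"]["if"] != expected_if]
```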
2018-09-28: Configuration corrected in Solution; a few other minor (non-technical) modifications made