Chapter 19. Policy-Based Routing

19.0. Introduction

The primary goal of a network device is to provide a network path for traffic from one host to another. This goal can be achieved in many different ways, including via static routing, or via dynamic routing protocols such as Open Shortest Path First (OSPF) or the Border Gateway Protocol (BGP). The ability to control the network path using these methods is limited, however, because the forwarding decision is based almost entirely on the packet's destination IP address. Another option is source-based routing. Although source-based routing lets you base the decision on the packet's source IP address, the network device still sends all traffic from that source address along the same path, regardless of the application it belongs to. Furthermore, none of these conventional routing methods lets you control traffic based on the packet's deeper headers, such as the Transmission Control Protocol/User Datagram Protocol (TCP/UDP) header. As an alternative, you can use policy-based routing (PBR), which enables you to control the network path based on the five-tuple: source IP, source port, destination IP, destination port, and protocol. PBR also enables you to route traffic based on the Type of Service (ToS) bits in the IP header.

This ability to control the network path based on the IP header and the TCP/UDP header gives you the flexibility to route traffic differently for each application. A user’s experience could depend on the application he is using and how the traffic is forwarded (e.g., using high-speed ...
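To make the five-tuple and ToS matching concrete, here is an added ScreenOS configuration example (written for this page; it is not a recipe from the book). It steers HTTP from one subnet out a secondary interface and steers DSCP-marked voice traffic out a third, while everything else falls through to the normal route table. The interface names, addresses, ACL numbers, group and policy names, and the ToS value are all assumptions chosen for illustration.

```screenos
# Extended ACL 1: match the five-tuple for HTTP from the 10.1.1.0/24 subnet.
# src-port 0-65535 means "any source port"; dst-port 80-80 is a single port.
set access-list extended 1 src-ip 10.1.1.0/24 dst-ip 0.0.0.0/0 src-port 0-65535 dst-port 80-80 protocol tcp entry 1

# Extended ACL 2: match on the ToS byte instead of ports.
# The value 184 (0xB8) is DSCP EF shifted into the ToS byte; assumed here
# as the marking your voice gateway applies.
set access-list extended 2 src-ip 0.0.0.0/0 dst-ip 0.0.0.0/0 protocol udp tos 184 entry 1

# Match groups bind ACLs; match entries are evaluated in order and the first hit wins.
set match-group name http-match
set match-group http-match ext-acl 1 match-entry 1
set match-group name voice-match
set match-group voice-match ext-acl 2 match-entry 1

# Action groups name the alternate path: the egress interface and next hop.
# If the next hop is unreachable the action is skipped and normal routing applies.
set action-group name via-isp2
set action-group via-isp2 next-interface ethernet0/2 next-hop 203.0.113.1 action-entry 1
set action-group name via-voice-link
set action-group via-voice-link next-interface ethernet0/3 next-hop 198.51.100.1 action-entry 1

# The PBR policy pairs match groups with action groups; the trailing number is
# the sequence in which the pairs are checked. Unmatched traffic uses the route table.
set pbr policy name app-steering
set pbr policy app-steering match-group voice-match action-group via-voice-link 1
set pbr policy app-steering match-group http-match action-group via-isp2 2

# Bind the policy where the traffic enters; binding to the interface is the
# narrowest scope (a zone or virtual router binding is also possible).
set interface ethernet0/0 pbr app-steering
```

Two practical checks before relying on a policy like this: PBR changes only the forwarding path, so the traffic must still be permitted by a firewall policy between the relevant zones, and because the device is a stateful firewall, the return traffic for a PBR-steered flow must come back through the same device (and, if different zones are involved, through a path the session table expects), or the replies will be dropped as out-of-state.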
