I have two isps, Frontier and Spectrum.  My Frontier connection is a 1 gbps fiber optic connection and Spectrum is 450 mbps cable.  For obvious reasons, I want most traffic to prefer the Frontier connection.  There is a Palo Alto Firewall connected to both ISPs and my local network.  It serves as my firewall and default gateway for all the hosts on my lan.

Here's where the problem comes into play.  My TVs are smart and have the Spectrum TV app.  This application lets Spectrum subscribers view Spectrum TV over the internet.  However, Spectrum only offers a subset of channels if you're not on the Spectrum network.  The solution is to policy route the Spectrum App destinations over the Spectrum ISP.  However, here's where the trouble lies.  These destinations are not static and the application itself seems to add additional destinations with each update.  Try as I might to capture all the destinations in a group and policy route those destinations, inevitably, something is missed and I get the limited list of channels. 

The solution is to use a dynamic address group as the source for the policy based forwarding rule.  

The primary url that the app uses is "watch.spectrum.net".  I've defined this a FQDN in an address object.  Next, I built a TagAsTelevision Log Forwarding Profile, with the Built-In Action as a Tag as Televison with an expiry of 30 minutes.

Next, I created an access rule with the source being my local lan, destination as "watch.spectrum.net", action allow, with the log forwarding profile at log at session start with the TagAsTelevision log forwarding profile.

Next I created a address group object as type dynamic named TVs with match criteria being 'Televison' which was the Tag action from the Log Forwarding Profile. 

Finally, I created a policy based forwarding rule with the Source as TVs to egress through the Spectrum ISP by setting the nexthop as the Spectrum router ip.

In summary, the logic goes like this, if any device on my local network requests the FQDN "watch.spectrum.net" the allow rule triggers a log forwarding profile that Tag's the Source as a Televison.  Objects with that Tag are matched by dynamic address group TVs.  TVs are policy based forwarded to Spectrum ISP.   If the request to "watch.spectrum.net" doesn't happen for 30 minutes, the tag expires and the source routes normally out the Frontier ISP.

This allows for the TVs to use Netflix, Max, Hulu, etc. through the faster isp.  But if someone wants to watch Spectrum TV the ISP switches to Spectrum automatically.

This solution is a creative use of a feature that was designed as a method of tagging malicious traffic.  The premise is this, malicious traffic is sent via a log forwarding profile that marks the sources with a tag.  A dynamic address group can be created to match that tag.  This tag can be used to block sources that have been marked with that tag. 

For example, ip addresses that hit a honey pot destination as an allow rule with a log profile that tags the sources. This Tag can be used in a dynamic address group to block further access from that group by creating a drop rule with that dynamic address group as the source.

Similarly, this could be a URL filtering rule with the category "command-and-control" that tags hosts as "infected"  and then subsequent rules could block all access from "infected".

In summary, the solution doesn't care if the traffic is malicious or benign, the logic is the same, tag traffic, then do something with the tagged traffic.