Predefined Application Signatures for Application Identification

The predefined application signature package is a dynamically loadable module that provides application classification functionality and the associated protocol attributes. It is hosted on an external server and can be downloaded as a package and installed on the device. For more information, see the following topics:

Understanding the Junos OS Application Package Installation

Juniper Networks regularly updates the predefined application signature package database and makes it available to subscribers on the Juniper Networks website. This package includes signature definitions of known application objects that can be used to identify applications for tracking, firewall policies, quality-of-service prioritization, and Intrusion Detection and Prevention (IDP). The database contains application objects such as FTP, DNS, Facebook, Kazaa, and many instant messenger programs.

You need to download and install the application signature package before configuring application services. When IDP is in use, the application signature package is included directly in the IDP security package and does not need to be downloaded separately.

  • If you have IDP enabled and plan to use application identification, you can continue to run the IDP signature database download. To download the IDP signature database, run the following command: request security idp security-package download. The application package download can be performed manually or automatically. See Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package.

    Note:

    If you have an IDP-enabled device and plan to use application identification, we recommend that you download only the IDP signature database. This will avoid having two versions of the application database, which could become out of sync.

  • If you do not have IDP enabled and plan to use application identification, you can run the following commands: request services application-identification download and request services application-identification install. These commands will download the application signature database and install it on the device.

    You can perform the download manually or automatically. When you download the extracted package manually, you can change the download URL.

    After downloading and installing the application signature package, use CLI commands to download and install database updates, and view summary and detailed application information.

    See Downloading and Installing the Junos OS Application Signature Package Manually or Example: Scheduling the Application Signature Package Updates.

    Note:

    The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content but you cannot update the data.

    Note:

    Starting from Junos OS Release 15.1X49-D50 and Junos OS Release 17.3, when you upgrade or downgrade an application signature package, an error message is displayed if the application IDs (the unique ID number of an application signature) differ between the protocol bundles and the affected applications are configured in AppFW or AppQoS rules.

    Example:

    As a workaround, disable the AppFW and AppQoS rules before upgrading or downgrading an application signature package. You can reenable AppFW and AppQoS rules once the upgrade or downgrade procedure is complete.

    Note:

    On all security devices, J-Web pages for AppSecure Services are preliminary. We recommend using the CLI for configuration of AppSecure features.

Note:

This feature requires a license. To learn more about the Junos OS application signature package, refer to the Juniper Licensing Guide for general information about license management. Refer to the product data sheets at SRX Series Services Gateways for details, or contact your Juniper account team or Juniper partner.

Upgrading to Next-Generation Application Identification

Starting from Junos OS Release 12.1X47-D10, next-generation application identification is supported. You must install Junos OS Release 12.1X47-D10 to migrate from existing, or legacy, application identification to next-generation application identification.

Security devices installed with Junos OS builds with legacy application identification include legacy application identification security packages. When you upgrade these devices with Junos OS Release 12.1X47-D10, the next-generation application identification security package is installed along with the default protocol bundle. The device is automatically upgraded to next-generation application identification.

Note:
  • The next-generation application identification security package introduces incremental updates to the legacy application identification package. You are not required to remove or uninstall any existing applications.

  • Applications supported in previous releases (Junos OS Release 12.1X46 or earlier) might have new aliases or alternative names in the new version. Existing configurations that use such applications still work in Junos OS Release 12.1X47; however, related logs and other information use the new name. You can use the show services application-identification application detail new-application-name command to get the details of an application.

  • When you upgrade Junos OS, you can include the validate or no-validate options with the request system software add command. Because the existing features, which are not part of next-generation application identification, are deprecated, incompatibility issues are not seen.

  • Next-generation application identification eliminates the generation of new nested applications and treats existing nested applications as normal applications. In addition, next-generation application identification does not support custom applications or custom application groups. Existing configurations involving any nested applications, custom applications, or custom application groups are ignored with warning messages.

Installing and Verifying Licenses for an Application Signature Package

The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content.

Licensing is usually ordered when the device is purchased, and this information is bound to the chassis serial number. These instructions assume that you already have the license. If you did not order the license during the purchase of the device, contact your account team or Juniper customer care for assistance. For more information, refer to the Knowledge Base article KB9731 at https://kb.juniper.net/InfoCenter/index?page=home.

Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX1500 devices, AppSecure is part of the Junos Software Enhanced (JSE) software license package. No separate license key for AppSecure is available. You must use the JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.

Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX300, SRX320, SRX340, and SRX345 devices, AppSecure is part of the Junos Software Enhanced (JSE) software license package. No separate license key for AppSecure is available. You must use the JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.

Starting from 15.1X49-D65 and Junos OS Release 17.3R1, on SRX4100 and SRX4200 devices, AppSecure is part of the Junos Software Enhanced (JSE) license package. No separate license key for AppSecure is available. You must use the JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.

The Junos Software Base (JSB) package does not include application signatures. Refer to the product data sheets at SRX Series Services Gateways for details, or contact your Juniper account team or Juniper partner.

You can install the license on the SRX Series Firewall using either the automatic method or manual method as follows:

  • Install your license automatically on the device.

    To install or update your license automatically, your device must be connected to the Internet.

  • Install the licenses manually on the device.

    Paste the license key and press Enter to continue.

  • Verify the license is installed on your device.

    Use the show system license command to view license usage, as shown in the following example:

    The output sample is truncated to display only license usage details.

Downloading and Installing the Junos OS Application Signature Package Manually

This example shows how to download the application signature package, create a policy, and identify it as the active policy.

Requirements

Before you begin:

  • Ensure that your security device has a connection to the Internet to download security package updates.

    Note:

    DNS must be set up because you need to resolve the name of the update server.

  • Ensure that you have installed the application identification feature license.

This example uses the following hardware and software components:

  • An SRX Series device

  • Junos OS Release 12.1X47-D10

Overview

Juniper Networks regularly updates the predefined application signature package database and makes it available on the Juniper Networks website. This package includes application objects that can be used in Intrusion Detection and Prevention (IDP), application firewall policy, and AppTrack to match traffic.

Configuration

CLI Quick Configuration

CLI quick configuration is not available for this example because manual intervention is required during the configuration.

Downloading and Installing Application Identification

Step-by-Step Procedure
  1. Download the application package.

    Download retrieves the application package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.

    You can also download a specific version of the application package, or download the application package from a specific location, by using the following options:

    • To download a specific version of the application package:

    • To change the download URL for the application package from configuration mode:

      Note:

      If you change the download URL and you want to keep that change, make sure you commit the configuration.

  2. Check the download status.

    Note:

    You can also use the system log to view the result of the download. Starting in Junos OS Release 20.4R1, system log messages are updated to display the application signature package download and installation results.

  3. Install the application package.

    The application package is installed in the application signature database on the device.

  4. Check the installation status of the application package.

    The command output displays information about the downloaded and installed versions of the application package and protocol bundle.

    • To view the installation status:

    • To view the protocol bundle status:

      Note:

      It is possible that an application signature was removed from the newer version of an application signature database. If this signature is used in an existing application firewall policy on your device, the installation of the new database will fail. An installation status message identifies the signature that is no longer valid. To update the database successfully, remove all references to the deleted signature from your existing policies and groups, and rerun the install command.

Verification

Confirm that the configuration is working properly.

Verifying the Application Identification Status

Purpose

Verify that the application identification configuration is working properly.

Action

From operational mode, enter the show services application-identification status command.

Meaning

The Status: Enabled field shows that application identification is enabled on the device.

Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package

You can download and install application signatures through intrusion detection and prevention (IDP) security packages.

This example shows how to enhance security by downloading and installing the IDP signatures and application signature package. In this case, both IDP signature pack and application signature pack are downloaded with a single command.

Requirements

Before you begin:

  • Ensure that your SRX Series Firewall has a connection to the Internet to download security package updates.

    Note:

    DNS must be set up because you need to resolve the name of the update server.

  • Ensure that you have installed the application identification feature license.

This example uses the following hardware and software components:

  • An SRX Series Firewall

  • Junos OS Release 12.1X47-D10

Overview

In this example, you download and install the signature database from the Juniper Networks website.

Configuration

Downloading and Installing the Signature Database

CLI Quick Configuration

CLI quick configuration is not available for this example because manual intervention is required during the configuration.

Step-by-Step Procedure

To download and install application signatures:

  1. Download the signature database.

    Note:

    Downloading the database might take some time depending on the database size and the speed of your Internet connection.

  2. Check the security package download status.

  3. Install the attack database.

    Note:

    Installing the attack database might take some time depending on the security database size.

  4. Check the attack database install status. The command output displays information about the downloaded and installed versions of the attack database.

  5. Confirm your IDP security package version.

  6. Confirm your application identification package version.

Verification

Confirm that the application signature package is being updated properly.

Verifying application signature package

Purpose

Verify the services application identification version.

Action

From operational mode, enter the show services application-identification version command.

Meaning

The sample output shows that the services application identification version is 1884.

Downloading Junos OS Application Signature Package from A Proxy Server

This example shows how to create a proxy profile and use it for downloading the application signature package from a proxy server.

Configuration

Step-by-Step Procedure

Create a proxy profile and apply it for downloading the application package through the proxy server.

  1. Create a proxy profile for protocol HTTP.

  2. Specify the IP address of the proxy server.

  3. Specify the port number used by the proxy server.

  4. Download the application package from the proxy host.

Step-by-Step Procedure

You can disable the proxy server for downloading application signature package when not required.

  • Disable the proxy server for application signature download.

Requirements

This example uses the following hardware and software components:

  • Valid application identification feature license installed on an SRX Series Firewall.

  • SRX Series Firewall with Junos OS Release 18.3R1 or later. This configuration example is tested for Junos OS Release 18.3R1.

Overview

You must download the application signature package, which is hosted on an external server, and install it on the SRX Series Firewall. Starting from Junos OS Release 18.3R1, you can download the application signature package through a proxy server.

To enable downloading signature package from the proxy server:

  1. Configure a profile with host and port details of the proxy server using the set services proxy profile command.

  2. Use the set services application-identification download proxy-profile profile-name command to connect to the proxy server and download the application signature package.

When you download the signature package, the request is routed through the proxy host to the actual server hosting the signature package. The proxy host relays the response back from the actual host. The download retrieves the application package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.

Note:

Support for the proxy profile configuration is available for only HTTP connections.

In this example, you create a proxy profile and reference that profile when you download the application signature package from the external host. Table 1 lists the parameters used in this example.

Table 1: Proxy Profile Configuration Parameters

    Parameter                          Value
    Profile name                       Profile-1
    IP address of the proxy server     5.0.0.1
    Port number of the proxy server    3128
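The following CLI session ties the procedure above to the values in Table 1. It is an added illustration, not a transcript from the original page: the proxy profile name, address and port come from Table 1, the statement forms follow the set services proxy profile and set services application-identification download proxy-profile commands named in the overview, and the delete statement used to disable the proxy is assumed to be the inverse of that set statement. Lines beginning with # are annotations, not commands.

```junos
# Configuration mode: define an HTTP proxy profile (values from Table 1)
[edit]
user@host# set services proxy profile Profile-1 protocol http host 5.0.0.1
user@host# set services proxy profile Profile-1 protocol http port 3128

# Bind the profile to application signature downloads and commit
user@host# set services application-identification download proxy-profile Profile-1
user@host# commit

# Operational mode: fetch the package through the proxy, then check progress
user@host> request services application-identification download
user@host> request services application-identification download status

# Confirm that the Proxy Profile and Proxy Address fields show the profile
user@host> show services application-identification status

# When the proxy is no longer needed, remove the binding (assumed inverse of the set statement)
[edit]
user@host# delete services application-identification download proxy-profile
user@host# commit
```

Because the proxy profile supports only HTTP connections, the proxy host sees the download request in the clear; keep the proxy on a trusted management network and check the Proxy Address field in show services application-identification status after each change so that a typo in the profile does not silently send the request elsewhere.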

Verification

Verifying Application Signature Download Through the Proxy Server

Purpose

Display the details for the application signature package download through a proxy server.

Action

From operational mode, enter the show services application-identification status command.

Meaning

In the command output, you can find the proxy profile details in Proxy Profile and Proxy Address fields.

Verifying Application Signature Download Status

Purpose

Check the application package download status.

Action

From operational mode, enter the request services application-identification download status command.

Meaning

The command displays the application signature package download status.

Example: Scheduling the Application Signature Package Updates

This example shows how to set up automatic updates of the predefined application signature package.

Requirements

Before you begin:

  • Ensure that your security device has a connection to the Internet to download security package updates.

    Note:

    DNS must be set up because you need to resolve the name of the update server.

  • Ensure that you have installed the application identification feature license.

Overview

In this example, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.

Configuration

Procedure

GUI Quick Configuration

To set up the automatic download and periodic update with the J-Web interface:

Step-by-Step Procedure

  1. Enter Configure>Security>AppSecure Settings to display the Applications Signature page.

  2. Click Global Settings.

  3. Click the Download Scheduler tab, and modify the following fields:

    • URL: https://signatures.juniper.net/cgi-bin/index.cgi

    • Enable Schedule Update: Select the check box.

    • Interval: 48

  4. Click Reset Setting to clear the existing start time, enter the new start time in YYYY-MM-DD.hh:mm format, and click OK.

    • Start Time: 2019-06-30.10:00:00

  5. Click Commit Options>Commit to commit your changes.

  6. Click Check Status to monitor the progress of an active download or update, or to check the outcome of the latest update.

Step-by-Step Procedure

To use the CLI to automatically update the Junos OS application signature package:

  1. Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:

  2. Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 10 am on December 10:

  3. If you are done configuring the device, commit the configuration.
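The three CLI steps above, written out as one configuration session. This is an added example rather than the page's own statements: the URL is the one named in step 1, the 48-hour interval is from step 2, the start time reuses the 2019-06-30.10:00:00 value from the J-Web procedure (the CLI text gives only "10 am on December 10", so the exact date is an assumption), and the download url and download automatic statement names are assumed to match the options the page refers to.

```junos
# Configuration mode: point scheduled downloads at the signature server
[edit]
user@host# set services application-identification download url https://signatures.juniper.net/cgi-bin/index.cgi

# Schedule the first download and repeat every 48 hours (start time assumed from the J-Web example)
user@host# set services application-identification download automatic start-time 2019-06-30.10:00:00 interval 48

# Review the candidate configuration, then commit
user@host# show services application-identification download
user@host# commit

# Operational mode: after the scheduled run, confirm the installed version changed
user@host> show services application-identification version
user@host> request services application-identification download status
```

Record the version number reported by show services application-identification version before the first scheduled run; comparing it after the run is the quickest way to tell a schedule that never fires from one that fires but fails to install.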

Verification

To verify that the application signature package is being updated properly, enter the show services application-identification version command. Review the version number and details for the latest update.

Scheduling the Application Signature Package Updates As Part of the IDP Security Package

The configuration instructions in this example describe how to set up automatic updates of the application identification signature package (part of the IDP security package) at a specified date and time.

Requirements

Before you begin:

  • Ensure that your security device has a connection to the Internet to download security package updates.

    Note:

    DNS must be set up because you need to resolve the name of the update server.

  • Ensure that you have installed the application identification feature license.

Overview

In this example, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.

Configuration

Procedure

GUI Quick Configuration

To set up the automatic download and periodic update with the J-Web interface:

Step-by-Step Procedure

  1. Enter Configure>Security>IDP>Signature Updates to display the Security IDP Signature Configuration page.

  2. Click Download Settings and modify the URL: https://signatures.juniper.net/cgi-bin/index.cgi

  3. Click the Auto Download Settings tab, and modify the following fields:

    • Interval: 48

    • Start Time: 2013-12-10.23:59:55

    • Enable Schedule Update: Select the check box.

  4. Click Reset Setting to clear the existing fields, enter the new values. Click OK.

  5. Click Commit Options>Commit to commit your changes.

  6. Click Check Status to monitor the progress of an active download or update, or to check the outcome of the latest update.

Step-by-Step Procedure

To use the CLI to automatically update the Junos OS application signature package:

  1. Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:

  2. Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 11:55 pm on December 10, 2013:

  3. Enable an automatic download and update of the security package.

  4. If you are done configuring the device, commit the configuration.
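The four CLI steps above as one session under the security idp security-package hierarchy. This is an added example, not the page's own statements: the URL is the one named in step 1, the 48-hour interval and the 2013-12-10.23:59:55 start time are taken from the J-Web fields in this section, and the url, automatic start-time, automatic interval and automatic enable statement names are assumed to correspond to steps 1 through 3.

```junos
# Configuration mode: URL for the IDP security package (which carries the AppID package)
[edit]
user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi

# Schedule: first run at 23:59:55 on 10 December 2013, then every 48 hours
user@host# set security idp security-package automatic start-time 2013-12-10.23:59:55 interval 48

# Turn the schedule on; without this statement the interval and start time are inert
user@host# set security idp security-package automatic enable

user@host# commit

# Operational mode: watch the combined IDP + AppID download, then verify both versions
user@host> request security idp security-package download status
user@host> show services application-identification version
```

Because a single IDP download carries both packages, a failed AppID installation can leave IDP and AppID at different versions (see Application Signature Package Rollback below); checking the AppID version separately after each scheduled run catches that case.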

Verification

Confirm that the application signature package is being updated properly.

Verifying application signature package

Purpose

Verify services application identification version

Action

From operational mode, enter the show services application-identification version command.

Meaning

The sample output shows that the services application identification version is 1884.

Example: Downloading and Installing the Application Identification Package in Chassis Cluster Mode

This example shows how to download and install the application signature package database to a device operating in chassis cluster mode.

Downloading and Installing the Application Identification Package

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.

To download and install an application package:

  1. Download the application package on the primary node.

    {primary:node0}[edit]

    user@host> request services application-identification download

  2. Check the application package download status.

    {primary:node0}[edit]

    user@host> request services application-identification download status

    On a successful download, the following message is displayed:

    The application package is installed in the application signature database on the primary node, and application identification files are synchronized on the primary and secondary nodes.

  3. Update the application package using install command.

    {primary:node0}[edit]

    user@host> request services application-identification install

  4. Check the application package update status. The command output displays information about the downloaded and installed versions of the application package.

    {primary:node0}[edit]

    user@host> request services application-identification install status

    Note:

    It is possible that an application signature is removed from the new version of an application signature database. If this signature is used in an existing application firewall policy on your device, the installation of the new database will fail. An installation status message identifies the signature that is no longer valid. To update the database successfully, remove all references to the deleted signature from your existing policies and groups, and rerun the install command.

    Note:

    While the application signature package is being downloaded on the primary node, an unexpected failover can sometimes prevent the primary node from downloading the package completely. As a workaround, delete the file /var/db/appid/sec-download/.apppack_state and restart the device.

Step-by-Step Procedure

To uninstall an application package:

  1. Uninstall the application package using uninstall command.

    {primary:node0}[edit]

    user@host> request services application-identification uninstall

  2. Check the uninstall status of the application package.

    {primary:node0}[edit]

    user@host> request services application-identification uninstall status

  3. Check the uninstall status of protocol bundle:

Requirements

Before you begin:

Overview

If you use application identification, you can download the predefined application signature package database. Juniper Networks regularly updates the database and makes it available on the Juniper Networks website. This package includes application objects that can be used to match traffic in IDP, application firewall policies, and application tracking. For more details, see Understanding the Junos OS Application Package Installation.

When you download the application identification security package on a device operating in chassis cluster mode, the security package is downloaded to the primary node and then synchronized to the secondary node.

Verifying the Junos OS Application Identification Extracted Application Package

Purpose

After successful download and installation of the application package, use the following commands to view the predefined application signature package content.

Action

  • View the current version of the application package:

  • View the current status of the application package:

Uninstalling the Junos OS Application Identification Application Package

You can uninstall the predefined application package. The uninstall operation fails if any active security policy in the Junos OS configuration references the predefined application signatures.

To uninstall application package:

  1. Uninstall the application package:

  2. Check the uninstall operation status of the application package. The command output displays information about the uninstall status of the application package and protocol bundle.

    • Check the uninstall status:

    • Check the uninstall status of protocol bundle:

The application package and protocol bundle are uninstalled from the device. To reinstall application identification, download the application package and install it again.

Application Signature Package Rollback

Starting in Junos OS Release 20.3R1, you can roll back the current version of the application signature package to the previous version by one of the following methods:

  • Automatic Rollback

  • Manual Rollback

Automatic Rollback

In case of application signature package installation failure, the system automatically rolls back to the previous version of the application signature package that is currently installed on your security device.

When you download and install the application signature package on a device operating in chassis cluster mode, if the installation fails on a node, the system rolls back to the previous version of the application signature. The device displays a minor alarm on the same node where installation fails and rollback succeeds.

Example:

Check application signature package rollback status when installation failed and the rollback completes successfully.

Manual Rollback

You can manually roll back the application signature package to the previously installed version using the following steps:

  1. Roll back the application signature package to the previous version.

  2. Check the rollback status.

Note the following for manual rollback of the application signature package:

  • Once you manually roll back the application signature package from version Y to version X, the scheduled auto-update of the application signature package is skipped until a new version Z, higher than version Y, is available.

  • You can download and install application signatures through intrusion detection and prevention (IDP) security packages. In this case, if the AppID installation fails during the IDP install, AppID rolls back to the previous version and the IDP installation continues with the requested version. In such cases, IDP and AppID might have different versions.

  • Application signature package installation does not proceed if the downloaded signature package files have been corrupted, deleted, or modified. In such cases, the following message is displayed:

  • When your security device does not hold any previous version of the application signature package and you attempt to roll back, the device displays the following error message:

Grouping Newly Added Application Signatures

Starting in Junos OS Release 21.1R1, the application signature package groups all newly added application signatures under the junos:all-new-apps group. When you download the application signature package on your security device, the entire predefined application group is downloaded and available for you to configure in a security policy, as shown in the example below:

We've also introduced a list of application tags in the application signature package. You can group similar applications based on these predefined tags, which are derived from application attributes. By doing so, you can consistently reuse the application groups when you define security policies.

Example

In the above example, you configure a tag-based application group with the tags remote-access and web, and another tag-based group with the tag social_networking. All applications tagged with either web or remote-access, and all applications tagged with social_networking, are added to the respective application group.

Grouping similar applications based on tags helps you to consistently reuse the application groups when defining security policies.

Migration of New Applications to Normal Applications:

The junos:all-new-apps group contains a set of all new applications in the installed application signature pack on your security device compared to previously installed signature pack. If you decide to install a newer version of the application signature package, that version will contain a new set of applications in the junos:all-new-apps group.

You can choose to migrate the new applications to normal applications in your existing application signature package. This migration helps you to consistently maintain rules in the security policy that were created specifically for the new applications whenever you upgrade to newer application signature versions in the future.

You can use the following new commands to move the applications tagged as new applications to normal applications:

  • To migrate only specified new applications as normal application, use the following command:

  • To migrate all new applications as normal applications, use the following command:

After you run these commands, the applications are no longer tagged as new and are no longer part of the junos:all-new-apps group.

Application Signatures Package Enhancements

Starting in Junos OS Release 21.1R1, we've introduced the following enhancements to the application signature package:

Note:

When you upgrade to Junos OS Release 21.1 or later from Junos OS Release 20.4 or earlier, we recommend that you update the application identification signature database by using the request services application-identification download and request services application-identification install commands.

Release History Table

    Release        Description
    20.4R1         Starting in Junos OS Release 20.4R1, system log messages are updated to display the application signature package download and installation results.
    20.3R1         Starting in Junos OS Release 20.3R1, you can roll back the current version of the application signature package to the previous version.
    15.1X49-D65    Starting from 15.1X49-D65 and Junos OS Release 17.3R1, on SRX4100 and SRX4200 devices, AppSecure is part of the Junos Software Enhanced (JSE) license package.
    15.1X49-D40    Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX300, SRX320, SRX340, and SRX345 devices, AppSecure is part of the Junos Software Enhanced (JSE) software license package.
    15.1X49-D30    Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX1500 devices, AppSecure is part of the Junos Software Enhanced (JSE) software license package.
    12.1X47-D10    Starting from Junos OS Release 12.1X47-D10, next-generation application identification is supported.