Adding Application Signatures

You can add custom application signatures for applications that are not part of the Juniper Networks predefined application database. When you add custom application signatures, make sure that your application signatures are unique, by providing a unique and relevant name.

You can add custom application signatures by specifying a name, protocol, port number where the application runs, and match criteria.

Procedure

To create a custom application signature:

Select Configuration > Shared Objects > Application Signatures.
Click Create > Signature.
Complete the configuration according to the guidelines provided in Table 238.
Click OK to save the changes. If you want to discard your changes, click Cancel instead.

A new application signature with your configurations is created. You use this application signature while creating SD-WAN policy intents.

Table 238 provides guidelines on using the fields on the Create Application Signature page.

Table 238: Fields on the Create Application Signature Page

Field	Description
Name	Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.
Description	Enter a description for the application signature.
Order	Enter the order for the custom application signature. A lower order value has higher priority. This option is used when multiple custom application signatures of the same type match the same traffic. However, you cannot use this option to prioritize among different type of applications such as TCP stream-based applications against TCP port-based applications or IP address-based applications against port-based applications. Range is 1-50000.
Priority	Specify the application signature priority (high or low) over other application signatures.
Select one or more Application Identification match criteria	Select one or more applications matching criteria from the following list: ICMP Mapping IP Protocol Mapping Address Mapping L7 Signature
ICMP Mapping	Specify the Internet Control Message Protocol (ICMP) value for an application while configuring custom application signatures for application identification. The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. The ICMP code and type provide additional specification, for packet matching in an application definition.
ICMP Type	Enter an ICMP value for the application. The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. Range is 0-254.
ICMP Code	Enter an ICMP code for the application. The field provides further information (such as RFCs) about the ICMP type field. Range is 0-254.
IP Protocol Mapping	Specify the IP protocol value for an application to match. This parameter is used to identify an application based on IP and is intended only for IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers.
IP Protocol	Enter an IP Protocol number for the application. Standard IP protocol numbers map an application to IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers. Range is 0-254. You can find a complete list of industry standard protocol numbers at the IANA website. Note: You cannot use IP protocol numbers 1(ICMP), 6(TCP ) and 17(UDP) for custom application signature creation. Instead, we recommend you to use L7 signature policies for these protocols.
Address Mapping	Layer 3 and Layer 4 address mapping defines an application by matching the destination IP address or port range (optional) of the traffic. Use the address mapping option to configure custom applications signatures when the configuration of your private network predicts application traffic to or from trusted servers. Address mapping provides efficiency and accuracy while handling traffic from a known application. Note: You must specify either IP address or TCP/UDP port range for address mapping. If both IP address and TCP/UDP ports are configured, both should match destination tuples (IP address and port range) of the packet.
Name	Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.
Dst. IP Address	Enter an IPv4 or IPv6 address for the application.
CIDR	Enter a CIDR value for the IP Address that you assign to the application. Range for IPv4 address is 1-32. Range for IPv6 address is 1-128.
Dst. TCP Port range (Optional)	Enter space-separated list of ports or port ranges to match a TCP destination port for Layer 3 and Layer 4 address-based custom applications. The range is 0-65535. Example: 80-82 443.
Dst. UDP port range (Optional)	Enter space-separated list of ports or port ranges ranges to match an UDP destination port for Layer 3 and Layer 4 address-based custom applications. The range is 0-65535. Example: 160-162 260.
L7 Signature	Specify the Layer 7-based custom application signatures that are required to identify the multiple applications running on the same L7 protocols.
Cacheable	Select True to enable caching of application identification results on the device. Set this option to True only when L7 signatures are configured alone in a custom signature. This option is not supported for address-based, IP protocol-based, and ICMP-based custom application signatures.
Name	Displays the name of the L7 signature.
Port range	Displays the port range for the application.
Over Protocol	Displays the L7 application protocol that matches the signature..
Members	Displays the member name for L7 signature.
Add L7 SIgnature	Configure a custom signature based on L7 applications. You create Layer 7-based custom application signatures for the identification of multiple applications running on the same L7 protocols. For example, applications such as Facebook and Yahoo Messenger can both run over HTTP, but there is a need to identify them as two different applications running on the same Layer 7 protocol.
Over Protocol	Displays the signature to match the application protocol. Example: HTTP.
Signature Name	Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.
Port Range	Enter the port range for the application. Range is 0-65535 Example: 80-82,443
Member No.	Enter the member name for a custom application signature. Custom signatures can contain multiple members that define attributes for an application. (The supported member name range is m01—m15.)
Direction	Select the direction of the packet flow to which the signature must be matched. any—The direction of packet flow can either be from client-side to server-side or from server-side to client-side. client-to-server—The direction of packet flow is from client-side to server-side. server-to-client—The direction of packet flow is from server-side to client-side.
Pattern	Enter the deterministic finite automaton (DFA) pattern matched on the context. The DFA pattern specifies the pattern to be matched for the signature. Maximum length is 128.
Context (Over HTTP)	Select the service-specific context from the following list: http-get-url-parsed-param-parsed http-header-content-type http-header-cookie http-header-host http-header-user-agent http-post-url-parsed-param-parsed http-post-variable-parsed http-url-parsed http-url-parsed-param-parsed For possible combinations of context and direction for L7 application creation, refer context (Application Identification).
Context (Over SSL)	Select the service-specific context as ssl-server-name.
Context (Over TCP)	Select the service-specific context as stream.
Context (Over UDP)	Select the service-specific context as stream.

Adding Application Signatures

Procedure

Related Documentation

Help us to improve. Rate this article.