Adding Application Signatures

You can add custom application signatures for applications that are not part of the Juniper Networks predefined application database. When you add custom application signatures, make sure that your application signatures are unique, by providing a unique and relevant name.

You can add custom application signatures by specifying a name, protocol, port number where the application runs, and match criteria.

Procedure

To create a custom application signature:

  1. Select Configuration > Shared Objects > Application Signatures.
  2. Click Create > Signature.
  3. Complete the configuration according to the guidelines provided in Table 81.
  4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.

A new application signature with your configurations is created. You use this application signature while creating SD-WAN policy intents.

Table 81 provides guidelines on using the fields on the Create Application Signature page.

Table 81: Fields on the Create Application Signature Page

Name

Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

Description

Enter a description for the application signature.

Order

Enter the order for the custom application signature. A lower order value has higher priority. This option is used when multiple custom application signatures of the same type match the same traffic. However, you cannot use this option to prioritize among different types of applications, such as TCP stream-based applications against TCP port-based applications, or IP address-based applications against port-based applications.

Range is 1-50000.

Priority

Specify the application signature priority (high or low) over other application signatures.

Select one or more Application Identification match criteria

Select one or more applications matching criteria from the following list:

  • ICMP Mapping

  • IP Protocol Mapping

  • Address Mapping

  • L7 Signature

ICMP Mapping

Specify the Internet Control Message Protocol (ICMP) value for an application while configuring custom application signatures for application identification.

The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. The ICMP code and type provide additional specification for packet matching in an application definition.

ICMP Type

Enter an ICMP value for the application. The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name.

Range is 0-254.

ICMP Code

Enter an ICMP code for the application. The field provides further information (such as RFCs) about the ICMP type field.

Range is 0-254.

IP Protocol Mapping

Specify the IP protocol value for an application to match. This parameter is used to identify an application based on IP and is intended only for IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers.

IP Protocol

Enter an IP Protocol number for the application. Standard IP protocol numbers map an application to IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers.

Range is 0-254.

You can find a complete list of industry standard protocol numbers at the IANA website.

Note: You cannot use IP protocol numbers 1 (ICMP), 6 (TCP), and 17 (UDP) for custom application signature creation. Instead, we recommend that you use L7 signature policies for these protocols.

Address Mapping

Layer 3 and Layer 4 address mapping defines an application by matching the destination IP address or port range (optional) of the traffic. Use the address mapping option to configure custom application signatures when the configuration of your private network predicts application traffic to or from trusted servers.

Address mapping provides efficiency and accuracy while handling traffic from a known application.

Note:

  • You must specify either IP address or TCP/UDP port range for address mapping.

  • If both IP address and TCP/UDP ports are configured, both should match destination tuples (IP address and port range) of the packet.

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Dst. IP Address

Enter an IPv4 or IPv6 address for the application.

CIDR

Enter a CIDR value for the IP Address that you assign to the application.

Range for IPv4 address is 1-32.

Range for IPv6 address is 1-128.

Dst. TCP Port range (Optional)

Enter a space-separated list of ports or port ranges to match a TCP destination port for Layer 3 and Layer 4 address-based custom applications.

The range is 0-65535.

Example: 80-82 443.

Dst. UDP port range (Optional)

Enter a space-separated list of ports or port ranges to match a UDP destination port for Layer 3 and Layer 4 address-based custom applications. The range is 0-65535.

Example: 160-162 260.
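The field guidelines for Order, IP Protocol Mapping and Address Mapping above describe matching rules without showing them in action. The following Python model is an added example written for this page; it is not Juniper code and does not reflect how the device implements these checks. It enforces the stated constraints (name syntax, order 1-50000, CIDR 1-32 or 1-128, ports 0-65535, the reserved IP protocols 1, 6 and 17, and the rule that an address mapping needs an IP or a port range and that both must match when both are configured), and picks the lowest-order match among signatures of one type. The Packet class, the sample mappings and the assumption that an address-only mapping matches any protocol are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,63}$")          # name rule from the field guidelines
RESERVED_IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # L7 signatures must be used instead

def check_name(name: str) -> None:
    if not NAME_RE.match(name):
        raise ValueError(f"invalid signature name: {name!r}")

def check_range(value: int, lo: int, hi: int, what: str) -> int:
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} is outside {lo}-{hi}")
    return value

def parse_port_list(text: str) -> list[tuple[int, int]]:
    """Parse the space-separated 'ports or port ranges' syntax, e.g. '80-82 443'."""
    ranges = []
    for token in text.split():
        lo_s, _, hi_s = token.partition("-")
        lo = check_range(int(lo_s), 0, 65535, "port")
        hi = check_range(int(hi_s), lo, 65535, "port") if hi_s else lo
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("port list is empty")
    return ranges

@dataclass
class Packet:             # destination tuple a mapping is evaluated against (constructed)
    dst_ip: str
    proto: int            # IP protocol number: 1 ICMP, 6 TCP, 17 UDP, ...
    dst_port: int = 0     # TCP/UDP destination port

@dataclass
class AddressMapping:
    name: str
    order: int                        # 1-50000; a lower value wins among the same type
    dst_ip: Optional[str] = None      # destination address with CIDR prefix, e.g. "10.1.2.0/24"
    tcp_ports: Optional[str] = None   # e.g. "80-82 443"
    udp_ports: Optional[str] = None   # e.g. "160-162 260"

    def __post_init__(self):
        check_name(self.name)
        check_range(self.order, 1, 50000, "order")
        if self.dst_ip is None and self.tcp_ports is None and self.udp_ports is None:
            raise ValueError("address mapping needs a destination IP or a TCP/UDP port range")
        self.net = ipaddress.ip_network(self.dst_ip, strict=False) if self.dst_ip else None
        if self.net is not None:      # CIDR must be 1-32 (IPv4) or 1-128 (IPv6)
            check_range(self.net.prefixlen, 1, self.net.max_prefixlen, "CIDR prefix")
        self.tcp = parse_port_list(self.tcp_ports) if self.tcp_ports else None
        self.udp = parse_port_list(self.udp_ports) if self.udp_ports else None

    def matches(self, pkt: Packet) -> bool:
        # When both the address and a port range are configured, both must match.
        if self.net is not None and ipaddress.ip_address(pkt.dst_ip) not in self.net:
            return False
        if self.tcp is None and self.udp is None:
            return True               # address-only mapping (assumed to match any protocol)
        ranges = {6: self.tcp, 17: self.udp}.get(pkt.proto)
        return ranges is not None and any(lo <= pkt.dst_port <= hi for lo, hi in ranges)

@dataclass
class IpProtocolMapping:
    name: str
    order: int
    protocol: int                     # 0-254, but never 1, 6 or 17

    def __post_init__(self):
        check_name(self.name)
        check_range(self.order, 1, 50000, "order")
        check_range(self.protocol, 0, 254, "IP protocol")
        if self.protocol in RESERVED_IP_PROTOCOLS:
            raise ValueError(f"protocol {self.protocol} ({RESERVED_IP_PROTOCOLS[self.protocol]}) "
                             "cannot be used in IP protocol mapping; use an L7 signature")

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.protocol

def identify(signatures, pkt: Packet) -> Optional[str]:
    """Return the matching signature with the lowest order value (highest priority)."""
    # Order only ranks signatures of one mapping type, so a mixed list is rejected.
    if len({type(s) for s in signatures}) > 1:
        raise ValueError("order is only comparable among signatures of the same type")
    hits = [s for s in signatures if s.matches(pkt)]
    return min(hits, key=lambda s: s.order).name if hits else None

SAMPLE_MAPPINGS = [   # constructed sample address mappings
    AddressMapping("intranet-web", order=20, dst_ip="10.1.2.0/24", tcp_ports="80-82 443"),
    AddressMapping("intranet-any", order=30, dst_ip="10.1.2.0/24"),
    AddressMapping("mgmt-snmp", order=10, udp_ports="160-162 260"),
]

if __name__ == "__main__":
    print(identify(SAMPLE_MAPPINGS, Packet("10.1.2.7", proto=6, dst_port=443)))   # intranet-web
    print(identify(SAMPLE_MAPPINGS, Packet("10.1.2.7", proto=17, dst_port=161)))  # mgmt-snmp
```

The two overlapping intranet mappings show why Order matters: a TCP/443 packet to 10.1.2.7 matches both, and the lower order value (20) wins, while the same host on an unlisted port falls through to the address-only mapping. Keeping address mappings scoped to known servers, as the guidelines advise, limits how much traffic such a broad fallback can claim.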

L7 Signature

Specify the Layer 7-based custom application signatures that are required to identify the multiple applications running on the same L7 protocols.

Cacheable

Select True to enable caching of application identification results on the device.

Set this option to True only when L7 signatures are configured alone in a custom signature. This option is not supported for address-based, IP protocol-based, and ICMP-based custom application signatures.

Name

Displays the name of the L7 signature.

Port range

Displays the port range for the application.

Over Protocol

Displays the L7 application protocol that matches the signature.

Members

Displays the member name for L7 signature.

Add L7 Signature

Configure a custom signature based on L7 applications. You create Layer 7-based custom application signatures for the identification of multiple applications running on the same L7 protocols. For example, applications such as Facebook and Yahoo Messenger can both run over HTTP, but there is a need to identify them as two different applications running on the same Layer 7 protocol.

Over Protocol

Displays the signature to match the application protocol.

Example: HTTP.

Signature Name

Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

Port Range

Enter the port range for the application.

Range is 0-65535.

Example: 80-82,443

Member No.

Enter the member name for a custom application signature. Custom signatures can contain multiple members that define attributes for an application. (The supported member name range is m01-m15.)

Direction

Select the direction of the packet flow to which the signature must be matched.

  • any—The direction of packet flow can either be from client-side to server-side or from server-side to client-side.

  • client-to-server—The direction of packet flow is from client-side to server-side.

  • server-to-client—The direction of packet flow is from server-side to client-side.

Pattern

Enter the deterministic finite automaton (DFA) pattern matched on the context. The DFA pattern specifies the pattern to be matched for the signature. Maximum length is 128.

Context (Over HTTP)

Select the service-specific context from the following list:

  • http-get-url-parsed-param-parsed

  • http-header-content-type

  • http-header-cookie

  • http-header-host

  • http-header-user-agent

  • http-post-url-parsed-param-parsed

  • http-post-variable-parsed

  • http-url-parsed

  • http-url-parsed-param-parsed

For possible combinations of context and direction for L7 application creation, refer to Context (Application Identification).

Context (Over SSL)

Select the service-specific context as ssl-server-name.

Context (Over TCP)

Select the service-specific context as stream.

Context (Over UDP)

Select the service-specific context as stream.
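The Add L7 Signature fields above (member name, direction, pattern, context) are easiest to understand when applied to an actual request, in the spirit of the two-applications-over-HTTP example given for the feature. The following Python model is an added example for this page, not Juniper code: it validates the member constraints (m01-m15, a known direction, a pattern of at most 128 characters), extracts the HTTP contexts named above from a constructed client request with a minimal parser written for the example, and reports which signatures match. A Python regular expression stands in for the DFA pattern language, the rule that all members of a signature must match is an assumption, the sample signatures and request are constructed, and only the Over HTTP contexts are modeled (not ssl-server-name or the TCP/UDP stream context).

```python
import re
from dataclasses import dataclass

DIRECTIONS = {"any", "client-to-server", "server-to-client"}
HTTP_CONTEXTS = {"http-header-host", "http-header-user-agent", "http-header-cookie",
                 "http-header-content-type", "http-url-parsed"}
MEMBER_RE = re.compile(r"^m(0[1-9]|1[0-5])$")   # supported member names m01-m15

@dataclass
class Member:
    member: str                 # m01..m15
    context: str                # one of the HTTP contexts above
    pattern: str                # stands in for the DFA pattern; a Python regex here (assumption)
    direction: str = "any"

    def __post_init__(self):
        if not MEMBER_RE.match(self.member):
            raise ValueError(f"member name {self.member!r} is outside m01-m15")
        if self.context not in HTTP_CONTEXTS:
            raise ValueError(f"unsupported HTTP context {self.context!r}")
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction {self.direction!r}")
        if len(self.pattern) > 128:
            raise ValueError("pattern exceeds the 128-character maximum")
        self.regex = re.compile(self.pattern)

    def matches(self, contexts: dict[str, str], direction: str) -> bool:
        if self.direction != "any" and self.direction != direction:
            return False
        value = contexts.get(self.context)
        return value is not None and self.regex.search(value) is not None

@dataclass
class L7Signature:
    name: str
    over: str                   # L7 protocol the signature runs over, e.g. "HTTP"
    members: list[Member]
    cacheable: bool = False     # only valid when the custom signature holds L7 members alone

    def matches(self, contexts: dict[str, str], direction: str) -> bool:
        # All members must match for the signature to match (assumption for this example).
        return all(m.matches(contexts, direction) for m in self.members)

HEADER_CONTEXTS = {"host": "http-header-host", "user-agent": "http-header-user-agent",
                   "cookie": "http-header-cookie", "content-type": "http-header-content-type"}

def http_contexts(raw: bytes) -> dict[str, str]:
    """Extract the HTTP contexts from a client request (minimal parser written for this example)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    contexts = {"http-url-parsed": path}
    for line in header_lines:
        name, _, value = line.partition(":")
        context = HEADER_CONTEXTS.get(name.strip().lower())
        if context:
            contexts[context] = value.strip()
    return contexts

def identify_l7(signatures, contexts: dict[str, str], direction: str) -> list[str]:
    """Names of the HTTP signatures whose members all match the extracted contexts."""
    return [s.name for s in signatures if s.over == "HTTP" and s.matches(contexts, direction)]

SAMPLE_SIGNATURES = [   # constructed: two applications that both run over HTTP
    L7Signature("example-messenger", "HTTP", [
        Member("m01", "http-header-host", r"\.example\.com$", "client-to-server"),
        Member("m02", "http-url-parsed", r"^/chat/", "client-to-server"),
    ], cacheable=True),
    L7Signature("example-social", "HTTP", [
        Member("m01", "http-header-host", r"^social\.example\.net$", "client-to-server"),
    ]),
]

SAMPLE_REQUEST = (   # constructed sample client request
    b"GET /chat/v1/session?user=a HTTP/1.1\r\n"
    b"Host: messenger.example.com\r\n"
    b"User-Agent: ExampleMessenger/2.0\r\n"
    b"Cookie: sid=123\r\n\r\n"
)

if __name__ == "__main__":
    print(identify_l7(SAMPLE_SIGNATURES, http_contexts(SAMPLE_REQUEST), "client-to-server"))
```

Anchoring the host pattern to the end of the value (`$`) is the practical point: a host match of the form `example\.com` alone would also accept an unrelated host name that merely contains that text, which is how a loose L7 signature ends up classifying traffic it was never meant to cover. Combining a host member with a URL member, as the first signature does, is what tells two applications on the same L7 protocol apart.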
