
    Troubleshooting Application Identification

    Problem

    If you encounter issues with the application identification feature, you might want to change the default behavior. The following features are enabled by default:

    • Application identification
    • Application identification of extended applications
    • Caching of application identification matches
    • Caching of extended application identification matches

    For normal use, we recommend that you maintain these defaults.

    Solution

    During experimentation and troubleshooting, you might do the following:

    • View details of the application signatures that are relevant to the current policy. The application signatures are relevant if the application is specified or implicated by IDP rulebase or APE rulebase rules.
    • View the list of cached application signatures. The application identification feature caches the signatures it has detected.
    • Clear the application signature or nested application signature cache.
    • Disable application identification or the application identification cache.

    To display the application signatures and nested application signatures that are relevant to the current policy:

    1. Log in to the CLI as admin and enter su - to switch to root.
    2. Enter the following command to display a list of relevant application signatures:

      [root@defaulthost ~]# scio app sig list
      Application signatures: total 165 show 165
      APPLICATIONID:ARES, index 0, service 77, mindata 7, order 61, tcp 0-65535, no udp
      APPLICATIONID:ICCP, index 1, service 106, mindata 2, order 147, tcp 102-102, no udp
      APPLICATIONID:HALF-LIFE, index 2, service 113, mindata 4, order 127, no tcp, udp 1024-65535
      APPLICATIONID:ICQ, index 3, service 172, mindata 10, order 22, tcp 0-65535, no udp
      APPLICATIONID:PPTP, index 4, service 128, mindata 11, order 173, tcp 1723-1723, no udp
      APPLICATIONID:X11, index 5, service 144, mindata 6, order 85, tcp 0-65535, no udp
      APPLICATIONID:GNUCLEUSLAN-CONNECT, index 6, service 151, mindata 16, order 40, tcp 0-65535, no udp
      APPLICATIONID:VMWARE-WEBUI, index 7, service 96, mindata 180, order 183, tcp 8333-8333, no udp
      APPLICATIONID:FREECAST, index 8, service 81, mindata 50, order 142, no tcp, udp 0-65535
      APPLICATIONID:MSRPC, index 9, service 55, mindata 20, order 42, tcp 135-135 137-139 445-445 1024-65535, udp 135-135 137-139 445-445 1024-65535
      APPLICATIONID:MSN, index 10, service 41, mindata 20, order 107, tcp 0-65535, no udp
      APPLICATIONID:DRDA, index 11, service 121, mindata 20, order 52, tcp 0-65535, no udp
      APPLICATIONID:GNUTELLA-URN-DOWNLOAD, index 12, service 131, mindata 26, order 133, tcp 0-65535, no udp
      APPLICATIONID:GNUTELLA-FIREWALLED, index 13, service 86, mindata 70, order 34, tcp 0-65535, no udp
      APPLICATIONID:IRC, index 14, service 32, mindata 32, order 46, tcp 0-65535, no udp
      APPLICATIONID:QQ, index 15, service 125, mindata 3, order 105, tcp 80-80 443-443, udp 0-65535
      APPLICATIONID:LOTUSNOTES, index 16, service 135, mindata 21, order 134, tcp 0-65535, no udp
      
    3. Enter the following command to display a list of relevant nested application signatures:

      [root@defaulthost ~]# scio napp sig list
      Nested Application signatures: total 551 show 551
      NESTEDAPPLICATION:PRICELINE, HTTP, index 0, nested service 1, max_trans 1, order 33249, appl_id 794, n_members 1
      NESTEDAPPLICATION:ICAST, HTTP, index 1, nested service 2, max_trans 1, order 33118, appl_id 555, n_members 2
      NESTEDAPPLICATION:GOOGLE-TRANSLATE, HTTP, index 2, nested service 3, max_trans 1, order 32991, appl_id 467, n_members 1
      NESTEDAPPLICATION:EBUDDY, HTTP, index 3, nested service 4, max_trans 1, order 32906, appl_id 278, n_members 1
      NESTEDAPPLICATION:TOPFRIENDS, HTTP, index 4, nested service 5, max_trans 1, order 33299, appl_id 723, n_members 2
      NESTEDAPPLICATION:MYSPACE-GUARDIAN-ANGELS, HTTP, index 5, nested service 6, max_trans 1, order 33169, appl_id 619, n_members 2
      NESTEDAPPLICATION:ALLMUSIC-LOOKUP, HTTP, index 6, nested service 7, max_trans 1, order 33043, appl_id 530, n_members 2
      NESTEDAPPLICATION:HOTMAIL, HTTP, index 7, nested service 8, max_trans 1, order 32832, appl_id 383, n_members 1
      NESTEDAPPLICATION:RAGINGBULL-POST, HTTP, index 8, nested service 9, max_trans 1, order 32963, appl_id 354, n_members 2
      NESTEDAPPLICATION:FACEBOOK-VISUALBOOKSHELF, HTTP, index 9, nested service 10, max_trans 1, order 33227, appl_id 602, n_members 2
      NESTEDAPPLICATION:TRIPADVISOR, HTTP, index 10, nested service 11, max_trans 1, order 33099, appl_id 579, n_members 1
      NESTEDAPPLICATION:SPANKWIRE, HTTP, index 11, nested service 12, max_trans 1, order 32816, appl_id 505, n_members 1
      NESTEDAPPLICATION:THECIRCLE, HTTP, index 12, nested service 13, max_trans 1, order 32888, appl_id 261, n_members 1
      
      ...
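
    When a flow is identified as an unexpected application, it helps to know which signatures are eligible on that protocol and port. The following is an added example, not part of the original guide or the product: sigs_for_port and sample_sig_list are hypothetical helper names, and the sample lines are copied from the listing above. On the appliance, the output of scio app sig list can be piped into the function instead.

```shell
#!/bin/sh
# Added example: filter `scio app sig list` output by protocol and port.
# sigs_for_port and sample_sig_list are hypothetical names, not scio features.

# Reads a signature listing on stdin and prints every signature whose
# port ranges for the given protocol include the given port.
#   $1 = tcp | udp     $2 = port number
sigs_for_port() {
    awk -v proto="$1" -v port="$2" -F', ' '
        /^[ \t]*APPLICATIONID:/ {
            name = $1
            sub(/^[ \t]*APPLICATIONID:/, "", name)
            md = ""; ordv = ""
            for (i = 2; i <= NF; i++) {
                n = split($i, tok, " ")
                if (tok[1] == "mindata") md = tok[2]
                if (tok[1] == "order")   ordv = tok[2]
                # Port fields look like "tcp 135-135 137-139" or "no udp";
                # "no udp" never matches because its first token is "no".
                if (tok[1] != proto) continue
                for (j = 2; j <= n; j++) {
                    split(tok[j], r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                        print name " mindata=" md " order=" ordv
                        break
                    }
                }
            }
        }'
}

# Sample input: lines copied from the listing shown above.
sample_sig_list() {
    cat <<'EOF'
Application signatures: total 165 show 165
APPLICATIONID:ARES, index 0, service 77, mindata 7, order 61, tcp 0-65535, no udp
APPLICATIONID:ICCP, index 1, service 106, mindata 2, order 147, tcp 102-102, no udp
APPLICATIONID:HALF-LIFE, index 2, service 113, mindata 4, order 127, no tcp, udp 1024-65535
APPLICATIONID:PPTP, index 4, service 128, mindata 11, order 173, tcp 1723-1723, no udp
APPLICATIONID:MSRPC, index 9, service 55, mindata 20, order 42, tcp 135-135 137-139 445-445 1024-65535, udp 135-135 137-139 445-445 1024-65535
APPLICATIONID:QQ, index 15, service 125, mindata 3, order 105, tcp 80-80 443-443, udp 0-65535
EOF
}

# Which of the sample signatures are eligible for TCP port 445?
sample_sig_list | sigs_for_port tcp 445
```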
      

    To display the application signature and the nested application signature cache:

    1. Log in to the CLI as admin and enter su - to switch to root.
    2. Enter the following command to display the application signature cache:

      [root@defaulthost ~]# scio app cache list
      Application system cache: total 3 show 3
      Index   VLAN    IP              Port    Proto   Application
      0       0       9.0.0.101       21      6       FTP
      1       0       8.0.0.101       21      6       FTP
      2       0       8.0.0.1         22      6       SSH
      
    3. Enter the following command to display the nested application signature cache:

      [root@defaulthost ~]# scio napp cache list
      Application system cache: total 3 show 3
      Index   VLAN    IP              Port    Proto   Application
      0       0       9.0.0.101       21      6       FTP
      1       0       8.0.0.101       21      6       FTP
      2       0       8.0.0.1         22      6       SSH
      

    To clear the application signature and the nested application signature cache:

    1. Log in to the CLI as admin and enter su - to switch to root.
    2. Enter the following command to clear the application signature cache:

      [root@defaulthost ~]# scio app cache clear
    3. Enter the following command to clear the nested application signature cache:

      [root@defaulthost ~]# scio napp cache clear

    To disable application identification features:

    1. Log in to the CLI as admin and enter su - to switch to root.
    2. Enter the following command to disable application protocol identification:

      [root@defaulthost ~]# scio const set sc_ai_enable 0
    3. Enter the following command to disable extended application identification:

      [root@defaulthost ~]# scio const set sc_ai_ext_enable 0
    4. Enter the following command to disable caching of application protocol identification results:

      [root@defaulthost ~]# scio const set sc_asc_enable 0
    5. Enter the following command to disable caching of extended application protocol identification results:

      [root@defaulthost ~]# scio const set sc_ext_asc_enable 0

    Changes take effect immediately, but the settings do not persist across restarts and policy pushes.


    Published: 2011-02-08