Example: Configuring a Custom Application Group for Junos OS Application Identification for Simplified Management

This example shows how to configure custom application groups for Junos OS application identification for consistent reuse when defining policies.

Requirements

Before you begin, install an entire signature database from an IDP or an application identification security package.

Overview

In this example, you define applications for an application group, delete an application from an application group, and include an application group within another application group.

In Junos OS, application identification allows you to group applications in policies. Applications can be grouped under predefined and custom application groups. The entire predefined application group can be downloaded as part of the IDP or application identification security package. You can create custom application groups with a set of similar applications for consistent reuse when defining policies.

Note: You cannot modify the applications defined in a predefined application group. However, you can copy a predefined application group using the operational command request services application-identification group group-name copy to create a custom application group and modify the list of applications. For more information, see request services application-identification group.

Configuration

Configuring Junos OS Application Identification User-Defined Application Groups

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set services application-identification application-group my_web
set services application-identification application-group my_web applications junos:HTTP
set services application-identification application-group my_web applications junos:FTP
set services application-identification application-group my_web applications junos:GOPHER
set services application-identification application-group my_web applications junos:AMAZON
set services application-identification application-group my_peer
set services application-identification application-group my_peer applications junos:BITTORRENT
set services application-identification application-group my_peer applications junos:BITTORRENT-DHT
set services application-identification application-group my_peer applications junos:BITTORRENT-UDP
set services application-identification application-group my_peer applications junos:BITTRACKER

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a custom application group for application identification:

  1. Set the name of your custom application group.
    [edit services application-identification]
    user@host# set application-group my_web
  2. Add the list of applications that you want to include in your custom application group.
    [edit services application-identification]
    user@host# set application-group my_web applications junos:HTTP
    user@host# set application-group my_web applications junos:FTP
    user@host# set application-group my_web applications junos:GOPHER
    user@host# set application-group my_web applications junos:AMAZON
  3. Set the name of a second custom application group.
    [edit services application-identification]
    user@host# set application-group my_peer
  4. Add the list of applications that you want to include in the group.
    [edit services application-identification]
    user@host# set application-group my_peer applications junos:BITTORRENT
    user@host# set application-group my_peer applications junos:BITTORRENT-DHT
    user@host# set application-group my_peer applications junos:BITTORRENT-UDP
    user@host# set application-group my_peer applications junos:BITTRACKER

Results

From configuration mode, confirm your configuration by entering the show services application-identification group command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show services application-identification application-group my_web
applications {
    junos:HTTP;
    junos:FTP;
    junos:GOPHER;
    junos:AMAZON;
}
user@host# show services application-identification application-group my_peer
applications {
    junos:BITTORRENT;
    junos:BITTORRENT-DHT;
    junos:BITTORRENT-UDP;
    junos:BITTRACKER;
}

If you are done configuring the device, enter commit from configuration mode.

Deleting an Application from a User-Defined Application Group

CLI Quick Configuration

To quickly configure this section of the example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit]
delete services application-identification application-group my_web applications junos:AMAZON

Step-by-Step Procedure

To delete an application from a custom application group:

[edit services application-identification]
user@host# delete application-group my_web applications junos:AMAZON

Results

From configuration mode, confirm your configuration by entering the show services application-identification application group detail command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show services application-identification group detail
application group my_web {
    junos:HTTP;
    junos:FTP;
    junos:GOPHER;
}

If you are done configuring the device, enter commit from configuration mode.

Creating Child Application Groups for an Application Group

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set services application-identification application-group p2p
set services application-identification application-group p2p application-groups my_web
set services application-identification application-group p2p application-groups my_peer

Step-by-Step Procedure

To configure child application groups for a custom application group:

  1. Set the name of the custom application group in which you are configuring the child application groups.
    [edit services application-identification]
    user@host# set application-group p2p
  2. Add the child application groups.
    [edit services application-identification]
    user@host# set application-group p2p application-groups my_web
    user@host# set application-group p2p application-groups my_peer

Results

From configuration mode, confirm your configuration by entering the show services application-identification application-group application-group-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show services application-identification application-group p2p
application-groups {
    my_web;
    my_peer;
}

If you are done configuring the device, enter commit from configuration mode.
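
When reviewing policies that reference a parent group such as p2p, it helps to see the full set of applications the group matches once its child groups are expanded. The following is an added example, not part of the original Juniper documentation: a Python sketch that reads the set and delete commands from this example (assumed to be in the one-command-per-line form shown above) and flattens a group to its effective applications. The function names parse and effective are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the member-level commands from this example, one per line.
SAMPLE = """\
set services application-identification application-group my_web applications junos:HTTP
set services application-identification application-group my_web applications junos:FTP
set services application-identification application-group my_web applications junos:GOPHER
set services application-identification application-group my_web applications junos:AMAZON
set services application-identification application-group my_peer applications junos:BITTORRENT
set services application-identification application-group my_peer applications junos:BITTORRENT-DHT
set services application-identification application-group my_peer applications junos:BITTORRENT-UDP
set services application-identification application-group my_peer applications junos:BITTRACKER
delete services application-identification application-group my_web applications junos:AMAZON
set services application-identification application-group p2p application-groups my_web
set services application-identification application-group p2p application-groups my_peer
"""

# Only member-level lines are parsed; a bare "set ... application-group NAME" is skipped.
LINE = re.compile(
    r"^(set|delete) services application-identification application-group (\S+)"
    r" (applications|application-groups) (\S+)$")

def parse(text):
    """Return {group: {"applications": set, "application-groups": set}}."""
    groups = defaultdict(lambda: {"applications": set(), "application-groups": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        action, group, kind, member = m.groups()
        if action == "set":
            groups[group][kind].add(member)
        elif group in groups:
            groups[group][kind].discard(member)
    return dict(groups)

def effective(groups, name, _path=()):
    """Flatten a group to the applications it matches, following child groups."""
    if name in _path:
        raise ValueError("group loop: " + " -> ".join(_path + (name,)))
    if name not in groups:
        raise KeyError("undefined child group: " + name)
    apps = set(groups[name]["applications"])
    for child in groups[name]["application-groups"]:
        apps |= effective(groups, child, _path + (name,))
    return apps
```

For the configuration in this example, effective(parse(SAMPLE), "p2p") returns the four BitTorrent applications together with junos:HTTP, junos:FTP, and junos:GOPHER, because my_web is a child of p2p.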