
Application Firewall Support for Tenant System


Understanding Application Firewall Services for Tenant Systems

An application firewall is a set of fine-grained application control policies that permit or deny traffic based on the dynamic application name or the dynamic application group name that application identification assigns to a session. It lets you create and enforce security policy in terms of applications rather than the traditional port and protocol match.

An application firewall enables administrators of tenant systems to create security policies for traffic based on application identification defined by application signatures. It provides additional protection against dynamic-application traffic that standard security policies, which match only on Layer 3 and Layer 4 information, might not control adequately. The application firewall controls information transmission by permitting or blocking traffic originating from particular applications.

Note

The application firewall (AppFW) functionality is deprecated rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the replacement configuration (security policies that match on dynamic applications directly, known as unified policies). All the legacy AppFW features are supported on tenant systems. The [edit security application-firewall] hierarchy and all the configuration options under it are deprecated on SRX Series devices. A deprecated hierarchy receives no new functionality and can be removed in a later release, so plan the migration rather than building new tenant configurations on AppFW.

To configure an application firewall, you define a rule set containing rules that specify the action to take on identified dynamic applications. The rule set is configured independently and then referenced from a security policy. Each rule set contains at least two rules: a matched rule (match criteria plus an action) and a default rule.

Following are the available rules with application firewall:

  • A matched rule defines the action to be taken on matching traffic. When the traffic matches an application and other criteria specified in the rule, the traffic is allowed or blocked based on the action specified in the rule.

  • A default rule is applied when the traffic does not match any other rule in the rule set.

Configuring an application firewall on a tenant system is similar to configuring an application firewall on a device that is not configured with tenant systems. The application firewall applies only to the tenant system for which it is configured.

Starting in Junos OS Release 18.4R1, the tenant system administrator can configure the application firewall profile, trace options, and resources (appfw-rule-set and appfw-rule) in a tenant system. Rule order matters within a rule set, so AppFW rules can be reordered using the insert tenants tenant-id security application-firewall rule-sets ruleset-name rule rule-name1 after rule rule-name2 command.

Example: Configuring Application Firewall Services for a Tenant System

This example shows how to configure an application firewall rule set, its rules, and a profile on a tenant system. After the rule set and rules are configured, the rule set is referenced from a security policy in the tenant system.

Requirements

This example uses the following hardware and software components:

  • An SRX1500 device

  • Junos OS Release 18.4R1 or later

Overview

Evasive applications can remain undetected by a standard firewall that operates at Layer 3 or Layer 4 by transmitting other protocols over well-known ports, such as the HTTP port, that a firewall usually leaves open. AppFW enforces protocol and policy control at Layer 7. It inspects the actual content of the payload to identify the application and checks that the traffic conforms to the policy, rather than inferring the application from Layer 3 and Layer 4 information alone.

Additionally, with the growing popularity of Web applications and the shift from traditional full client-based applications to the Web, more and more traffic is being transmitted over HTTP. An application firewall identifies not only HTTP but also any application running on top of it, letting you properly enforce the policies.

The tenant administrator can configure an application firewall rule set and create rules that permit, reject, or deny traffic on the tenant system based on the application ID. In this example the application firewall traffic-control rule is configured for junos:HTTP. The security policy's own match condition permits the traffic, and the application firewall rule set then applies its per-dynamic-application rules to the permitted sessions.

Create application firewall services on the tenant system TSYS1 with a rule set called ruleset1. The rule set ruleset1 has a rule that permits traffic. A default rule is also created; its action is the opposite of the action in the other rules of the rule set (here, deny), so that dynamic applications not named by any rule are handled explicitly.

Configuration

CLI Quick Configuration

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure application firewall for a tenant system:

  1. Define a security profile and assign it to the tenant system.
  2. Configure the routing instance and add the tenant's interfaces to it.
  3. Configure the interfaces for the tenant system.
  4. Define the profile that sends a notification to clients when HTTP or HTTPS traffic is blocked by a reject or deny action of the application firewall.
  5. Configure an application firewall rule set for the tenant system, create a rule in that rule set, and specify the dynamic applications or dynamic application groups that the rule matches.
  6. Configure the default rule for the rule set, specifying the action to take when the identified dynamic application is not named in any rule of the rule set.
  7. Configure a security policy p1 that processes traffic arriving on the HTTP static ports with the application firewall rule set ruleset1.
  8. Configure the security zones.
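The following set commands are an added example that walks through the eight steps above and the rule set structure (matched rule plus default rule) described under Understanding Application Firewall Services for Tenant Systems; they are not the page's own configuration and have not been taken from Juniper's example output. The tenant name TSYS1, the rule set ruleset1, the policy p1, and the dynamic application junos:HTTP come from the text; the security profile SP1, routing instance vr1, profile profile1, interface names, addresses, zone names, and resource limits are assumptions. Lines beginning with # are explanatory comments.

```junos
# Added example configuration (not from the original page). SP1, vr1,
# profile1, ge-0/0/1, ge-0/0/2, trust, untrust, the addresses and the
# resource limits are assumed values.

# Step 1: security profile. The maximum/reserved counts bound how many
# AppFW rule sets and rules this tenant may commit; bind it to TSYS1.
set system security-profile SP1 appfw-rule-set maximum 10
set system security-profile SP1 appfw-rule-set reserved 2
set system security-profile SP1 appfw-rule maximum 20
set system security-profile SP1 appfw-rule reserved 4
set system security-profile SP1 tenant TSYS1

# Step 2: routing instance owned by the tenant, with its interfaces.
set tenants TSYS1 routing-instances vr1 instance-type virtual-router
set tenants TSYS1 routing-instances vr1 interface ge-0/0/1.0
set tenants TSYS1 routing-instances vr1 interface ge-0/0/2.0

# Step 3: interfaces are configured at the root level and used by the tenant.
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.1/24

# Step 4: block message returned to HTTP/HTTPS clients on reject or deny.
set tenants TSYS1 security application-firewall profile profile1 block-message type custom-text content "Blocked by the application firewall"

# Step 5: rule set with one matched rule that permits junos:HTTP.
set tenants TSYS1 security application-firewall rule-sets ruleset1 rule rule1 match dynamic-application junos:HTTP
set tenants TSYS1 security application-firewall rule-sets ruleset1 rule rule1 then permit

# Step 6: default rule takes the opposite action, so anything AppID
# classifies as something other than junos:HTTP on the HTTP port is dropped.
set tenants TSYS1 security application-firewall rule-sets ruleset1 default-rule deny
set tenants TSYS1 security application-firewall rule-sets ruleset1 profile profile1

# Step 7: policy p1 permits traffic on the HTTP static port and hands the
# session to ruleset1 as an application service.
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p1 match source-address any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p1 match destination-address any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p1 match application junos-http
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p1 then permit application-services application-firewall rule-set ruleset1

# Step 8: zones, each bound to one tenant interface.
set tenants TSYS1 security zones security-zone trust interfaces ge-0/0/1.0
set tenants TSYS1 security zones security-zone untrust interfaces ge-0/0/2.0
```

The point of the default-rule deny is the security-relevant one: policy p1 alone would permit anything that reaches TCP port 80, whereas with ruleset1 attached only sessions that AppID identifies as junos:HTTP are allowed through, and a protocol tunneled over port 80 falls to the default rule. If more rules are added later and their order matters, reorder them with insert tenants TSYS1 security application-firewall rule-sets ruleset1 rule rule-name1 after rule rule-name2 rather than deleting and recreating them.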

Results

From configuration mode, confirm your configuration by entering the show tenants TSYS1 security application-firewall, show tenants, and show security policies commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Application Firewall

Purpose

View the application firewall configuration on the tenant system.

Action

From operational mode, enter the show security application-firewall rule-set ruleset1 tenant TSYS1 command.

user@host> show security application-firewall rule-set ruleset1 tenant TSYS1

From operational mode, enter the show security flow session application-firewall extensive command.

user@host> show security flow session application-firewall extensive

Meaning

The first command displays the rule set ruleset1 as configured in the tenant system TSYS1, including its matched rule and default rule. The second displays the currently active sessions on the device that are subject to an application firewall rule set, with the dynamic application identified for each. Sessions appear only after traffic has passed through the tenant's policy, so generate HTTP traffic through TSYS1 before running the check.

Release History Table

Release   Description
18.4R1    Starting in Junos OS Release 18.4R1, the tenant system administrator can configure the application firewall profile, trace options, and resources (appfw-rule-set and appfw-rule) in a tenant system. The AppFW rules can be reordered using the insert tenants tenant-id security application-firewall rule-sets ruleset-name rule rule-name1 after rule rule-name2 command.