Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Predefined and Custom Application Groups for Application Identification

 

You can define an application group for both predefined applications, as well as custom applications. An application group contains applications that need similar treatment when defining a security policy. For more information, see the following topics:

Customizing Application Groups for Junos OS Application Identification

In Junos OS, application identification allows you to group applications in policies. Applications can be grouped under predefined and custom application groups. The entire predefined application group can be downloaded as part of the IDP or application identification security package. You can create custom application groups with a set of similar applications for consistent reuse when defining policies.

Application group support associates related applications under a single name for simplified, consistent reuse when using any application services.

The hierarchy of application groups resembles a tree structure with associated applications as the leaf nodes. The group any refers to the root node. The group unassigned is always situated one level from the root and initially contains all applications. When a group is defined, applications are assigned from the unassigned group to the new group. When a group is deleted, its applications are moved back to the unassigned group.

All predefined application groups have the prefix “junos“ in the application group name to prevent naming conflicts with custom application groups. You cannot modify the list of applications within a predefined application group. However, you can copy a predefined application group to use it as a template for creating a custom application group.

To customize a predefined application group, you must first disable the predefined group. Note that a disabled predefined application group remains disabled after an application database update. You can then use the operational command request services application-identification group to copy the disabled predefined application group. The copied group is placed in the configuration file, and the prefix “junos” is changed to “my”. At this point, you can modify the list of applications in “my” application group and rename the group with a unique name.

To reassign an application from one custom group to another, you must remove the application from its current custom application group, and then reassign it to the other.

Note

Starting in Junos OS Release 18.2R2 and Junos OS Release 18.4R1, encrypted applications such as HTTP, SMTP, IMAP and POP3 over SSL are identified as junos:HTTPS, junos:SMTPS, junos:IMAPS, and junos:POP3S in Junos OS predefined applications and application sets.

For example: If you configure a security policy to allow or deny HTTPS traffic, you must specify application matching criteria as junos:HTTPS.

In previous Junos OS Releases, both HTTP and encrypted HTTP (HTTPS) applications can be configured using a same application matching criteria as junos:HTTP.

Example: Configuring a Custom Application Group for Junos OS Application Identification for Simplified Management

This example shows how to configure custom application groups for Junos OS application identification for consistent reuse when defining policies.

Requirements

Before you begin, install an entire signature database from an IDP or an application identification security package. See Downloading and Installing the Junos OS Application Signature Package Manually or Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package.

Overview

In this example, you define applications for an application group, delete an application from an application group, and include an application group within another application group.

In Junos OS, application identification allows you to group applications in policies. Applications can be grouped under predefined and custom application groups. The entire predefined application group can be downloaded as part of the IDP or application identification security package. You can create custom application groups with a set of similar applications for consistent reuse when defining policies.

Note

You cannot modify the applications defined in a predefined application group. However, you can copy a predefined application group using the operational command request services application-identification group group-name copy to create a custom application group and modify the list of applications. For more information, see request services application-identification group.

Configuration

Configuring Junos OS Application Identification User-Defined Application Groups

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a custom application group for application identification:

  1. Set the name of your custom application group.
  2. Add the list of applications that you want to include in your custom application group.
  3. Set the name of a second custom application group.
  4. Add the list of applications that you want to include in the group.

Results

From configuration mode, confirm your configuration by entering the show services application-identification group command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Deleting an Application from a User-Defined Application Group

CLI Quick Configuration

To quickly configure this section of the example, copy the following command, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To delete an application from a custom application group:

  • Delete an application from a custom application group.

Results

From configuration mode, confirm your configuration by entering the show services application-identification application group detail command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Creating Child Application Groups for an Application Group

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure child application groups for a custom application group:

  1. Set the name of the custom application group in which you are configuring the child application groups.
  2. Add the child application groups.

Results

From configuration mode, confirm your configuration by entering the show services application-identification application-group application-group-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Enabling or Disabling Application Groups in Junos OS Application Identification

All application groups are enabled by default. Predefined application groups are enabled at installation.

  • For predefined application groups, you can disable and reenable a group using the request services application-identification group command. You cannot delete a predefined signature or signature group.

    • To disable a predefined application group:

      Note

      Make sure to commit the configuration changes or roll back the configuration when you are attempting to enable a disabled application or an application group. Uncommitted changes might result in configuration failure.

    • To reenable a disabled predefined application group: