Predefined Application Signatures for Application Identification on NFX Devices
The predefined application signature package is a dynamically loadable module that provides application classification functionality and associated protocol attributes. It is hosted on an external server and can be downloaded as a package and installed on the device. For more information, see the following topics:
Understanding the Junos OS Application Package Installation
Juniper Networks regularly updates the predefined application signature package database and makes it available to subscribers on the Juniper Networks website. This package includes signature definitions of known application objects that can be used to identify applications for tracking, firewall policies, quality-of-service prioritization, and Intrusion Detection and Prevention (IDP). The database contains application objects such as FTP, DNS, Facebook, Kazaa, and many instant messenger programs.
You need to download and install the application signature package before configuring application services. The application signature package is also included directly in the IDP installation, in which case it does not need to be downloaded separately.
If you have IDP enabled and plan to use application identification, you can continue to run the IDP signature database download. To download the IDP signature database, run the following command: request security idp security-package download. The application package download can be performed manually or automatically. See Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package.
Note If you have an IDP-enabled device and plan to use application identification, we recommend that you download only the IDP signature database. This will avoid having two versions of the application database, which could become out of sync.
If you do not have IDP enabled and plan to use application identification, you can run the following commands: request services application-identification download and request services application-identification install. These commands will download the application signature database and install it on the device.
You can perform the download manually or automatically. When you download the extracted package manually, you can change the download URL.
After downloading and installing the application signature package, use CLI commands to download and install database updates, and view summary and detailed application information.
See Downloading and Installing the Junos OS Application Signature Package Manually or Example: Scheduling the Application Signature Package Updates.
Note The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content but you cannot update the data.
Note When you upgrade or downgrade an application signature package, an error message is displayed if any application IDs (the unique ID number of an application signature) do not match between the protocol bundles and those applications are configured in AppFW and AppQoS rules.
Example:
Please resolve following references and try it again [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:CCPROXY]
As a workaround, disable the AppFW and AppQoS rules before upgrading or downgrading an application signature package. You can re-enable AppFW and AppQoS rules once the upgrade or downgrade procedure is complete.
Note We recommend using the CLI for configuration of AppSecure features on Juniper Networks’ devices.
Upgrading to Next-Generation Application Identification
Next-generation application identification is supported on NFX devices.
Devices installed with Junos OS builds with legacy application identification include legacy application identification security packages. The next-generation application identification security package is installed along with the default protocol bundle. The device is automatically upgraded to next-generation application identification.
The next-generation application identification security package introduces incremental updates to the legacy application identification package. You are not required to remove or uninstall any existing applications.
Applications supported in previous releases (Junos OS Release 12.1X46 or earlier) might have new aliases or alternative names in the new version. Existing configurations that use such applications continue to work in Junos OS Release 12.1X47; however, related logs and other information use the new name. You can use the show services application-identification application detail new-application-name command to get the details of the applications.
When you upgrade Junos OS, you can include the validate or no-validate options with the request system software add command. Because the existing features, which are not part of next-generation application identification, are deprecated, incompatibility issues are not seen.
Next-generation application identification eliminates the generation of new nested applications and treats existing nested applications as normal applications. In addition, next-generation application identification does not support custom applications or custom application groups. Existing configurations involving any nested applications, custom applications, or custom application groups are ignored with warning messages.
Installing and Verifying Licenses for an Application Signature Package
The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content.
Licensing is usually ordered when the device is purchased, and this information is bound to the chassis serial number. These instructions assume that you already have the license. If you did not order the license during the purchase of the device, contact your account team or Juniper customer care for assistance. For more information, refer to the Knowledge Base article KB9731 at https://kb.juniper.net/InfoCenter/index?page=home.
AppSecure is part of Juniper Networks Secure Edge software. A separate license key is not required on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.
You can install the license on the NFX device using either the automatic method or manual method as follows:
Install your license automatically on the device.
To install or update your license automatically, your device must be connected to the Internet.
user@host> request system license update
Trying to update license keys from https://ae1.juniper.net, use 'show system license' to check status.
Install the licenses manually on the device.
user@host> request system license add terminal
[Type ^D at a new line to end input, enter blank line between each license key]
Paste the license key and press Enter to continue.
Verify the license is installed on your device.
Use the show system license command to view license usage, as shown in the following example:
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  logical-system                        4            1           3    permanent

License identifier: JUNOSXXXXXX
License version: 2
Valid for device: AA4XXXX005
Features:
  appid-sig - APPID Signature
    date-based, 2014-02-17 08:00:00 GMT-8 - 2015-02-11 08:00:00 GMT-8
The output sample is truncated to display only license usage details.
Example: Downloading and Installing the Junos OS Application Signature Package Manually on NFX Devices
This example shows how to download the application signature package, create a policy, and identify it as the active policy.
Requirements
Before you begin:
Ensure that your device has a connection to the Internet to download security package updates.
Note DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license. See Installing and Verifying Licenses for an Application Signature Package.
Overview
Juniper Networks regularly updates the predefined application signature package database and makes it available on the Juniper Networks website. This package includes application objects that can be used in Intrusion Detection and Prevention (IDP), application firewall policy, and AppTrack to match traffic.
Configuration
CLI Quick Configuration
CLI quick configuration is not available for this example because manual intervention is required during the configuration.
Downloading and Installing Application Identification
Step-by-Step Procedure
- Download the application package.
user@host> request services application-identification download
Please use command "request services application-identification download status" to check status
The download retrieves the application package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.
You can also download a specific version of the application package, or download the application package from a specific location, by using the following options:
To download a specific version of the application package:
user@host> request services application-identification download version version-number
To change the download URL for the application package from configuration mode:
[edit]
user@host# set services application-identification download url URL-or-file-path
Note If you change the download URL and you want to keep that change, make sure you commit the configuration.
- Check the download status.
user@host> request services application-identification download status
Application package 2345 is downloaded successfully
Note You can also use the system log to view the result of the download.
- Install the application package.
user@host> request services application-identification install
Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
The application package is installed in the application signature database on the device.
- Check the installation status of the application package.
The command output displays information about the downloaded and installed versions of the application package and protocol bundle.
To view the installation status:
user@host> request services application-identification install status
Install application package 2345 succeed
To view the protocol bundle status:
user@host> request services application-identification proto-bundle-status
Protocol Bundle Version (1.30.4-22.005 (build date Jan 17 2014)) and application secpack version (2345) is loaded and activated.
Note It is possible that an application signature was removed from the newer version of an application signature database. If this signature is used in an existing application firewall policy on your device, the installation of the new database will fail. An installation status message identifies the signature that is no longer valid. To update the database successfully, remove all references to the deleted signature from your existing policies and groups, and rerun the install command.
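The three outputs an operator has to read during this procedure, the appid-sig license window from show system license, the proto-bundle-status line, and the "Please resolve following references" error raised on upgrade or downgrade, are plain text, so a stale signature database or an expired subscription is easy to miss in a fleet. The following script is an added example, not Juniper code: it parses those three formats so the checks can be automated. The sample strings are constructed after the outputs shown on this page, and dropping the printed GMT offset (comparing against the device's own clock) is an assumption.

```python
"""Health checks over Junos application-identification CLI output.

Added example, not Juniper code. The samples below are constructed to match the
output formats shown on this page and are not device captures.
"""
import re
from datetime import datetime

# Constructed: detail block of 'show system license' for the appid-sig feature.
LICENSE_OUTPUT = """\
License identifier: JUNOSXXXXXX
License version: 2
Valid for device: AA4XXXX005
Features:
  appid-sig - APPID Signature
    date-based, 2014-02-17 08:00:00 GMT-8 - 2015-02-11 08:00:00 GMT-8
"""
# Constructed: 'request services application-identification proto-bundle-status' line.
BUNDLE_OUTPUT = ("Protocol Bundle Version (1.30.4-22.005 (build date Jan 17 2014)) "
                 "and application secpack version (2345) is loaded and activated.")
# Constructed: the upgrade/downgrade error raised when a rule references a stale app ID.
UPGRADE_ERROR = ("Please resolve following references and try it again "
                 "[edit class-of-service application-traffic-control rule-sets RS8 "
                 "rule 1 match application junos:CCPROXY]")

_FMT = "%Y-%m-%d %H:%M:%S"
_STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
_WINDOW_RE = re.compile(r"(?P<feature>\S+) - [^\n]*\n\s*date-based, "
                        rf"(?P<start>{_STAMP}) GMT[+-]?\d* - (?P<end>{_STAMP})")
_BUNDLE_RE = re.compile(
    r"Protocol Bundle Version \((?P<bundle>[\w.\-]+) \(build date (?P<built>[^)]+)\)\) "
    r"and application secpack version \((?P<secpack>\d+)\) is (?P<state>[\w ]+?)\.?$")
_REF_RE = re.compile(r"\[edit ([^\]]+)\]")


def license_window(text, feature="appid-sig"):
    """Return (start, end) of the date-based window for *feature*; the printed GMT
    offset is dropped (assumption: compare against the same device's clock)."""
    for m in _WINDOW_RE.finditer(text):
        if m.group("feature") == feature:
            return (datetime.strptime(m.group("start"), _FMT),
                    datetime.strptime(m.group("end"), _FMT))
    raise ValueError(f"no date-based license found for {feature}")

def license_valid_on(text, when_iso, feature="appid-sig"):
    """True if the ISO timestamp lies inside the window, i.e. updates are still permitted."""
    start, end = license_window(text, feature)
    return start <= datetime.fromisoformat(when_iso) <= end

def parse_proto_bundle_status(text):
    """Split the proto-bundle-status line into versions, build date and an active flag."""
    m = _BUNDLE_RE.search(text.strip())
    if not m:
        raise ValueError("unrecognised proto-bundle-status output")
    info = m.groupdict()
    info["active"] = info["state"] == "loaded and activated"
    return info

def blocking_references(text):
    """Configuration paths the device asks you to resolve before an upgrade or
    downgrade can proceed; empty when the output is not that error."""
    if "Please resolve following references" not in text:
        return []
    return _REF_RE.findall(text)

if __name__ == "__main__":
    print("license valid on 2014-06-01:", license_valid_on(LICENSE_OUTPUT, "2014-06-01 00:00:00"))
    print("protocol bundle:", parse_proto_bundle_status(BUNDLE_OUTPUT))
    print("rules to disable before upgrading:", blocking_references(UPGRADE_ERROR))
```

Feed the real command output (for example collected over NETCONF or an SSH session) to the same functions to alert when the window is about to close or the bundle is not in the loaded and activated state.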
Verification
Confirm that the configuration is working properly.
Verifying the Application Identification Status
Purpose
Verify that the application identification configuration is working properly.
Action
From operational mode, enter the show services application-identification status command.
pic: 1/0
  Application Identification Status        Enabled
  Sessions under app detection             0
  Engine Version                           4.18.1-20 (build date Jan 25 2014)
  Max TCP session packet memory            30000
  Max C2S bytes                            1024
  Max S2C bytes                            0
  Force packet plugin                      Disabled
  Force stream plugin                      Disabled
  Statistics collection interval           1 (in minutes)
  Application System Cache
    Status                                 Enabled
    Negative cache status                  Disabled
    Max Number of entries in cache         131072
    Cache timeout in seconds               3600
  Protocol Bundle
    Download Server                        https://services.netscreen.com/cgi-bin/index.cgi
    AutoUpdate                             Enabled
    Slot 1:
      Status                               Active
      Version                              1.30.4-22.005 (build date Jan 17 2014)
      Sessions                             0
    Slot 2:
      Status                               Free
Meaning
The Status: Enabled field shows that application identification is enabled on the device.
Example: Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package on NFX Devices
You can download and install application signatures through intrusion detection and prevention (IDP) security packages.
This example shows how to enhance security by downloading and installing the IDP signatures and the application signature package. In this case, both the IDP signature package and the application signature package are downloaded with a single command.
Requirements
Before you begin:
Ensure that your device has a connection to the Internet to download security package updates.
Note DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license. See Installing and Verifying Licenses for an Application Signature Package.
Overview
In this example, you download and install the signature database from the Juniper Networks website.
Configuration
Downloading and Installing the Signature Database
CLI Quick Configuration
CLI quick configuration is not available for this example because manual intervention is required during the configuration.
Step-by-Step Procedure
To download and install application signatures:
- Download the signature database.
[edit]
user@host# run request security idp security-package download
Will be processed in async mode. Check the status using the status checking CLI
Note Downloading the database might take some time depending on the database size and the speed of your Internet connection.
- Check the security package download status.
[edit]
user@host# run request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi). Version info:2230(Mon Feb 4 19:40:13 2013 GMT-8, Detector=12.6.160121210)
- Install the attack database.
[edit]
user@host# run request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
Note Installing the attack database might take some time depending on the security database size.
- Check the attack database install status. The command output displays information about the downloaded and installed versions of the attack database.
[edit]
user@host# run request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=2230,ExportDate=Mon Feb 4 19:40:13 2013 GMT-8,Detector=12.6.160121210]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful
- Confirm your IDP security package version.
[edit]
user@host# run show security idp security-package-version
  Attack database version:2230(Mon Feb 4 19:40:13 2013 GMT-8)
  Detector version :12.6.160121210
  Policy template version :2230
- Confirm your application identification package version.
[edit]
user@host# run show services application-identification version
Application package version: 1884
Verification
Confirm that the application signature package is being updated properly.
Verifying application signature package
Purpose
Verify the services application identification version.
Action
From operational mode, enter the show services application-identification version command.
Application package version: 1884
Meaning
The sample output shows that the services application identification version is 1884.
Example: Scheduling the Application Signature Package Updates on NFX Devices
This example shows how to set up automatic updates of the predefined application signature package.
Requirements
Before you begin:
Ensure that your device has a connection to the Internet to download security package updates.
Note DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license. See Installing and Verifying Licenses for an Application Signature Package.
Overview
In this example, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.
Configuration
Step-by-Step Procedure
To use the CLI to automatically update the Junos OS application signature package:
- Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:
[edit]
user@host# set services application-identification download url https://signatures.juniper.net/cgi-bin/index.cgi
- Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 11:59 pm on December 10:
[edit]
user@host# set services application-identification download automatic interval 48 start-time 12-10.23:59
- If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify that the application signature package is being updated properly, enter the show services application-identification version command. Review the version number and details for the latest update.
Scheduling the Application Signature Package Updates as Part of the IDP Security Package
The following configuration procedure describes how to set up automatic updates of the application identification signature package (part of the IDP security package) at a specified date and time.
Requirements
Before you begin:
Ensure that your device has a connection to the Internet to download security package updates.
Note DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license. See Installing and Verifying Licenses for an Application Signature Package.
Overview
In this procedure, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.
Configuration
Step-by-Step Procedure
To use the CLI to automatically update the Junos OS application signature package:
- Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:
[edit]
user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
- Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 11:55 pm on December 10, 2013:
[edit]
user@host# set security idp security-package automatic interval 48 start-time 2013-12-10.23:55:55
- Enable an automatic download and update of the security package.
[edit]
user@host# set security idp security-package automatic enable
- If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
Confirm that the application signature package is being updated properly.
Verifying application signature package
Purpose
Verify the services application identification version.
Action
From operational mode, enter the show services application-identification version command.
Application package version: 1884
Meaning
The sample output shows that the services application identification version is 1884.
Verifying the Junos OS Application Identification Extracted Application Package
Purpose
After successful download and installation of the application package, use the following commands to view the predefined application signature package content.
Action
View the current version of the application package:
show services application-identification version
Application package version: 1608
View the current status of the application package:
show services application-identification status
pic: 1/0
  Application Identification Status        Enabled
  Sessions under app detection             0
  Engine Version                           4.18.1-20 (build date Jan 25 2014)
  Max TCP session packet memory            30000
  Max C2S bytes                            1024
  Max S2C bytes                            0
  Force packet plugin                      Disabled
  Force stream plugin                      Disabled
  Statistics collection interval           1 (in minutes)
  Application System Cache
    Status                                 Enabled
    Negative cache status                  Disabled
    Max Number of entries in cache         131072
    Cache timeout in seconds               3600
  Protocol Bundle
    Download Server                        https://services.netscreen.com/cgi-bin/index.cgi
    AutoUpdate                             Enabled
    Slot 1:
      Status                               Active
      Version                              1.30.4-22.005 (build date Jan 17 2014)
      Sessions                             0
    Slot 2:
      Status                               Free
Uninstalling the Junos OS Application Identification Application Package
You can uninstall the predefined application package. The uninstall operation fails if any active security policies in the Junos OS configuration reference the predefined application signatures.
To uninstall application package:
- Uninstall the application package:
user@host> request services application-identification uninstall
Please use command "request services application-identification uninstall status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
- Check the uninstall operation status of the application package. The command output displays information about the uninstall status of the application package and protocol bundle.
Check the uninstall status:
user@host> request services application-identification uninstall status
Uninstall application package 2345 succeed
Check the uninstall status of protocol bundle:
user@host> request services application-identification proto-bundle-status
Protocol Bundle Version (1.30.4-22.005 (build date Jan 17 2014)) and application secpack version (2345) is unloaded and deactivated
The application package and protocol bundle are uninstalled from the device. To reinstall application identification, you need to download the application package and install it again.