Application Tracking on NFX Devices
Application tracking (AppTrack) is a logging and reporting tool that can be used to share information for application visibility. AppTrack sends log messages through syslog providing application activity update messages. For more information, see the following topics:
Understanding AppTrack
AppTrack, an application tracking tool, provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. Juniper Secure Analytics (formally known as STRM) retrieves the data and provides flow-based application visibility.
AppTrack messages are similar to session logs and use syslog or structured syslog formats. The message also includes an application field for the session. If AppTrack identifies a custom-defined application and returns an appropriate name, the custom application name is included in the log message. (If the application identification process fails or has not yet completed when an update message is triggered, the message specifies none in the application field.)
AppTrack supports both IPv4 and IPv6 addressing. Related messages display addresses in the appropriate IPv4 or IPv6 format.
User identity details such as user name and user role have been added to the AppTrack session create, session close, and volume update logs. These fields will contain the user name and role associated with the policy match. The logging of user name and roles is enabled only for security policies that provide UAC enforcement. For security policies without UAC enforcement, the user name and user role fields are displayed as N/A. The user name is displayed as unauthenticated user and user role is displayed as N/A, if the device cannot retrieve information for that session because there is no authentication table entry for that session or because logging of this information is disabled. The user role field in the log contains the list of all the roles performed by the user if match criteria is specific, authenticated user, or any, and the user name field in the log contains the correct user name. The user role field in the log will contain N/A if the match criteria and the user name field in the log contain unauthenticated user or unknown user.
If you enable AppTrack for a zone and specify a session-update-interval time, whenever a packet is received, AppTrack checks whether the time since the start of the session or since the last update is greater than the update interval. If so, AppTrack updates the counts and sends an update message to the host. If a short-lived session starts and ends within the update interval, AppTrack generates a message only at session close.
When you want the initial update message to be sent earlier than the specified update interval, use the first-update-interval. The first-update-interval lets you enter a shorter interval for the first update only. Alternatively, you can generate the initial update message at session start by using the first-update option.
The close message updates the statistics for the last time and provides an explanation for the session closure. The following codes are used:
Benefits of Application Tracking
Provides visibility into the types of applications traversing through a device.
Enables you to gain insight into permitted applications and the risk they might pose.
Assists in managing bandwidth, reports active users and applications.
Application Tracking Log Messages Fields
The AppTrack session create, session close, and volume update logs include a new field called destination interface. You can use the destination interface field to see which egress interface is selected for the session when a advanced policy-based routing (APBR) is applied to that session and AppTrack is enabled and configured within any logical system.
AppTrack log for route update includes APBR profile, rule, and routing instance details. When APBR is applied to a session, the new log is generated and the AppTrack session counter is updated to indicate the number of times a new route update log is generated. The AppTrack session close log is also updated to include APBR profile, rule, and routing instance details.
AppTrack session create, session close, and volume update logs include the new fields category and subcategory. These fields provide general information about the application attributes. For example, the category field specifies the technology of the application (web, infrastructure) and subcategory field specifies the subcategory of the application (for example, social networking, news, and advertisements).
Because category and subcategory are not applicable for a custom application, the AppTrack log messages present the category as custom application and the subcategory as N/A.
For unknown applications, both category and subcategories are logged as N/A.
Examples of the log messages in structured syslog format:
APPTRACK_SESSION_CREATE user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" username="user1" roles="DEPT1" encrypted="UNKNOWN" destination-interface-name=”ge-0/0/0” category=”N/A” sub-category=”N/A”]
APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" routing-instance=“default” destination-interface-name=”st0.0” category=” Web” sub-category=”N/A”]
APPTRACK_SESSION_VOL_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” category=” Web” sub-category=”Social-Networking”]
APPTRACK_SESSION_ROUTE_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” category=”Web” sub-category=”Social-Networking”]
See also
Example: Configuring AppTrack
This example shows how to configure the AppTrack tracking tool so you can analyze the bandwidth usage of your network.
Requirements
Before you configure AppTrack, ensure that you have downloaded the application signature package, installed it, and verified that the application identification configuration is working properly. See Downloading and Installing the Junos OS Application Signature Package Manually or Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package. Use the show services application-identification status command to verify the status.
Overview
Application identification is enabled by default and is automatically turned on when you configure the AppTrack, AppFW, or IDP service. The Juniper Secure Analytics (JSA) retrieves the data and provides flow-based application visibility. STRM includes the support for AppTrack Reporting and includes several predefined search templates and reports.
Configuration
This example shows how to enable application tracking for the security zone named trust. The first log message is to be generated when the session starts, and update messages should be sent every 4 minutes after that. A final message should be sent at session end.
The example also shows how to add the remote syslog device configuration to receive AppTrack log messages in sd-syslog format. The source IP address that is used when exporting security logs is 192.0.2.1, and the security logs are sent to the host located at address 192.0.2.2.
We recommend using CLI for configuration of AppSecure features.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Changing the session-update-interval and the first-update-interval is not necessary in most situations. The commands are included in this example to demonstrate their use.
If the syslog configuration does not specify a destination port, the default destination port will be the syslog port. If you specify a destination port in the syslog configuration, then that port will be used instead.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.
To configure AppTrack:
- Add the remote syslog device configuration to receive
Apptrack messages in sd-syslog format. [edit]user@host# set security log mode streamuser@host# set security log format sd-sysloguser@host# set security log source-address 192.0.2.1user@host# set security log stream app-track-logs host 192.0.2.2
- Enable AppTrack for the security zone trust.[edit]user@host# set security zones security-zone trust application-tracking
- (Optional) For this example, generate update messages
every 4 minutes.[edit]user@host# set security application-tracking session-update-interval 4
The default interval between messages is 5 minutes. If a session starts and ends within this update interval, AppTrack generates one message at session close. However, if the session is long-lived, an update message is sent every 5 minutes. The session-update-interval minutes is configurable as shown in this step.
- (Optional) For this example, generate the first message
when the session starts. [edit]user@host# set security application-tracking first-update
By default, the first message is generated after the first session update interval elapses. To generate the first message at a different time than this, use the first-update option (generate the first message at session start) or the first-update-interval minutes option (generate the first message after the specified minutes). For example, enter the following command to generate the first message one minute after session start.
[edit]user@host# set security application-tracking first-update-interval 1Note The first-update option and the first-update-interval minutes option are mutually exclusive. If you specify both, the first-update-interval value is ignored.
Once the first message has been generated, an update message is generated each time the session update interval is reached.
Results
From configuration mode, confirm your configuration by entering the show security and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
If you are done configuring the device, enter commit from configuration mode.
Verification
Use the JSA product on the remote logging device to view the AppTrack log messages.
To confirm that the configuration is working properly, you can also perform these tasks on the device:
Reviewing AppTrack Statistics
Purpose
Review AppTrack statistics to view characteristics of the traffic being tracked.
Action
From operational mode, enter the show services application-identification statistics applications command.
Last Reset: 2012-02-14 21:23:45 UTC Application Sessions Bytes Encrypted HTTP 1 2291 Yes HTTP 1 942 No SSL 1 2291 Yes unknown 1 100 No unknown 1 100 Yes
For more information on the show services application-identification statistics applications command, see show services application-identification statistics applications.
Verifying AppTrack Counter Values
Purpose
View the AppTrack counters periodically to monitor logging activity.
Action
From operational mode, enter the show security application-tracking counters command.
AVT counters: Value Session create messages 1 Session close messages 1 Session volume updates 0 Failed messages 0
Verifying Security Flow Session Statistics
Purpose
Compare byte and packet counts in logged messages with the session statistics from the show security flow session command output.
Action
From operational mode, enter the show security flow session command.
Flow Sessions on FPC6 PIC0: Session ID: 120000044, Policy name: policy-in-out/4, Timeout: 1796, Valid In: 192.0.2.1/24 --> 198.51.100.0/21;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 1032 Out: 198.51.100.0/24 --> 192.0.2.1//39075;tcp, If: ge-0/0/1.0, Pkts: 24, Bytes: 1442 Valid sessions: 1 Pending sessions: 0 Invalidated sessions: 0 Sessions in other states: 0 Total sessions: 1
Byte and packet totals in the session statistics should approximate the counts logged by AppTrack but might not be exactly the same. AppTrack counts only incoming bytes and packets. System-generated packets are not included in the total, and dropped packets are not deducted.
Verifying Application System Cache Statistics
Purpose
Compare cache statistics such as IP address, port, protocol, and service for an application from the show services application-identification application-system-cache command output.
Action
From operational mode, enter the show services application-identification application-system-cache command.
Verifying the Status of Application Identification Counter Values
Purpose
Compare session statistics for application identification counter values from the show services application-identification counter command output.
Action
From operational mode, enter the show services application-identification counter command.
See also
Configuring AppTrack When SSL Proxy Is Enabled
This configuration procedure describes how AppTrack supports AppID functionality when SSL proxy is enabled.
Requirements
Before you begin:
Create zones. See Example: Creating Security Zones.
Create an SSL proxy profile that enables SSL proxy by means of a policy. See Configuring SSL Forward Proxy.
Overview
You can configure AppTrack either in the to or from zones. This example shows how to configure AppTrack in a to zone in a policy rule when SSL proxy is enabled.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
In this example, you configure application tracking and permit application services in an SSL proxy profile configuration.
- Configure application tracking in a to-zone (you can also
configure using a from-zone).[edit security policies]user@host# set security zones security-zone Z_1 application-tracking
- Configure SSL proxy profile.[edit security policies from-zone Z_1 to-zone Z_2 policy policy1]set match source-address anyset match destination-address anyset match application junos-httpsset then permit application-services ssl-proxy profile-name ssl-profile-1set then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
Verify that the configuration is working properly. Verification in AppTrack works similarly to verification in AppFW. See the verification section of Example: Configuring Application Firewall When SSL Proxy Is Enabled.
See also
Disabling AppTrack
Application tracking is enabled by default. You can disable application tracking without deleting the zone configuration.
To disable application tracking:
If application tracking has been previously disabled and you want to reenable it, delete the configuration statement that specifies disabling of application tracking:
If you are finished configuring the device, commit the configuration.
To verify the configuration, enter the show security application-tracking command.