Application Tracking

 

Application tracking (AppTrack) is a logging and reporting tool that can be used to share information for application visibility. AppTrack sends log messages through syslog providing application activity update messages. For more information, see the following topics:

Understanding Application Tracking

AppTrack, an application tracking tool, provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. Juniper Secure Analytics (formally known as STRM) retrieves the data and provides flow-based application visibility.

AppTrack messages are similar to session logs and use syslog or structured syslog formats. The message also includes an application field for the session. If AppTrack identifies a custom-defined application and returns an appropriate name, the custom application name is included in the log message. (If the application identification process fails or has not yet completed when an update message is triggered, the message specifies none in the application field.)

AppTrack supports both IPv4 and IPv6 addressing. Related messages display addresses in the appropriate IPv4 or IPv6 format.

User identity details such as user name and user role have been added to the AppTrack session create, session close, and volume update logs. These fields will contain the user name and role associated with the policy match. The logging of user name and roles is enabled only for security policies that provide UAC enforcement. For security policies without UAC enforcement, the user name and user role fields are displayed as N/A. The user name is displayed as unauthenticated user and user role is displayed as N/A, if the device cannot retrieve information for that session because there is no authentication table entry for that session or because logging of this information is disabled. The user role field in the log contains the list of all the roles performed by the user if match criteria is specific, authenticated user, or any, and the user name field in the log contains the correct user name. The user role field in the log will contain N/A if the match criteria and the user name field in the log contain unauthenticated user or unknown user.

If you enable AppTrack for a zone and specify a session-update-interval time, whenever a packet is received, AppTrack checks whether the time since the start of the session or since the last update is greater than the update interval. If so, AppTrack updates the counts and sends an update message to the host. If a short-lived session starts and ends within the update interval, AppTrack generates a message only at session close.

When you want the initial update message to be sent earlier than the specified update interval, use the first-update-interval. The first-update-interval lets you enter a shorter interval for the first update only. Alternatively, you can generate the initial update message at session start by using the first-update option.

The close message updates the statistics for the last time and provides an explanation for the session closure. The following codes are used:

TCP RSTRST received from either end.
TCP FINFIN received from either end.
Response receivedResponse received for a packet request (such as icmp req-reply).
ICMP errorICMP error received (such as dest unreachable).
Aged outSession aged out.
ALGALG closed the session.
IDPIDP closed the session.
Parent closedParent session closed.
CLISession cleared by a CLI statement.
Policy deletePolicy marked for deletion.

Benefits of Application Tracking

  • Provides visibility into the types of applications traversing through an SRX Series device.

  • Enables you to gain insight into permitted applications and the risk they might pose.

  • Assists in managing bandwidth, reports active users and applications.

Application Tracking Log Messages Fields

Starting from Junos OS Release 15.1X49-D100, AppTrack session create, session close, and volume update logs include a new field called destination interface. You can use the destination interface field to see which egress interface is selected for the session when a advanced policy-based routing (APBR) is applied to that session and AppTrack is enabled and configured within any logical system.

Starting from Junos OS Release 15.1X49-D100, a new AppTrack log for route update is added to include APBR profile, rule, and routing instance details. When APBR is applied to a session, the new log is generated and the AppTrack session counter is updated to indicate the number of times a new route update log is generated. The AppTrack session close log is also updated to include APBR profile, rule, and routing instance details.

Starting from Junos OS Release 17.4R1, AppTrack session create, session close, and volume update logs include the new fields category and subcategory. These fields provide general information about the application attributes. For example, the category field specifies the technology of the application (web, infrastructure) and subcategory field specifies the subcategory of the application (for example, social networking, news, and advertisements).

Because category and subcategory are not applicable for a custom application, the AppTrack log messages present the category as custom application and the subcategory as N/A.

For unknown applications, both category and subcategories are logged as N/A.

Examples of the log messages in structured syslog format:

APPTRACK_SESSION_CREATE user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" username="user1" roles="DEPT1" encrypted="UNKNOWN" destination-interface-name=”ge-0/0/0” category=”N/A” sub-category=”N/A”]

APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" routing-instance=“default” destination-interface-name=”st0.0” category=” Web” sub-category=”N/A”]

APPTRACK_SESSION_VOL_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” category=” Web” sub-category=”Social-Networking”]

APPTRACK_SESSION_ROUTE_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” category=”Web” sub-category=”Social-Networking”]

Starting in Junos OS Release 18.4R1 and Junos OS Release 18.3R2, in the APPTRACK_SESSION_ROUTE_UPDATE log, the encrypted field displays the value as N/A as shown in the following sample:

APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="251" destination-address="5.0.0.1" destination-port="250" service-name="None" application="HTTP" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="251" nat-destination-address="5.0.0.1" nat-destination-port="250" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="866" username="N/A" roles="N/A" encrypted="N/A" profile-name="profile1" rule-name="rule1" routing-instance="RI1" destination-interface-name="ge-0/0/2.0" category="Web" subcategory="N/A" apbr-policy-name="sla1" webfilter-category="N/A"]

Starting in Junos OS Release 18.4R1, in the APPTRACK_SESSION_CLOSE and APPTRACK_SESSION_CLOSE_LS log includes the multipath rule name as shown in the following sample:

2018-10-25T01:00:18.179-07:00 multihome-spoke RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="19.0.0.2" source-port="34880" destination-address="9.0.0.2" destination-port="80" service-name="junos-http" application="HTTP" nested-application="GOOGLE-GEN" nat-source-address="19.0.0.2" nat-source-port="34880" nat-destination-address="9.0.0.2" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="trust" destination-zone-name="untrust1" session-id-32="9625" packets-from-client="347" bytes-from-client="18199" packets-from-server="388" bytes-from-server="131928" elapsed-time="411" username="N/A" roles="N/A" encrypted="No" profile-name="apbr1" rule-name="rule1" routing-instance="TC1_VPN" destination-interface-name="gr-0/0/0.4" uplink-incoming-interface-name="" uplink-tx-bytes="0" uplink-rx-bytes="0" multipath-rule-name="multi1"]

Starting from Junos OS Release 18.2R1, AppTrack session close logs include new fields to record the packet bytes transmitted and received through the uplink interfaces. The packet bytes transmitted and received through the uplink interfaces are reported by uplink-tx-bytes, uplink-rx-bytes, and uplink-incoming-interface-name fields.

Example:

APPTRACK_SESSION_CLOSE [user@host.1.1.1.2.137 reason="TCP FIN" source-address="4.0.0.1" source-port="40297" destination-address="5.0.0.1" destination-port="110" service-name="junos-pop3" application="POP3" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="40297" nat-destination-address="5.0.0.1" nat-destination-port="110" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="UNTRUST" destination-zone-name="TRUST" session-id-32="81" packets-from-client="7" bytes-from-client="1959" packets-from-server="6" bytes-from-server="68643" elapsed-time="130" username="N/A" roles="N/A" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name="gr-0/0/0.0" uplink-tx-bytes="1959" uplink-rx-bytes="68643" uplink-incoming-interface-name="gr-0/0/0.0"]

A new syslog message RT_FLOW_NEXTHOP_CHANGE is generated whenever there is a change in the route or in the next-hop on the APBR and AppTrack enabled sessions.

Starting from Junos OS Release 18.2R1, new application tracking messages are added for AppQoE (application quality of experience).. The new Apptrack messages provide information such as active and passive metric report, switching of application traffic path as shown in the following samples:

APPQOE_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 source-address="20.1.1.1" source-port="47335" destination-address="151.101.9.67" destination-port="443" apbr-profile="apbrProf1" apbr-rule="rule1" application="HTTP" nested-application="CNN" group-name="N/A" service-name="junos-https" protocol-id="6" source-zone-name="trust" destination-zone-name="untrust" session-id-32="611" username="N/A" roles="N/A" routing-instance="ri3" destination-interface-name="gr-0/0/0.2" ip-dscp="0" sla-rule="SLA1" elapsed-time="2" bytes-from-client="675" bytes-from-server="0" packets-from-client="7" packets-from-server="0" previous-interface="gr-0/0/0.2" active-probe-params="PP1" destination-group-name="p1"]

APPQOE_PASSIVE_SLA_METRIC_REPORT [junos@2636.1.1.1.2.129 source-address="20.1.1.1" source-port="47335" destination-address="151.101.9.67" destination-port="443" apbr-profile="apbrProf1" apbr-rule="rule1" application="HTTP" nested-application="CNN" group-name="N/A" service-name="junos-https" protocol-id="6" source-zone-name="trust" destination-zone-name="untrust" session-id-32="611" username="N/A" roles="N/A" routing-instance="ri3" destination-interface-name="gr-0/0/0.2" ip-dscp="0" sla-rule="SLA1" ingress-jitter="0" egress-jitter="0" rtt-jitter="0" rtt="0" pkt-loss="0" bytes-from-client="1073" bytes-from-server="6011" packets-from-client="12" packets-from-server="13" monitoring-time="990" active-probe-params="PP1" destination-group-name="p1"]

APPQOE_SLA_METRIC_VIOLATION [junos@2636.1.1.1.2.129 source-address="20.1.1.1" source-port="35264" destination-address="151.101.193.67" destination-port="443" apbr-profile="apbrProf1" apbr-rule="rule1" application="HTTP" nested-application="CNN" group-name="N/A" service-name="junos-https" protocol-id="6" source-zone-name="trust" destination-zone-name="untrust" session-id-32="614" username="N/A" roles="N/A" routing-instance="ri3" destination-interface-name="gr-0/0/0.2" ip-dscp="0" sla-rule="SLA1" ingress-jitter="104" egress-jitter="7" rtt-jitter="97" rtt="1142" pkt-loss="0" target-jitter-type="2" target-jitter="20000" target-rtt="500" target-pkt-loss="1" violation-reason="1" jitter-violation-count="0" pkt-loss-violation-count="0" rtt-violation-count="1" violation-duration="0" bytes-from-client="2476" bytes-from-server="163993" packets-from-client="48" packets-from-server="150" monitoring-time="948" active-probe-params="PP1" destination-group-name="p1"]

APPQOE_ACTIVE_SLA_METRIC_REPORT [junos@2636.1.1.1.2.129 source-address="6.1.1.2" source-port="36051" destination-address="6.1.1.1" destination-port="36050" application="UDP" protocol-id="17" destination-zone-name="untrust" routing-instance="ri3" destination-interface-name="gr-0/0/0.3" ip-dscp="128" ingress-jitter="26" egress-jitter="31" rtt-jitter="8" rtt="2383" pkt-loss="0" bytes-from-client="870240" bytes-from-server="425280" packets-from-client="4440" packets-from-server="4430" monitoring-time="30" active-probe-params="PP1" destination-group-name="p1"]

Starting in Junos OS Release 15.1X49-D170, AppTrack session create, session close, route update, and volume update logs are enhanced to include VRF-name for both Source-VRF and Destination-VRF. The new Apptrack messages provide information such as VRF-name for both Source-VRF and Destination-VRF as shown in the following sample:

<14>1 2018-10-03T00:35:22.015-07:00 pdt-porter-vsrx4 RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="1.3.0.10" source-port="990" destination-address="8.3.0.10" destination-port="8080" service-name="None" application="HTTP" nested-application="UNKNOWN" nat-source-address="1.3.0.10" nat-source-port="990" nat-destination-address="8.3.0.10" nat-destination-port="8080" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="trust_lan2" destination-zone-name="sdwan" session-id-32="432399" username="N/A" roles="N/A" encrypted="No" profile-name="p2" rule-name="r1" routing-instance="Default_VPN_LAN2" destination-interface-name="gr-0/0/0.0" source-l3vpn-vrf-group-name="vpn-A" destination-l3vpn-vrf-group-name="vpn-A"]

<14>1 2018-10-03T00:35:22.015-07:00 pdt-porter-vsrx4 RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="1.3.0.10" source-port="990" destination-address="8.3.0.10" destination-port="8080" service-name="None" application="HTTP" nested-application="UNKNOWN" nat-source-address="1.3.0.10" nat-source-port="990" nat-destination-address="8.3.0.10" nat-destination-port="8080" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="trust_lan2" destination-zone-name="sdwan" session-id-32="432399" username="N/A" roles="N/A" encrypted="No" destination-interface-name="gr-0/0/0.0" source-l3vpn-vrf-group-name="vpn-A" destination-l3vpn-vrf-group-name="vpn-A’"]

<14>1 2019-01-21T04:02:51.036-08:00 idpdevesx6-vsrx2-10 RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="34219" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="34219" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="policy1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="4" packets-from-client="6" bytes-from-client="425" packets-from-server="5" bytes-from-server="561" elapsed-time="1" username="N/A" roles="N/A" encrypted="No" profile-name="p1" rule-name="r1" routing-instance="default" destination-interface-name="ge-0/0/1.0" source-l3vpn-vrf-group-name="vpn-A" destination-l3vpn-vrf-group-name="vpn-A"]

<14>1 2019-01-21T04:02:51.036-08:00 idpdevesx6-vsrx2-10 RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="4.0.0.1" source-port="34219" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="34219" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="policy1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="4" packets-from-client="6" bytes-from-client="425" packets-from-server="5" bytes-from-server="561" elapsed-time="1" username="N/A" roles="N/A" encrypted="No" profile-name="p1" rule-name="r1" routing-instance="default" destination-interface-name="ge-0/0/1.0" uplink-incoming-interface-name="" uplink-tx-bytes="0" uplink-rx-bytes="0" multipath-rule-name="N/A" source-l3vpn-vrf-group-name="vpn-A" destination-l3vpn-vrf-group-name="vpn-A"]

Example: Configuring Application Tracking

This example shows how to configure the AppTrack tracking tool so you can analyze the bandwidth usage of your network.

Requirements

Before you configure AppTrack, ensure that you have downloaded the application signature package, installed it, and verified that the application identification configuration is working properly. See Downloading and Installing the Junos OS Application Signature Package Manually or Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package. Use the show services application-identification status command to verify the status.

Overview

Application identification is enabled by default and is automatically turned on when you configure the AppTrack, AppFW, or IDP service. The Juniper Secure Analytics (JSA) retrieves the data and provides flow-based application visibility. STRM includes the support for AppTrack Reporting and includes several predefined search templates and reports.

Configuration

This example shows how to enable application tracking for the security zone named trust. The first log message is to be generated when the session starts, and update messages should be sent every 4 minutes after that. A final message should be sent at session end.

The example also shows how to add the remote syslog device configuration to receive AppTrack log messages in sd-syslog format. The source IP address that is used when exporting security logs is 192.0.2.1, and the security logs are sent to the host located at address 192.0.2.2.

Note

On all SRX Series devices, J-Web pages for AppSecure Services are preliminary. We recommend using CLI for configuration of AppSecure features.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Note

Changing the session-update-interval and the first-update-interval is not necessary in most situations. The commands are included in this example to demonstrate their use.

Note

On SRX5600, and SRX5800 devices, if the syslog configuration does not specify a destination port, the default destination port will be the syslog port. If you specify a destination port in the syslog configuration, then that port will be used instead.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.

To configure AppTrack:

  1. Add the remote syslog device configuration to receive Apptrack messages in sd-syslog format.
  2. Enable AppTrack for the security zone trust.
  3. (Optional) For this example, generate update messages every 4 minutes.

    The default interval between messages is 5 minutes. If a session starts and ends within this update interval, AppTrack generates one message at session close. However, if the session is long-lived, an update message is sent every 5 minutes. The session-update-interval minutes is configurable as shown in this step.

  4. (Optional) For this example, generate the first message when the session starts.

    By default, the first message is generated after the first session update interval elapses. To generate the first message at a different time than this, use the first-update option (generate the first message at session start) or the first-update-interval minutes option (generate the first message after the specified minutes). For example, enter the following command to generate the first message one minute after session start.

    Note

    The first-update option and the first-update-interval minutes option are mutually exclusive. If you specify both, the first-update-interval value is ignored.

    Once the first message has been generated, an update message is generated each time the session update interval is reached.

Results

From configuration mode, confirm your configuration by entering the show security and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Use the JSA product on the remote logging device to view the AppTrack log messages.

To confirm that the configuration is working properly, you can also perform these tasks on the SRX Series device:

Reviewing AppTrack Statistics

Purpose

Review AppTrack statistics to view characteristics of the traffic being tracked.

Action

From operational mode, enter the show services application-identification statistics applications command.

Note

For more information on the show services application-identification statistics applications command, see show services application-identification statistics applications.

Verifying AppTrack Counter Values

Purpose

View the AppTrack counters periodically to monitor logging activity.

Action

From operational mode, enter the show security application-tracking counters command.

Verifying Security Flow Session Statistics

Purpose

Compare byte and packet counts in logged messages with the session statistics from the show security flow session command output.

Action

From operational mode, enter the show security flow session command.

Byte and packet totals in the session statistics should approximate the counts logged by AppTrack but might not be exactly the same. AppTrack counts only incoming bytes and packets. System-generated packets are not included in the total, and dropped packets are not deducted.

Verifying Application System Cache Statistics

Purpose

Compare cache statistics such as IP address, port, protocol, and service for an application from the show services application-identification application-system-cache command output.

Action

From operational mode, enter the show services application-identification application-system-cache command.

Verifying the Status of Application Identification Counter Values

Purpose

Compare session statistics for application identification counter values from the show services application-identification counter command output.

Action

From operational mode, enter the show services application-identification counter command.

Example: Configuring Application Tracking When SSL Proxy Is Enabled

This example describes how AppTrack supports AppID functionality when SSL proxy is enabled.

Requirements

Before you begin:

Overview

You can configure AppTrack either in the to or from zones. This example shows how to configure AppTrack in a to zone in a policy rule when SSL proxy is enabled.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

In this example, you configure application tracking and permit application services in an SSL proxy profile configuration.

  1. Configure application tracking in a to-zone (you can also configure using a from-zone).
  2. Configure SSL proxy profile.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Note

Verify that the configuration is working properly. Verification in AppTrack works similarly to verification in AppFW. See the verification section of Example: Configuring Application Firewall When SSL Proxy Is Enabled.

Disabling Application Tracking

Application tracking is enabled by default. You can disable application tracking without deleting the zone configuration.

To disable application tracking:

If application tracking has been previously disabled and you want to reenable it, delete the configuration statement that specifies disabling of application tracking:

If you are finished configuring the device, commit the configuration.

To verify the configuration, enter the show security application-tracking command.

Release History Table
Release
Description
Starting from Junos OS Release 18.2R1, AppTrack session close logs include new fields to record the packet bytes transmitted and received through the uplink interfaces.
Starting from Junos OS Release 18.2R1, new application tracking messages are added for AppQoE (application quality of experience).
Starting from Junos OS Release 17.4R1, AppTrack session create, session close, and volume update logs include the new fields category and subcategory
Starting in Junos OS Release 15.1X49-D170, AppTrack session create, session close, route update, and volume update logs are enhanced to include VRF-name for both Source-VRF and Destination-VRF.
Starting from Junos OS Release 15.1X49-D100, AppTrack session create, session close, and volume update logs include a new field called destination interface.
Starting from Junos OS Release 15.1X49-D100, a new AppTrack log for route update is added to include APBR profile, rule, and routing instance details.