Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring Application Properties

 

To configure application properties, include the application statement at the [edit applications] hierarchy level:

You can group application objects by configuring the application-set statement; for more information, see Configuring Application Sets.

This section includes the following tasks for configuring applications:

Configuring an Application Protocol

The application-protocol statement allows you to specify which of the supported application protocols (ALGs) to configure and include in an application set for service processing. To configure application protocols, include the application-protocol statement at the [edit applications application application-name] hierarchy level:

Table 1 shows the list of supported protocols. For more information about specific protocols, see ALG Descriptions.

Table 1: Application Protocols Supported by Services Interfaces

Protocol Name

CLI Value

Comments

Bootstrap protocol (BOOTP)

bootp

Supports BOOTP and dynamic host configuration protocol (DHCP).

Distributed Computing Environment (DCE) remote procedure call (RPC)

dce-rpc

Requires the protocol statement to have the value udp or tcp. Requires a uuid value. You cannot specify destination-port or source-port values.

DCE RPC portmap

dce-rpc-portmap

Requires the protocol statement to have the value udp or tcp. Requires a destination-port value.

Domain Name System (DNS)

dns

Requires the protocol statement to have the value udp. This application protocol closes the DNS flow as soon as the DNS response is received.

Exec

exec

Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.

FTP

ftp

Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.

H.323

h323

IKE ALG

ike-esp-nat

Requires the protocol statement to have the value udp and requires the destination-port value to be 500.

Internet Control Message Protocol (ICMP)

icmp

Requires the protocol statement to have the value icmp or to be unspecified.

Internet Inter-ORB Protocol

iiop

IP

ip

Login

login

NetBIOS

netbios

Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.

NetShow

netshow

Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.

Point-to-Point Tunneling Protocol

pptp

RealAudio

realaudio

Real-Time Streaming Protocol (RTSP)

rtsp

Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.

RPC User Datagram Protocol (UDP) or TCP

rpc

Requires the protocol statement to have the value udp or tcp. Requires a rpc-program-number value. You cannot specify destination-port or source-port values.

RPC port mapping

rpc-portmap

Requires the protocol statement to have the value udp or tcp. Requires a destination-port value.

Shell

shell

Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.

Session Initiation Protocol

sip

SNMP

snmp

Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.

SQLNet

sqlnet

Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port or source-port value.

Talk Program

talk

Trace route

traceroute

Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.

Trivial FTP (TFTP)

tftp

Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.

WinFrame

winframe

Note

You can configure application-level gateways (ALGs) for ICMP and trace route under stateful firewall, NAT, or CoS rules when twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Controller Protocol (PGCP). Twice NAT does not support any other ALGs. NAT applies only the IP address and TCP or UDP headers, but not the payload.

For more information about configuring twice NAT, see Junos Address Aware Network Addressing Overview.

Configuring the Network Protocol

The protocol statement allows you to specify which of the supported network protocols to match in an application definition. To configure network protocols, include the protocol statement at the [edit applications application application-name] hierarchy level:

You specify the protocol type as a numeric value; for the more commonly used protocols, text names are also supported in the command-line interface (CLI). Table 2 shows the list of the supported protocols.

Table 2: Network Protocols Supported by Services Interfaces

Network Protocol Type

CLI Value

Comments

IP Security (IPsec) authentication header (AH)

ah

External Gateway Protocol (EGP)

egp

IPsec Encapsulating Security Payload (ESP)

esp

Generic routing encapsulation (GR)

gre

ICMP

icmp

Requires an application-protocol value of icmp.

ICMPv6

icmp6

Requires an application-protocol value of icmp.

Internet Group Management Protocol (IGMP)

igmp

IP in IP

ipip

OSPF

ospf

Protocol Independent Multicast (PIM)

pim

Resource Reservation Protocol (RSVP)

rsvp

TCP

tcp

Requires a destination-port or source-port value unless you specify application-protocol rcp or dce-rcp.

UDP

udp

Requires a destination-port or source-port value unless you specify application-protocol rcp or dce-rcp.

For a complete list of possible numeric values, see RFC 1700, Assigned Numbers (for the Internet Protocol Suite).

Note

IP version 6 (IPv6) is not supported as a network protocol in application definitions.

By default, the twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for twice NAT configurations. For more information about configuring twice NAT, see Junos Address Aware Network Addressing Overview.

Configuring the ICMP Code and Type

The ICMP code and type provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ICMP settings, include the icmp-code and icmp-type statements at the [edit applications application application-name] hierarchy level:

You can include only one ICMP code and type value. The application-protocol statement must have the value icmp. Table 3 shows the list of supported ICMP values.

Table 3: ICMP Codes and Types Supported by Services Interfaces

CLI Statement

Description

icmp-code

This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type value, you must specify icmp-type along with icmp-code. For more information, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

parameter-problem: ip-header-bad (0), required-option-missing (1)

redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

icmp-type

Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

Note

If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an ICMP error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction.

Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service.

Configuring Source and Destination Ports

The TCP or UDP source and destination port provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ports, include the destination-port and source-port statements at the [edit applications application application-name] hierarchy level:

You must define one source or destination port. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port; for constraints, see Table 1.

You can specify either a numeric value or one of the text synonyms listed in Table 4.

Table 4: Port Names Supported by Services Interfaces

Port Name

Corresponding Port Number

afs

1483

bgp

179

biff

512

bootpc

68

bootps

67

cmd

514

cvspserver

2401

dhcp

67

domain

53

eklogin

2105

ekshell

2106

exec

512

finger

79

ftp

21

ftp-data

20

http

80

https

443

ident

113

imap

143

kerberos-sec

88

klogin

543

kpasswd

761

krb-prop

754

krbupdate

760

kshell

544

ldap

389

login

513

mobileip-agent

434

mobilip-mn

435

msdp

639

netbios-dgm

138

netbios-ns

137

netbios-ssn

139

nfsd

2049

nntp

119

ntalk

518

ntp

123

pop3

110

pptp

1723

printer

515

radacct

1813

radius

1812

rip

520

rkinit

2108

smtp

25

snmp

161

snmptrap

162

snpp

444

socks

1080

ssh

22

sunrpc

111

syslog

514

tacacs-ds

65

talk

517

telnet

23

tftp

69

timed

525

who

513

xdmcp

177

zephyr-clt

2103

zephyr-hm

2104

For more information about matching criteria, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

Configuring the Inactivity Timeout Period

You can specify a timeout period for application inactivity. If the software has not detected any activity during the duration, the flow becomes invalid when the timer expires. To configure a timeout period, include the inactivity-timeout statement at the [edit applications application application-name] hierarchy level:

The default value is 14,400 seconds. The value you configure for an application overrides any global value configured at the [edit interfaces interface-name service-options] hierarchy level; for more information, see Configuring Default Timeout Settings for Services Interfaces.

Configuring an IKE ALG Application

Before Junos OS Release 17.4R1, Network Address Translation-Traversal (NAT-T) is not supported for the Junos VPN Site Secure suite of IPsec features on the MX Series routers. The IKE ALG enables the passing of IKEv1 and IPsec packets through NAPT-44 and NAT64 filters between IPsec peers that are not NAT-T compliant. This ALG supports only ESP tunnel mode. You can use the predefined IKE ALG application junos-ike, which has predefined values for the destination port (500), inactivity timeout (14,400 seconds), gate timeout (120 seconds), and ESP session idle timeout (800 seconds). If you want to use the IKE ALG with values different from the predefined junos-ike application, you need to configure a new IKE ALG application.

To configure an IKE ALG application:

  1. Specify a name for the application.
  2. Specify the IKE ALG.
  3. Specify the UDP protocol.
  4. Specify 500 for the destination port.
  5. Specify the number of seconds that the IKE session is inactive before it is deleted. The default is 14,400 seconds.
  6. Specify the number of seconds that can pass after IKE establishes the security association between the IPsec client and server and before the ESP traffic starts in both directions. If the ESP traffic has not started before this timeout value, the ESP gates are deleted and the ESP traffic is blocked. The default is 120 seconds.
  7. Specify the ESP session (IPsec data traffic) idle timeout in seconds. If no IPsec data traffic is passed on the ESP session in this time, the session is deleted. The default is 800 seconds.

Configuring SIP

The Session Initiation Protocol (SIP) is a generalized protocol for communication between endpoints involved in Internet services such as telephony, fax, video conferencing, instant messaging, and file exchange.

The Junos OS provides ALG services in accordance with the standard described in RFC 3261, SIP: Session Initiation Protocol. SIP flows under the Junos OS are as described in RFC 3665, Session Initiation Protocol (SIP) Basic Call Flow Examples.

Note

Before implementing the Junos OS SIP ALG, you should be familiar with certain limitations, discussed in Junos OS SIP ALG Limitations

The use of NAT in conjunction with the SIP ALG results in changes in SIP header fields due to address translation. For an explanation of these translations, refer to SIP ALG Interaction with Network Address Translation.

To implement SIP on adaptive services interfaces, you configure the application-protocol statement at the [edit applications application application-name] hierarchy level with the value sip. For more information about this statement, see Configuring an Application Protocol. In addition, there are two other statements you can configure to modify how SIP is implemented:

  • You can enable the router to accept any incoming SIP calls for the endpoint devices that are behind the NAT firewall. When a device behind the firewall registers with the proxy that is outside the firewall, the AS or Multiservices PIC maintains the registration state. When the learn-sip-register statement is enabled, the router can use this information to accept inbound calls. If this statement is not configured, no inbound calls are accepted; only the devices behind the firewall can call devices outside the firewall.

    To configure SIP registration, include the learn-sip-register statement at the [edit applications application application-name] hierarchy level:

    Note

    The learn-sip-register statement is not applicable to the Next Gen Services MX-SPC3.

    You can also manually inspect the SIP register by issuing the show services stateful-firewall sip-register command; for more information, see the Junos OS System Basics and Services Command Reference. The show services stateful-firewall sip-register command is not supported for Next Gen Services.

  • You can specify a timeout period for the duration of SIP calls that are placed on hold. When a call is put on hold, there is no activity and flows might time out after the configured inactivity-timeout period expires, resulting in call state teardown. To avoid this, when a call is put on hold, the flow timer is reset to the sip-call-hold-timeout cycle to preserve the call state and flows for longer than the inactivity-timeout period.

    Note

    The sip-call-hold-timeout statement is not applicable to the Next Gen Services MX-SPC3.

    To configure a timeout period, include the sip-call-hold-timeout statement at the [edit applications application application-name] hierarchy level:

    The default value is 7200 seconds and the range is from 0 through 36,000 seconds (10 hours).

SIP ALG Interaction with Network Address Translation

The Network Address Translation (NAT) protocol enables multiple hosts in a private subnet to share a single public IP address to access the Internet. For outgoing traffic, NAT replaces the private IP address of the host in the private subnet with the public IP address. For incoming traffic, the public IP address is converted back into the private address, and the message is routed to the appropriate host in the private subnet.

Using NAT with the Session Initiation Protocol (SIP) service is more complicated because SIP messages contain IP addresses in the SIP headers as well as in the SIP body. When using NAT with the SIP service, the SIP headers contain information about the caller and the receiver, and the device translates this information to hide it from the outside network. The SIP body contains the Session Description Protocol (SDP) information, which includes IP addresses and port numbers for transmission of the media. The device translates SDP information for allocating resources to send and receive the media.

How IP addresses and port numbers in SIP messages are replaced depends on the direction of the message. For an outgoing message, the private IP address and port number of the client are replaced with the public IP address and port number of the Juniper Networks firewall. For an incoming message, the public address of the firewall is replaced with the private address of the client.

When an INVITE message is sent out across the firewall, the SIP Application Layer Gateway (ALG) collects information from the message header into a call table, which it uses to forward subsequent messages to the correct endpoint. When a new message arrives, for example an ACK or 200 OK, the ALG compares the “From:, To:, and Call-ID:” fields against the call table to identify the call context of the message. If a new INVITE message arrives that matches the existing call, the ALG processes it as a REINVITE.

When a message containing SDP information arrives, the ALG allocates ports and creates a NAT mapping between them and the ports in the SDP. Because the SDP requires sequential ports for the Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) channels, the ALG provides consecutive even-odd ports. If it is unable to find a pair of ports, it discards the SIP message.

This topic contains the following sections:

Outgoing Calls

When a SIP call is initiated with a SIP request message from the internal to the external network, NAT replaces the IP addresses and port numbers in the SDP and binds the IP addresses and port numbers to the Juniper Networks firewall. Via, Contact, Route, and Record-Route SIP header fields, if present, are also bound to the firewall IP address. The ALG stores these mappings for use in retransmissions and for SIP response messages.

The SIP ALG then opens pinholes in the firewall to allow media through the device on the dynamically assigned ports negotiated based on information in the SDP and the Via, Contact, and Record-Route header fields. The pinholes also allow incoming packets to reach the Contact, Via, and Record-Route IP addresses and ports. When processing return traffic, the ALG inserts the original Contact, Via, Route, and Record-Route SIP fields back into packets.

Incoming Calls

Incoming calls are initiated from the public network to public static NAT addresses or to interface IP addresses on the device. Static NATs are statically configured IP addresses that point to internal hosts; interface IP addresses are dynamically recorded by the ALG as it monitors REGISTER messages sent by internal hosts to the SIP registrar. When the device receives an incoming SIP packet, it sets up a session and forwards the payload of the packet to the SIP ALG.

The ALG examines the SIP request message (initially an INVITE) and, based on information in the SDP, opens gates for outgoing media. When a 200 OK response message arrives, the SIP ALG performs NAT on the IP addresses and ports and opens pinholes in the outbound direction. (The opened gates have a short time-to-live, and they time out if a 200 OK response message is not received quickly.)

When a 200 OK response arrives, the SIP proxy examines the SDP information and reads the IP addresses and port numbers for each media session. The SIP ALG on the device performs NAT on the addresses and port numbers, opens pinholes for outbound traffic, and refreshes the timeout for gates in the inbound direction.

When the ACK arrives for the 200 OK, it also passes through the SIP ALG. If the message contains SDP information, the SIP ALG ensures that the IP addresses and port numbers are not changed from the previous INVITE—if they are, the ALG deletes old pinholes and creates new pinholes to allow media to pass through. The ALG also monitors the Via, Contact, and Record-Route SIP fields and opens new pinholes if it determines that these fields have changed.

Forwarded Calls

A forwarded call is when, for example, user A outside the network calls user B inside the network, and user B forwards the call to user C outside the network. The SIP ALG processes the INVITE from user A as a normal incoming call. But when the ALG examines the forwarded call from B to C outside the network and notices that B and C are reached using the same interface, it does not open pinholes in the firewall, because media will flow directly between user A and user C.

Call Termination

The BYE message terminates a call. When the device receives a BYE message, it translates the header fields just as it does for any other message. But because a BYE message must be acknowledged by the receiver with a 200 OK, the ALG delays call teardown for five seconds to allow time for transmission of the 200 OK.

Call Re-INVITE Messages

Re-INVITE messages add new media sessions to a call and remove existing media sessions. When new media sessions are added to a call, new pinholes are opened in the firewall and new address bindings are created. The process is identical to the original call setup. When one or more media sessions are removed from a call, pinholes are closed and bindings released just as with a BYE message.

Call Session Timers

The SIP ALG uses the Session-Expires value to time out a session if a Re-INVITE or UPDATE message is not received. The ALG gets the Session-Expires value, if present, from the 200 OK response to the INVITE and uses this value for signaling timeout. If the ALG receives another INVITE before the session times out, it resets all timeout values to this new INVITE or to default values, and the process is repeated.

As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist. This ensures that the device is protected should one of the following events occur:

  • End systems crash during a call and a BYE message is not received.

  • Malicious users never send a BYE in an attempt to attack a SIP ALG.

  • Poor implementations of SIP proxy fail to process Record-Route and never send a BYE message.

  • Network failures prevent a BYE message from being received.

Call Cancellation

Either party can cancel a call by sending a CANCEL message. Upon receiving a CANCEL message, the SIP ALG closes pinholes through the firewall—if any have been opened—and releases address bindings. Before releasing the resources, the ALG delays the control channel age-out for approximately five seconds to allow time for the final 200 OK to pass through. The call is terminated when the five second timeout expires, regardless of whether a 487 or non-200 response arrives.

Forking

Forking enables a SIP proxy to send a single INVITE message to multiple destinations simultaneously. When the multiple 200 OK response messages arrive for the single call, the SIP ALG parses but updates call information with the first 200 OK messages it receives.

SIP Messages

The SIP message format consists of a SIP header section and the SIP body. In request messages, the first line of the header section is the request line, which includes the method type, request-URI, and protocol version. In response messages, the first line is the status line, which contains a status code. SIP headers contain IP addresses and port numbers used for signaling. The SIP body, separated from the header section by a blank line, is reserved for session description information, which is optional. Junos OS currently supports the SDP only. The SIP body contains IP addresses and port numbers used to transport the media.

SIP Headers

In the following sample SIP request message, NAT replaces the IP addresses in the header fields to hide them from the outside network.

How IP address translation is performed depends on the type and direction of the message. A message can be any of the following:

  • Inbound request

  • Outbound response

  • Outbound request

  • Inbound response

Table 5 shows how NAT is performed in each of these cases. Note that for several of the header fields the ALG determine more than just whether the messages comes from inside or outside the network. It must also determine what client initiated the call, and whether the message is a request or response.

Table 5: Requesting Messages with NAT Table

Inbound Request

(from public to private)

To:

Replace domain with local address

From:

None

Call-ID:

None

Via:

None

Request-URI:

Replace ALG address with local address

Contact:

None

Record-Route:

None

Route:

None

Outbound Response

(from private to public)

To:

Replace ALG address with local address

From:

None

Call-ID:

None

Via:

None

Request-URI:

N/A

Contact:

Replace local address with ALG address

Record-Route:

Replace local address with ALG address

Route:

None

Outbound Request

(from private to public)

To:

None

From:

Replace local address with ALG address

Call-ID:

None

Via:

Replace local address with ALG address

Request-URI:

None

Contact:

Replace local address with ALG address

Record-Route:

Replace local address with ALG address

Route:

Replace ALG address with local address

Outbound Response

(from public to private)

To:

None

From:

Replace ALG address with local address

Call-ID:

None

Via:

Replace ALG address with local address

Request-URI:

N/A

Contact:

None

Record-Route:

Replace ALG address with local address

Route:

Replace ALG address with local address

SIP Body

The SDP information in the SIP body includes IP addresses the ALG uses to create channels for the media stream. Translation of the SDP section also allocates resources, that is, port numbers to send and receive the media.

The following excerpt from a sample SDP section shows the fields that are translated for resource allocation.

SIP messages can contain more than one media stream. The concept is similar to attaching multiple files to an e-mail message. For example, an INVITE message sent from a SIP client to a SIP server might have the following fields:

Junos OS supports up to 6 SDP channels negotiated for each direction, for a total of 12 channels per call.

Junos OS SIP ALG Limitations

The following limitations apply to configuration of the SIP ALG:

  • Only the methods described in RFC 3261 are supported.

  • Only SIP version 2 is supported.

  • TCP is not supported as a transport mechanism for signaling messages for MS-MPCs but is supported for Next Gen Services.

  • Do not configure the SIP ALG when using STUN. if clients use STUN/TURN to detect the firewall or NAT devices between the caller and responder or proxy, the client attempts to best-guess the NAT device behavior and act accordingly to place the call.

  • On MS-MPCs, do not use the endpoint-independent mapping NAT pool option in conjunction with the SIP ALG. Errors will result. This does not apply to Next Gen Services.

  • IPv6 signaling data is not supported for MS-MPCs but is supported for Next Gen Services.

  • Authentication is not supported.

  • Encrypted messages are not supported.

  • SIP fragmentation is not supported for MS-MPCs but is supported for Next Gen Services.

  • The maximum UDP packet size containing a SIP message is assumed to be 9 KB. SIP messages larger than this are not supported.

  • The maximum number of media channels in a SIP message is assumed to be six.

  • Fully qualified domain names (FQDNs) are not supported in critical fields.

  • QoS is not supported. SIP supports DSCP rewrites.

  • High availability is not supported, except for warm standby.

  • A timeout setting of never is not supported on SIP or NAT.

  • Multicast (forking proxy) is not supported.

Configuring an SNMP Command for Packet Matching

You can specify an SNMP command setting for packet matching. To configure SNMP, include the snmp-command statement at the [edit applications application application-name] hierarchy level:

The supported values are get, get-next, set, and trap. You can configure only one value for matching. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value snmp. For information about specifying the application protocol, see Configuring an Application Protocol.

Configuring an RPC Program Number

You can specify an RPC program number for packet matching. To configure an RPC program number, include the rpc-program-number statement at the [edit applications application application-name] hierarchy level:

The range of values used for DCE or RPC is from 100,000 through 400,000. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value rpc. For information about specifying the application protocol, see Configuring an Application Protocol.

Configuring the TTL Threshold

You can specify a trace route time-to-live (TTL) threshold value, which controls the acceptable level of network penetration for trace routing. To configure a TTL value, include the ttl-threshold statement at the [edit applications application application-name] hierarchy level:

The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value traceroute. For information about specifying the application protocol, see Configuring an Application Protocol.

Configuring a Universal Unique Identifier

You can specify a Universal Unique Identifier (UUID) for DCE RPC objects. To configure a UUID value, include the uuid statement at the [edit applications application application-name] hierarchy level:

The uuid value is in hexadecimal notation. The application-protocol statement at the [edit applications application application-name hierarchy level must have the value dce-rpc. For information about specifying the application protocol, see Configuring an Application Protocol. For more information on UUID numbers, see http://www.opengroup.org/onlinepubs/9629399/apdxa.htm.