Related Documentation
- SRX Series
- Example: Configuring Junos OS Application Identification Custom Application Definitions
- Understanding the Junos OS Application Identification Application Package
- Understanding Junos OS Application Identification Services
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Understanding Junos OS Application Identification Custom Application Definitions
Application identification supports user-defined custom application signatures, nested application signatures, and signature groups. Custom application signatures are unique to your environment and are not part of the predefined application package. When you update or uninstall the application package, the custom signatures and signature groups are not modified or removed.
Note: The uninstall operation will fail if any active security policies, custom application signatures, or signature groups reference predefined application signatures or signature groups in the Junos OS configuration.
To create custom application signatures, use the CLI to specify a name, the protocol and port where the application runs, the signature pattern, and match criteria. For ease of use, copy a similar predefined application signature or group, and modify the characteristics so that it identifies the unique application running in your environment.
You can view application signatures and application signature groups by using the show services application-identification application and show services application-identification group commands.
You can copy a predefined application signature or signature group to use as a model by entering the request services application-identification application copy or the request services application-identification group copy command. With this command, your copy is automatically named by replacing the “junos” prefix with the prefix “my”. (The “junos” prefix is reserved for predefined application signatures and groups.) You can copy the same predefined application signature and signature group only once. Duplicate custom signatures and groups are not allowed. Rename your custom application signature or signature group to a unique name appropriate to your environment.
Unlike predefined signatures and groups, custom application signatures and groups are saved in the configuration hierarchy, not in the predefined application signature database. Custom application signatures and signature groups are located in the [services application-identification] hierarchy. Custom application signatures for nested applications are located in the [services application-identification nested-application] hierarchy.
The ID and order fields from the predefined signature are cleared when copied. New entries are generated automatically when the signature or group configuration changes are committed.
This topic contains the following sections:
Custom Application Definitions
Table 1 lists and describes the attributes available for creating a custom application signature. The hierarchy level is [edit services application-identification application application-name].
Table 1: Custom Application Signature Attributes
| Attribute | Description |
|---|---|
| application-name | Name of the custom application signature or signature group. Must be a unique name with a maximum length of 32 characters. (Required) |
| Signature Attributes | |
| signature | Defines the application signature attributes for pattern matching. (Required) |
| client-to-server | Defines the attributes for traffic in the client-to-server direction. dfa-pattern: Specifies the pattern to be matched for the signature. Maximum length is 1023. (Optional) regex: Specifies a regular expression to be matched for client-to-server traffic. |
| insert-before | Locates a custom application signature before another named application signature in the order of pattern matching. When multiple patterns are matched for the same session, the lowest order number takes the highest priority. If no insert-before <signature name> is entered, the specified custom signature is inserted after all predefined signatures. Order values are internally generated every time a signature changes. Note: When multiple signatures are matched for the same session and the session destination port matches one of the signature's default ports, the “port” number will take precedence over the “insert-before” attribute as the higher priority. In addition, the following conditions apply to install and uninstall operations: See Table 2, which shows how using the insert-before attribute reorders signatures in the Junos OS configuration. |
| min-data | The minimum number of bytes or packets to which the dfa-pattern will be applied. Default is 10; range is 4 through 1024 (bytes). |
| port-range | Default ranges: TCP/0 through 65,535; UDP/0 through 65,535. (Optional) |
| server-to-client | Defines the attributes for traffic in the server-to-client direction. dfa-pattern: Specifies the pattern to be matched for the signature. Maximum length is 1023. (Optional) regex: Specifies a regular expression to be matched for server-to-client traffic. |
Table 2 shows how you can add a custom signature and reorder the list of signatures using the insert-before attribute.
Table 2: Reordering Signatures with the insert-before Attribute
| Signatures | Order |
|---|---|
| Predefined signature A | 1 |
| Predefined signature B | 2 |
| Predefined signature C | 3 |
| Insert custom signature A before predefined signature B: | |
| Predefined signature A | 1 |
| Custom signature A | 2 |
| Predefined signature B | 3 |
| Predefined signature C | 4 |
| Insert custom signature B before custom signature A: | |
| Predefined signature A | 1 |
| Custom signature B | 2 |
| Custom signature A | 3 |
| Predefined signature B | 4 |
| Predefined signature C | 5 |
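The ordering rules from Tables 1 and 2, as an added Python model (not Juniper code) that can be used to review a planned set of custom signatures before committing them. The signature names, the port 8080, and the function names are constructed for illustration, and the port-precedence rule in `winner` is an assumed reading of the note in Table 1.

```python
# Added illustration: a model of the limits and ordering rules in Tables 1 and 2.
# It is not Junos code; all signature names and ports are constructed.

def validate(name, min_data=10, dfa_patterns=()):
    """Check a custom signature against the limits stated in Table 1."""
    problems = []
    if len(name) > 32:
        problems.append("name longer than 32 characters")
    if name.startswith("junos"):
        problems.append('"junos" prefix is reserved for predefined signatures')
    if not 4 <= min_data <= 1024:
        problems.append("min-data outside 4 through 1024")
    if any(len(p) > 1023 for p in dfa_patterns):
        problems.append("dfa-pattern longer than 1023")
    return problems

def effective_order(predefined, customs):
    """Return {name: order}. customs is a list of (name, insert_before or None)."""
    order = list(predefined)
    for name, before in customs:
        if name in order:
            raise ValueError(f"duplicate signature name: {name}")
        if before is None:
            order.append(name)  # no insert-before: placed after all predefined
        elif before in order:
            order.insert(order.index(before), name)
        else:
            raise ValueError(f"insert-before target not found: {before}")
    return {name: pos for pos, name in enumerate(order, start=1)}

def winner(matched, order, default_ports, dest_port):
    """Pick the signature that wins when several match one session.

    Assumed reading of the Table 1 note: a signature whose default ports
    include the destination port outranks insert-before; otherwise the
    lowest order number wins.
    """
    return min(matched,
               key=lambda n: (dest_port not in default_ports.get(n, ()), order[n]))

PREDEFINED = ["junos:sig-a", "junos:sig-b", "junos:sig-c"]
ORDER = effective_order(PREDEFINED, [("my:custom-a", "junos:sig-b"),
                                     ("my:custom-b", "my:custom-a")])
PORTS = {"junos:sig-b": {8080}}  # constructed default port for sig-b

if __name__ == "__main__":
    for name, pos in sorted(ORDER.items(), key=lambda kv: kv[1]):
        print(pos, name)
    print(winner(["my:custom-a", "junos:sig-b"], ORDER, PORTS, 8080))
```

Under this model a custom signature placed ahead of a predefined one can still lose the match on that predefined signature's default port, which matters when a security policy is keyed to the custom application name.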
Custom Nested Application Definitions
Table 3 lists and describes the attributes available for creating a custom nested application signature. The hierarchy level is [edit services application-identification nested-application nested-application-name].
Table 3: Custom Nested Application Signature Attributes
| Attribute | Description |
|---|---|
| nested-application-name | Name of the custom nested application signature. Must be a unique name with a maximum length of 32 characters. (Required) |
| protocol | The protocol that will be monitored to identify nested applications. HTTP is supported. |
| Signature Attributes | |
| signature name | Name of the custom nested application signature. Must be a unique name with a maximum length of 32 characters. (Required) |
| chain-order | Signatures can contain multiple members. If chain-order is on, those members are read in order. The default for this option is no chain order. If a signature contains only one member, this option is ignored. |
| insert-before | Locates the custom application signature before another named application signature in the order of pattern matching. See Table 1 for a description of this attribute. |
| maximum-transactions | The maximum number of transactions that should occur before a match is made. |
| member name | Defines a member name for a custom nested application signature. Custom signatures can contain multiple members that define attributes for an application. (The member name range is m01 through m16.) |
| context | Defines a service-specific context, such as http-url. |
| direction | The connection direction of the packets to apply pattern matching. The options are any, client-to-server, or server-to-client. |
| pattern | Define the dfa pattern to match in the context. |