Example: Configuring AppTrack
This example shows how to configure the AppTrack tracking tool so you can analyze the bandwidth usage of your network.
Requirements
Before you configure AppTrack, it is important that you understand conceptual information about AppTrack and Junos OS application identification. See Understanding AppTrack and Understanding Junos OS Application Identification Services.
Overview
Application identification is enabled by default and is automatically turned on when you configure the AppTrack, AppFW, or IDP service. The Security Threat Response Manager (STRM) retrieves the data and provides flow-based application visibility. STRM supports AppTrack Reporting and includes several predefined search templates and reports.
Configuration
This example shows how to enable application tracking for the security zone named trust. The first log message is to be generated when the session starts, and update messages should be sent every 4 minutes after that. A final message is sent at session end.
The example also shows how to configure the remote syslog device to receive AppTrack log messages. The source IP address that is used when exporting security logs is 5.0.0.254, and the security logs are sent to the host located at address 5.0.0.1.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Note: Changing the session-update-interval and the first-update-interval is not necessary in most situations. The commands are included in this example to demonstrate their use.
Note: On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if the syslog configuration does not specify a destination port, the default destination port will be the syslog port. If you specify a destination port in the syslog configuration, then that port will be used instead.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure AppTrack:
- Configure the remote syslog device to receive AppTrack messages.
    [edit]
    user@host# set security log format sd-syslog
    user@host# set security log stream stream-data host 5.0.0.1
    user@host# set security log source-address 5.0.0.254
- Enable AppTrack for the security zone.
    [edit security]
    user@host# set zones security-zone trust application-tracking
- (Optional) Generate update messages every 4 minutes.
    [edit security]
    user@host# set application-tracking session-update-interval 4
The default interval between messages is 5 minutes. If a session starts and ends within this update interval, AppTrack generates one message at session close. However, if the session is long-lived, an update message is sent every 5 minutes. The session-update-interval minutes is configurable as shown in this step.
- (Optional) Generate the first message when the session starts.
    [edit security]
    user@host# set application-tracking first-update
By default, the first message is generated after the first session update interval elapses. To generate the first message at a different time than this, use the first-update option (generate the first message at session start) or the first-update-interval minutes option (generate the first message after the specified minutes). For example, enter the following command to generate the first message one minute after session start.
    [edit security]
    user@host# set application-tracking first-update-interval 1
Note: The first-update option and the first-update-interval minutes option are mutually exclusive. If you specify both, the first-update-interval value is ignored.
Once the first message has been generated, an update message is generated each time the session update interval is reached.
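The timing rules in the steps above determine how many log messages each session sends to the syslog collector. The following Python model is an added example, not part of the original documentation or of Junos OS: the function and parameter names are hypothetical, the session lengths are constructed, and it assumes the update interval is counted from the previous message.

```python
# Added example: a model of the AppTrack message timing rules described above.
# Names are hypothetical; all times are minutes from session start.

def apptrack_message_times(duration, session_update_interval=5,
                           first_update=False, first_update_interval=None):
    """Return [(minute, kind), ...] for one session lasting `duration` minutes."""
    if first_update:
        # first-update wins: any first-update-interval value is ignored.
        first = 0
    elif first_update_interval is not None:
        first = first_update_interval
    else:
        # Default: first message after the first session update interval.
        first = session_update_interval
    events = []
    t = first
    while t < duration:
        events.append((t, "first" if t == first else "update"))
        # Assumption: the interval is counted from the previous message.
        t += session_update_interval
    # A message is always generated when the session closes.
    events.append((duration, "close"))
    return events


def log_volume(durations, **settings):
    """Total messages a collector receives for sessions of the given lengths."""
    return sum(len(apptrack_message_times(d, **settings)) for d in durations)


if __name__ == "__main__":
    # Constructed session lengths in minutes: short, medium and long-lived flows.
    sessions = [1, 3, 12, 45, 240]
    for label, cfg in [
        ("defaults", {}),
        ("this example", {"session_update_interval": 4, "first_update": True}),
    ]:
        print(label, log_volume(sessions, **cfg))
        print("  12-minute session:", apptrack_message_times(12, **cfg))
```

Comparing the two totals shows how much extra load the shorter interval and first-update option place on the remote logging device for the same traffic.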
Results
From configuration mode, confirm your configuration by entering the show security and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
If you are done configuring the device, enter commit from configuration mode.
Verification
Use the STRM product on the remote logging device to view the AppTrack log messages.
To confirm that the configuration is working properly, you can also perform these tasks on the SRX Series device:
- Reviewing AppTrack Statistics
- Verifying AppTrack Operation
- Verifying Security Flow Session Statistics
- Verifying Application System Cache Statistics
- Verifying the Status of Application Identification Counter Values
Reviewing AppTrack Statistics
Purpose
Review AppTrack statistics to view characteristics of the traffic being tracked.
Action
From operational mode, enter the show security application-tracking statistics applications command.
    Last Reset: 2012-02-14 21:23:45 UTC
    Application     Sessions     Bytes     Encrypted
    HTTP                   1      2291     Yes
    HTTP                   1       942     No
    SSL                    1      2291     Yes
    unknown                1       100     No
    unknown                1       100     Yes
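To turn this output into a bandwidth ranking, the rows can be aggregated per application. The following Python script is an added example, not part of the original documentation: it embeds the statistics output shown above as sample input, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the statistics output shown above, embedded so this runs offline.
SAMPLE = """\
Last Reset: 2012-02-14 21:23:45 UTC
Application   Sessions   Bytes   Encrypted
HTTP          1          2291    Yes
HTTP          1          942     No
SSL           1          2291    Yes
unknown       1          100     No
unknown       1          100     Yes
"""

# Data rows end in <sessions> <bytes> <Yes|No>; header lines do not match.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\d+)\s+(Yes|No)\s*$")


def parse_stats(text):
    """Return (application, sessions, bytes, encrypted) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4) == "Yes"))
    return rows


def summarize(rows):
    """Aggregate per application, ranked by bytes (largest first)."""
    apps = defaultdict(lambda: {"sessions": 0, "bytes": 0, "encrypted_bytes": 0})
    for app, sessions, nbytes, encrypted in rows:
        apps[app]["sessions"] += sessions
        apps[app]["bytes"] += nbytes
        if encrypted:
            apps[app]["encrypted_bytes"] += nbytes
    total = sum(a["bytes"] for a in apps.values())
    ranked = sorted(apps.items(), key=lambda kv: (-kv[1]["bytes"], kv[0]))
    return [(name, dict(a, share=round(100 * a["bytes"] / total, 1) if total else 0.0))
            for name, a in ranked]


if __name__ == "__main__":
    for name, a in summarize(parse_stats(SAMPLE)):
        flag = "  <- unclassified traffic" if name == "unknown" else ""
        print(f"{name:10} {a['sessions']:3} sessions {a['bytes']:6} bytes "
              f"{a['share']:5}% of total, {a['encrypted_bytes']} encrypted{flag}")
```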
Verifying AppTrack Operation
Purpose
View the AppTrack counters periodically to monitor logging activity.
Action
From operational mode, enter the show application-tracking counters command.
    AVT counters:                     Value
      Session create messages             1
      Session close messages              1
      Session volume updates              0
      Failed messages                     0
Verifying Security Flow Session Statistics
Purpose
Compare byte and packet counts in logged messages with the session statistics from the show security flow session command output.
Action
From operational mode, enter the show security flow session command.
    Flow Sessions on FPC6 PIC0:
    Session ID: 120000044, Policy name: policy-in-out/4, Timeout: 1796, Valid
      In: 4.0.0.1/39075 --> 5.0.0.1/21;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 1032
      Out: 5.0.0.1/21 --> 4.0.0.1/39075;tcp, If: ge-0/0/1.0, Pkts: 24, Bytes: 1442

    Valid sessions: 1
    Pending sessions: 0
    Invalidated sessions: 0
    Sessions in other states: 0
    Total sessions: 1
Byte and packet totals in the session statistics should approximate the counts logged by AppTrack but might not be exactly the same. AppTrack counts only incoming bytes and packets. System-generated packets are not included in the total, and dropped packets are not deducted.
Verifying Application System Cache Statistics
Purpose
Compare cache statistics such as IP address, port, protocol, and service for an application from the show services application-identification application-system-cache command output.
Action
From operational mode, enter the show services application-identification application-system-cache command.
Verifying the Status of Application Identification Counter Values
Purpose
Compare session statistics for application identification counter values from the show services application-identification counter command output.
Action
From operational mode, enter the show services application-identification counter command.

