Configuring Application Protocol Properties
To configure application properties, include the application statement at the [edit applications] hierarchy level:
You can group application objects by configuring the application-set statement; for more information, see Configuring Application Sets.
This section includes the following tasks for configuring applications:
- Configuring an Application Protocol
- Configuring the Network Protocol
- Configuring the ICMP Code and Type
- Configuring Source and Destination Ports
- Configuring the Inactivity Timeout Period
- Configuring an SNMP Command for Packet Matching
- Configuring an RPC Program Number
- Configuring the TTL Threshold
- Configuring a Universal Unique Identifier
Configuring an Application Protocol
The application-protocol statement allows you to specify which of the supported application protocols (ALGs) to configure and include in an application set for service processing. To configure application protocols, include the application-protocol statement at the [edit applications application application-name] hierarchy level:
Table 1 shows the list of supported protocols. For more information about specific protocols, see ALG Descriptions.
Table 1: Application Protocols Supported by Services Interfaces
Protocol Name | CLI Value | Comments |
|---|---|---|
Distributed Computing Environment (DCE) remote procedure call (RPC) | dce-rpc | Requires the protocol statement to have the value udp or tcp. Requires a uuid value. You cannot specify destination-port or source-port values. |
DCE RPC portmap | dce-rpc-portmap | Requires the protocol statement to have the value udp or tcp. Requires a destination-port value. |
Domain Name System (DNS) | dns | Requires the protocol statement to have the value udp. This application protocol closes the DNS flow as soon as the DNS response is received. |
FTP | ftp | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value. |
PPTP | pptp | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value. |
RPC User Datagram Protocol (UDP) or TCP | rpc | Requires the protocol statement to have the value udp or tcp. Requires a rpc-program-number value. You cannot specify destination-port or source-port values. |
RPC port mapping | rpc-portmap | Requires the protocol statement to have the value udp or tcp. Requires a destination-port value. |
Real-Time Streaming Protocol (RTSP) | rtsp | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value. |
SQLNet | sqlnet | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port or source-port value. |
Talk | talk | Requires the protocol statement to have the value tcp or udp. Requires a destination-port value. |
UNIX Remote Shell | shell | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value. |
Configuring the Network Protocol
The protocol statement allows you to specify which of the supported network protocols to match in an application definition. To configure network protocols, include the protocol statement at the [edit applications application application-name] hierarchy level:
You specify the protocol type as a numeric value; for the more commonly used protocols, text names are also supported in the command-line interface (CLI). Table 2 shows the list of the supported protocols.
Table 2: Network Protocols Supported by Services Interfaces
Network Protocol Type | CLI Value | Comments |
|---|---|---|
IP Security (IPsec) authentication header (AH) | ah | – |
External Gateway Protocol (EGP) | egp | – |
IPsec Encapsulating Security Payload (ESP) | esp | – |
Generic routing encapsulation (GR) | gre | – |
ICMP | icmp | Requires an application-protocol value of icmp. |
Internet Group Management Protocol (IGMP) | igmp | – |
IP in IP | ipip | – |
OSPF | ospf | – |
Protocol Independent Multicast (PIM) | pim | – |
Resource Reservation Protocol (RSVP) | rsvp | – |
TCP | tcp | Requires a destination-port or source-port value unless you specify application-protocol rcp or dce-rcp. |
UDP | udp | Requires a destination-port or source-port value unless you specify application-protocol rcp or dce-rcp. |
Virtual Router Redundancy Protocol (VRRP) | vrrp | – |
For a complete list of possible numeric values, see RFC 1700, Assigned Numbers (for the Internet Protocol Suite).
 | Note: IP version 6 (IPv6) is not supported as a network protocol in application definitions. By default, the twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for twice NAT configurations. |
Configuring the ICMP Code and Type
The ICMP code and type provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ICMP settings, include the icmp-code and icmp-type statements at the [edit applications application application-name] hierarchy level:
You can include only one ICMP code and type value. The application-protocol statement must have the value icmp. Table 3 shows the list of supported ICMP values.
Table 3: ICMP Codes and Types Supported by Services Interfaces
CLI Statement | Description |
|---|---|
icmp-code | This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the
associated icmp-type value, you must specify icmp-type along with icmp-code. For more information, see the Junos OS Policy Framework Configuration Guide In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: parameter-problem: ip-header-bad (0), required-option-missing (1) redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2) time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0) unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5) |
icmp-type | Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being
used on the port. For more information, see the Junos OS Policy Framework Configuration Guide In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3). |
| Note: If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an ICMP error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction. Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service. |
Configuring Source and Destination Ports
The TCP or UDP source and destination port provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ports, include the destination-port and source-port statements at the [edit applications application application-name] hierarchy level:
You must define one source or destination port. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port; for constraints, see Table 1.
You can specify either a numeric value or one of the text synonyms listed in Table 4.
Table 4: Port Names Supported by Services Interfaces
Port Name | Corresponding Port Number |
|---|---|
afs | 1483 |
bgp | 179 |
biff | 512 |
bootpc | 68 |
bootps | 67 |
cmd | 514 |
cvspserver | 2401 |
dhcp | 67 |
domain | 53 |
eklogin | 2105 |
ekshell | 2106 |
exec | 512 |
finger | 79 |
ftp | 21 |
ftp-data | 20 |
http | 80 |
https | 443 |
ident | 113 |
imap | 143 |
kerberos-sec | 88 |
klogin | 543 |
kpasswd | 761 |
krb-prop | 754 |
krbupdate | 760 |
kshell | 544 |
ldap | 389 |
login | 513 |
mobileip-agent | 434 |
mobilip-mn | 435 |
msdp | 639 |
netbios-dgm | 138 |
netbios-ns | 137 |
netbios-ssn | 139 |
nfsd | 2049 |
nntp | 119 |
ntalk | 518 |
ntp | 123 |
pop3 | 110 |
pptp | 1723 |
printer | 515 |
radacct | 1813 |
radius | 1812 |
rip | 520 |
rkinit | 2108 |
smtp | 25 |
snmp | 161 |
snmptrap | 162 |
snpp | 444 |
socks | 1080 |
ssh | 22 |
sunrpc | 111 |
syslog | 514 |
tacacs-ds | 65 |
talk | 517 |
telnet | 23 |
tftp | 69 |
timed | 525 |
who | 513 |
xdmcp | 177 |
zephyr-clt | 2103 |
zephyr-hm | 2104 |
For more information about matching criteria, see the Junos OS Policy Framework Configuration Guide 
.
Configuring the Inactivity Timeout Period
You can specify a timeout period for application inactivity. If the software has not detected any activity during the duration, the flow becomes invalid when the timer expires. To configure a timeout period, include the inactivity-timeout statement at the [edit applications application application-name] hierarchy level:
The default value is 30 seconds. The value you configure for an application overrides any global value configured at the [edit interfaces interface-name service-options] hierarchy level.
Configuring an SNMP Command for Packet Matching
You can specify an SNMP command setting for packet matching. To configure SNMP, include the snmp-command statement at the [edit applications application application-name] hierarchy level:
The supported values are get, get-next, set, and trap. You can configure only one value for matching. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value snmp. For information about specifying the application protocol, see Configuring an Application Protocol.
Configuring an RPC Program Number
You can specify an RPC program number for packet matching. To configure an RPC program number, include the rpc-program-number statement at the [edit applications application application-name] hierarchy level:
The range of values used for DCE or RPC is from 100,000 through 400,000. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value rpc. For information about specifying the application protocol, see Configuring an Application Protocol.
Configuring the TTL Threshold
You can specify a trace route time-to-live (TTL) threshold value, which controls the acceptable level of network penetration for trace routing. To configure a TTL value, include the ttl-threshold statement at the [edit applications application application-name] hierarchy level:
The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value traceroute. For information about specifying the application protocol, see Configuring an Application Protocol.
Configuring a Universal Unique Identifier
You can specify a Universal Unique Identifier (UUID) for DCE RPC objects. To configure a UUID value, include the uuid statement at the [edit applications application application-name] hierarchy level:
The uuid value is in hexadecimal notation. The application-protocol statement at the [edit applications application application-name hierarchy level must have the value dce-rpc. For information about specifying the application protocol, see Configuring an Application Protocol. For more information on UUID numbers, see http://www.opengroup.org/onlinepubs/9629399/apdxa.htm.
