Configuring Application Protocol Conditions
You can define application
protocols for the stateful firewall and NAT services to use in match
condition rules. An application protocol defines application parameters
by using information from network layer 3 and above. Examples of such
applications are FTP and H.323.
Use the following configuration statements to add application protocol conditions to a classify-traffic condition:

```
policies group name list name rule name traffic-condition name application-protocol-condition name {
    protocol protocol;
    application-protocol application-protocol;
    idle-timeout idle-timeout;
    dce-rpc-uuid dce-rpc-uuid;
    rpc-program-number rpc-program-number;
    snmp-command snmp-command;
    ttl-threshold ttl-threshold;
}
policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr {
    icmp-type icmp-type;
    icmp-code icmp-code;
}
policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr destination-port port {
    from-port from-port;
}
policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr source-port port {
    from-port from-port;
}
```
To add application protocol conditions to a classify-traffic condition:

1. From configuration mode, enter the application protocol configuration. In this procedure, apc is the name of the application protocol condition. For example:

    ```
    user@host# edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc
    ```

2. (Optional) Configure the network protocol to match.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# set protocol protocol
    ```

3. (Optional) Configure the application protocol to match.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# set application-protocol application-protocol
    ```

4. (Optional) Configure the length of time the application is inactive before it times out.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# set idle-timeout idle-timeout
    ```

5. (Optional) For the DCE RPC application protocol, configure the universally unique identifier (UUID).

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# set dce-rpc-uuid dce-rpc-uuid
    ```

6. (Optional) For the remote procedure call (RPC) application protocol, configure an RPC program number.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# set rpc-program-number rpc-program-number
    ```

7. (Optional) Configure the SNMP command for packet matching.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# set snmp-command snmp-command
    ```

8. (Optional) For the traceroute application protocol, configure the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# set ttl-threshold ttl-threshold
    ```

9. (Optional) Enter configuration mode for the protocol attribute.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# edit proto-attr
    ```

10. (Optional) For the ICMP protocol, configure the ICMP packet type.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
    user@host# set icmp-type icmp-type
    ```

11. (Optional) For the ICMP protocol, configure the ICMP code.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
    user@host# set icmp-code icmp-code
    ```

12. (Optional) Enter the destination port configuration.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
    user@host# edit destination-port port
    ```

13. (Optional) Configure the TCP or UDP destination port.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]
    user@host# set from-port from-port
    ```

14. (Optional) Enter the source port configuration.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]
    user@host# up
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
    user@host# edit source-port port
    ```

15. (Optional) Configure the TCP or UDP source port.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]
    user@host# set from-port from-port
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]
    user@host# up
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
    user@host# up
    ```

16. (Optional) Verify the application protocol condition configuration.

    ```
    [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
    user@host# show
    protocol ip;
    application-protocol dce_rpc;
    idle-timeout 900;
    dce-rpc-uuid dce_rpc;
    snmp-command get;
    ttl-threshold 25;
    proto-attr {
        icmp-type icmpType;
        icmp-code icmpCode;
        destination-port {
            port {
                from-port 11..655;
            }
        }
        source-port {
            port {
                from-port service_port;
            }
        }
    }
    ```
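As an added example (not from the SRC documentation), the following Python script parses the brace-style `show` output of an application protocol condition into nested dicts and audits the numeric fields, so a saved configuration can be checked offline before it is committed. The sample is constructed from the page's own `show` listing; the 16-bit port bound and the 255 TTL ceiling are the editor's assumptions about sane values, not limits the page states.

```python
# Added example (not from the SRC documentation): parse the Junos-style
# `show` output of an application-protocol-condition and audit its fields.
import re

# Constructed sample from the page's own `show` listing; the parser ignores
# layout, so the statements are packed onto a few lines.
SAMPLE = """protocol ip; application-protocol dce_rpc; idle-timeout 900;
ttl-threshold 25;
proto-attr { icmp-type icmpType; icmp-code icmpCode;
  destination-port { port { from-port 11..655; } }
  source-port { port { from-port service_port; } } }"""

def parse_config(text):
    """Turn 'key value;' and 'name { ... }' statements into nested dicts."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                      # open a nested block named by words
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":                    # terminate a leaf statement
            stack[-1][words[0]] = " ".join(words[1:])
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def port_range_ok(value):
    """'low..high' must be ordered 16-bit ports; a symbolic name such as
    service_port is a reference and is left unchecked (assumption)."""
    low, sep, high = value.partition("..")
    if not sep:
        return True
    return low.isdigit() and high.isdigit() and int(low) <= int(high) <= 65535

def audit(cfg):
    """Return a list of findings; empty means the numeric fields look sane."""
    findings = []
    ttl = cfg.get("ttl-threshold")
    if ttl is not None and not (ttl.isdigit() and int(ttl) <= 255):
        findings.append("ttl-threshold outside the IPv4 TTL range 0..255")
    pa = cfg.get("proto-attr", {})
    for side in ("destination-port", "source-port"):
        fp = pa.get(side, {}).get("port", {}).get("from-port")
        if fp is not None and not port_range_ok(fp):
            findings.append(f"{side} from-port {fp} is not a valid range")
    return findings
```

Run `audit(parse_config(SAMPLE))` to check the page's sample, which yields no findings; feed it the `show` output of your own condition to catch an inverted port range or an out-of-range TTL before commit.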