
    Configuring Application Protocol Conditions (SRC CLI)

    You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.

    Use the following configuration statements to add application protocol conditions to a classify-traffic condition:

    policies group name list name rule name traffic-condition name application-protocol-condition name {
      protocol protocol;
      application-protocol application-protocol;
      idle-timeout idle-timeout;
      dce-rpc-uuid dce-rpc-uuid;
      rpc-program-number rpc-program-number;
      snmp-command snmp-command;
      ttl-threshold ttl-threshold;
    }
    policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr {
      icmp-type icmp-type;
      icmp-code icmp-code;
    }
    policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr destination-port port {
      from-port from-port;
    }
    policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr source-port port {
      from-port from-port;
    }

    To add application protocol conditions to a classify-traffic condition:

    1. From configuration mode, enter the application protocol condition configuration. In this procedure, apc is the name of the application protocol condition. For example:
      user@host# edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc
    2. (Optional) Configure the network protocol to match.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# set protocol protocol
    3. (Optional) Configure the application protocol to match.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# set application-protocol application-protocol
    4. (Optional) Configure the length of time the application can be inactive before it times out.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# set idle-timeout idle-timeout
    5. (Optional) For the DCE RPC application protocol, configure the universally unique identifier (UUID).
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# set dce-rpc-uuid dce-rpc-uuid
    6. (Optional) For the remote procedure call (RPC) application protocol, configure an RPC program number.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# set rpc-program-number rpc-program-number
    7. (Optional) Configure the SNMP command for packet matching.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# set snmp-command snmp-command
    8. (Optional) For the traceroute application protocol, configure the traceroute time-to-live (TTL) threshold value. This value limits how far into the network traceroute packets are permitted to reach.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# set ttl-threshold ttl-threshold
    9. (Optional) Enter configuration mode for the protocol attribute.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# edit proto-attr
    10. (Optional) For the ICMP protocol, configure the ICMP packet type.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
      user@host# set icmp-type icmp-type
    11. (Optional) For the ICMP protocol, configure the ICMP code.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
      user@host# set icmp-code icmp-code
    12. (Optional) Enter the destination port configuration.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
      user@host# edit destination-port port
    13. (Optional) Configure the TCP or UDP destination port.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]
      user@host# set from-port from-port
    14. (Optional) Return to the protocol attribute level and enter the source port configuration.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]
      user@host# up
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
      user@host# edit source-port port
    15. (Optional) Configure the TCP or UDP source port, then return to the application protocol condition level.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]
      user@host# set from-port from-port
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]
      user@host# up
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
      user@host# up
    16. (Optional) Verify the application protocol condition configuration.
      [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
      user@host# show 
      protocol ip;
      application-protocol dce_rpc;
      idle-timeout 900;
      dce-rpc-uuid dce_rpc;
      snmp-command get;
      ttl-threshold 25;
      proto-attr {
        icmp-type icmpType;
        icmp-code icmpCode;
        destination-port {
          port {
            from-port 11..655;
          }
        }
        source-port {
          port {
            from-port service_port;
          }
        }
      }
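    The step 16 output is the hierarchical form of the flat set commands entered in steps 2 to 15. As an added example (not part of the Juniper documentation), the following Python script parses a trimmed copy of that show output, regenerates the equivalent set commands under the hierarchy names used on this page (junos, staticnat, nat, ctc, apc), and validates from-port values before they are committed; the brace-parsing rules and the port-range check are this example's own assumptions, not SRC software behaviour.

```python
# Constructed sample: the step 16 `show` output from the page, trimmed.
SHOW_OUTPUT = """
protocol ip;
application-protocol dce_rpc;
idle-timeout 900;
proto-attr {
  destination-port {
    port {
      from-port 11..655;
    }
  }
}
"""
BASE = ("policies group junos list staticnat rule nat "
        "traffic-condition ctc application-protocol-condition apc")  # page's names

def parse_show(text):
    """Parse brace-structured SRC CLI `show` output into nested dicts."""
    root = node = {}
    stack = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):              # open a child container
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":                   # return to the parent container
            node = stack.pop()
        else:                               # "key value;" leaf statement
            key, _, value = line.rstrip(";").partition(" ")
            node[key] = value
    return root

def to_set_commands(tree, prefix=BASE):
    """Flatten a parsed tree into the `set` commands of steps 2 to 15."""
    cmds = []
    for key, value in tree.items():
        if isinstance(value, dict):
            cmds += to_set_commands(value, f"{prefix} {key}")
        else:
            cmds.append(f"set {prefix} {key} {value}")
    return cmds

def check_port(value):
    """Validate from-port: a port, a low..high range, or a symbolic name."""
    if not value.replace("..", "").isdigit():
        return value                        # e.g. service_port, left to the CLI
    lo, _, hi = value.partition("..")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {value}")
    return lo, hi
```

Running to_set_commands(parse_show(SHOW_OUTPUT)) yields the four set commands, the last of which is the from-port statement at the proto-attr destination-port port level, exactly where step 13 enters it.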

    Published: 2014-12-10