Adding Application Signatures

You can add custom application signatures for applications that are not part of the Juniper Networks predefined application database. When you add custom application signatures, give each one a unique and relevant name so that it can be told apart from the predefined signatures and from other custom signatures.

You can add custom application signatures by specifying a name, protocol, port number where the application runs, and match criteria.

To create a custom application signature:

  1. Select Configuration > Shared Objects > Application Signatures.
  2. Click Create > Signature.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.

A new application signature with your configurations is created. You use this application signature while creating SD-WAN policy and firewall policy intents.

Table 1 provides guidelines on using the fields on the Create Application Signature page.

Table 1: Fields on the Create Application Signature Page

Field

Description

Name

Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

Description

Enter a description for the application signature.

Signature Order and Priority

Order

Enter the order for the custom application signature. A lower order value has higher priority. This option is used when multiple custom application signatures of the same type match the same traffic. However, you cannot use this option to prioritize among different types of applications, such as TCP stream-based applications against TCP port-based applications, or IP address-based applications against port-based applications.

Range is 1-50000.

Priority

Specify the application signature priority (high or low) over other application signatures.

Signature Classification

Category

Enter the category of the application signature. For example, Messaging, Web, Infrastructure, Remote-Access, Multimedia, and so on.

Sub Category

Enter the subcategory of the application signature. For example, Wiki, File-Sharing, Multimedia, Social-Networking, News, and so on.

Risk

Select the level of risk associated with the application signature. For example, low, moderate, high, critical, unsafe, and so on.

Characteristics

Enter one or more characteristics of the application signature. For example, supports file transfer, loss of productivity, and so on.

Application Criteria

Enable one or more application matching criteria:

  • ICMP Mapping

  • IP Protocol Mapping

  • Address Mapping

  • L7 Signature

ICMP Mapping

Click the toggle button to specify the Internet Control Message Protocol (ICMP) value for an application while configuring custom application signatures for application identification.

The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. The ICMP type and code provide additional specification for packet matching in an application definition.

ICMP Type

Enter an ICMP value for the application. The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name.

Range is 0-254.

ICMP Code

Enter an ICMP code for the application. The code further qualifies the ICMP type, as specified in the relevant RFCs.

Range is 0-254.

IP Protocol Mapping

Click the toggle button to specify the IP protocol value for an application. This parameter identifies an application based on its IP protocol value and is intended only for IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers.

IP Protocol

Enter an IP Protocol number for the application. Standard IP protocol numbers map an application to IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers.

Range is 0-254.

You can find a complete list of industry standard protocol numbers at the IANA website.

Note:

You cannot use IP protocol numbers 1 (ICMP), 6 (TCP), and 17 (UDP) for custom application signature creation. Instead, we recommend that you use L7 signature policies for these protocols.

Address Mapping

Click the toggle button to specify address mapping information. Layer 3 and Layer 4 address mapping defines an application by matching the destination IP address or port range (optional) of the traffic. Use the address mapping option to configure custom application signatures when the configuration of your private network makes application traffic to or from trusted servers predictable.

Address mapping provides efficiency and accuracy while handling traffic from a known application. For more information, see Table 2.

Note:
  • You must specify either an IP address or a TCP/UDP port range for address mapping.

  • If both an IP address and TCP/UDP ports are configured, both must match the destination tuple (IP address and port) of the packet.

L7 Signature

Click the toggle button to configure Layer 7-based custom application signatures. You create Layer 7-based custom application signatures to identify multiple applications running on the same L7 protocol. For example, applications such as Facebook and Yahoo Messenger can both run over HTTP, but there is a need to identify them as two different applications running on the same Layer 7 protocol. For more information, see Table 3.

Cacheable

Click the toggle button to enable caching of application identification results on the device.

Enable this option only when L7 signatures alone are configured in a custom signature. This option is not supported for address-based, IP protocol-based, and ICMP-based custom application signatures.

Table 2: Fields on the Add IP Address Mapping Page

Field

Description

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

IP Address

Enter the destination IPv4 or IPv6 address of the application.

CIDR

Enter a CIDR value for the IP Address that you assign to the application.

Range for IPv4 address is 1-32.

Range for IPv6 address is 1-128.

TCP Port range

(Optional) Enter a space-separated list of ports or port ranges to match a TCP destination port for Layer 3 and Layer 4 address-based custom applications.

The range is 0-65535.

Example: 80-82 443.

UDP port range

(Optional) Enter a space-separated list of ports or port ranges to match a UDP destination port for Layer 3 and Layer 4 address-based custom applications. The range is 0-65535.

Example: 160-162 260.
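The matching rules in the note above and in Table 2 (an address mapping needs an IP address or a port range; when both are configured, both must match the packet's destination tuple) can be modelled as follows. This is an added example, not Juniper code; the AddressMapping class, its method names and the sample values are constructed for illustration.

```python
# Added example (not Juniper code): models the Layer 3/Layer 4 address-mapping
# semantics documented above. Class and function names are constructed here.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


def parse_port_ranges(spec: str) -> List[PortRange]:
    """Parse a space-separated list such as '80-82 443' into (low, high) pairs.
    Every port must lie in 0-65535, the range Table 2 allows."""
    ranges = []
    for token in spec.split():
        low, _, high = token.partition("-")
        lo, hi = int(low), int(high or low)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {token}")
        ranges.append((lo, hi))
    return ranges


@dataclass
class AddressMapping:
    name: str
    ip_cidr: Optional[str] = None          # destination address plus CIDR, e.g. "10.0.0.0/8"
    tcp_ports: List[PortRange] = field(default_factory=list)
    udp_ports: List[PortRange] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Either an IP address or a TCP/UDP port range is mandatory.
        if self.ip_cidr is None and not (self.tcp_ports or self.udp_ports):
            raise ValueError("address mapping needs an IP address or a TCP/UDP port range")
        if self.ip_cidr is not None:
            net = ipaddress.ip_network(self.ip_cidr, strict=False)
            if net.prefixlen < 1:             # documented CIDR range starts at 1
                raise ValueError("CIDR prefix length must be at least 1")

    def matches(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        """Return True when the packet's destination tuple satisfies every
        configured criterion (IP and/or ports); unconfigured criteria are ignored."""
        if self.ip_cidr is not None:
            net = ipaddress.ip_network(self.ip_cidr, strict=False)
            if ipaddress.ip_address(dst_ip) not in net:   # also False on v4/v6 mismatch
                return False
        if self.tcp_ports or self.udp_ports:
            ports = {"tcp": self.tcp_ports, "udp": self.udp_ports}.get(proto, [])
            return any(lo <= dst_port <= hi for lo, hi in ports)
        return True
```

Because the match is on the destination tuple only, a mapping that lists TCP ports does not match UDP traffic to the same server, and a mapping with no port list matches every destination port inside the address range.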

Table 3: Fields on the Add Signature Page

Field

Description

Over Protocol

Displays the application protocol over which the signature is matched.

Example: HTTP.

Signature Name

Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

Port Range

Enter the port range for the application.

Range is 0-65535.

Example: 80-82,443

Add Members

Click the plus icon (+) to add the member details.

Member No.

Enter the member name for a custom application signature. Custom signatures can contain multiple members that define attributes for an application. (The supported member name range is m01 through m15.)

Context

Select the service-specific context.

  • For L7 Signatures over HTTP, select any of the following contexts:

    • http-get-url-parsed-param-parsed

    • http-header-content-type

    • http-header-cookie

    • http-header-host

    • http-header-user-agent

    • http-post-url-parsed-param-parsed

    • http-post-variable-parsed

    • http-url-parsed

    • http-url-parsed-param-parsed

  • For L7 Signatures over SSL, select the service-specific context as ssl-server-name.

  • For L7 Signatures over TCP, select the service-specific context as stream.

  • For L7 Signatures over UDP, select the service-specific context as stream.

For possible combinations of context and direction for L7 application creation, see context (Application Identification).

Direction

Select the direction of the packet flow to which the signature must be matched.

  • any—The direction of packet flow can either be from client-side to server-side or from server-side to client-side.

  • client-to-server—The direction of packet flow is from client-side to server-side.

  • server-to-client—The direction of packet flow is from server-side to client-side.

Pattern

Enter the deterministic finite automaton (DFA) pattern to be matched on the selected context. Maximum length is 128 characters.