Install Application Signatures Package

Upgrade to Next-Generation Application Identification

Security devices installed with Junos OS builds with legacy application identification include legacy application identification security packages. When you upgrade these devices with more recent releases, the next-generation application identification security package is installed along with the default protocol bundle. The device is automatically upgraded to next-generation application identification.

Note the following about next-generation application identification security package:

• The next-generation application identification security package introduces incremental updates to the legacy application identification package. You are not required to remove or uninstall any existing applications.

• Applications from earlier Junos OS versions may have new aliases in later versions. Existing configurations will still function, but logs and related information will reflect the updated names. Use the show services application-identification application detail new-application-name command to get the details of the applications.

• When you upgrade Junos OS, you can include the validate or no-validate options with the request system software add command. Because the existing features, which are not part of next-generation application identification, are deprecated, incompatibility issues are not seen.

• Next-generation application identification eliminates the generation of new nested applications and treats existing nested applications as normal applications. In addition, next-generation application identification does not support custom applications or custom application groups. Existing configurations involving any nested applications, custom applications, or custom application groups are ignored with warning messages.

Configuration

• Step-by-Step Procedure
• Step-by-Step Procedure

Downloading and Installing the Application Identification Package

• Step-by-Step Procedure
• Step-by-Step Procedure

Purpose

After successful download and installation of the application package, use the following commands to view the predefined application signature package content.

Action

• View the current version of the application package:

• View the current status of the application package:

Automatic Rollback

In case of application signature package installation failure, the system automatically rolls back to the previous version of the application signature package that is currently installed on your security device.

When you download and install the application signature package on a device operating in chassis cluster mode, if the installation fails on a node, the system rolls back to the previous version of the application signature. The device displays a minor alarm on the same node where installation fails and rollback succeeds.

Example:

Check application signature package rollback status when installation failed and the rollback completes successfully.

Manual Rollback

You can manually rollback the application signature package to the previous installed version using the following steps:

1. Rollback the application signature package to the previous version.

2. Check the rollback status.

Note the following for manual rollback of an application signature package:

• Once you rollback application signature package version manually from version Y to version X, the scheduled auto-update of an application signature package is skipped until a new version Z, which is higher than the version Y, is available.

• You can download and install application signatures through intrusion detection and prevention (IDP) security packages. In this case, if AppID installation fails during the IDP install, AppID rolls back to the previous version and IDP installation continues with the requested version. In such cases, IDP and AppID might have different versions.

• Application signature package installation does not proceed if there is any corruption, deletion, or modification of downloaded signature package files. In such cases, the following message is displayed:

• When your security device does not include any previous version application signature package and you attempt to rollback application signature package, the device displays the following error message:

Migration of New Applications to Normal Applications:

The junos:all-new-apps group contains a set of all new applications in the installed application signature pack on your security device compared to previously installed signature pack. If you decide to install a newer version of the application signature package, that version will contain a new set of applications in the junos:all-new-apps group.

You can chose to migrate the new applications to normal applications in your existing application signature package. This migration will help you to consistently maintain rules in security policy which are created specific to the new applications whenever you upgrade to newer application signature versions in future.

You can use the following new commands to move the applications tagged as new applications to normal applications:

• To migrate only specified new applications as normal application, use the following command:

• To migrate all new applications as normal applications, use the following command:

After you run these commands, application will no longer be tagged as new and will not be part of the junos:all-new-apps group.

Application Signatures Package Enhancements

We've introduced the following enhancements to the application signature package:

• Support for FTP data context propagation
• Skipping of deep packet inspection (DPI) for the sessions offloaded by advanced policy-based routing (APBR) on application system cache (ASC) hit. (When only APBR service is enabled.)
• Forceful installation of the application signature pack over the same version of signature pack. See request services application identification install ignore duplicate version check
• Display of the application signature pack release date in the CLI command output. See show services application-identification version
• Display of the list of deprecated application signatures available in the installed signature pack in the CLI command output. See show services application identification application obsolete applications

Application Signature Package Installation Failure

During application signature package installation, if an error occurs, or the process unexpectedly crashes, the installation automatically stops and reverts to the previously installed version.

The system displays the following error messages when you try to check download status of the faulty application signature package:

• With specified the application signature package version:
• With out specified application signature package version:

The system displays following messages when you check application signature installation status:

• When application package installation is completed and being validated for any defects:

• When trying to install application signature package which is marked as faulty:

• When the installed application signature package is detected as faulty:

You can see the details of the failed version using the following command:

For scheduled the automatic update of application signature package: While installation is in-progress, and if the installation package has any issues, the system rolls back the application signature package to the previous version. During the next auto update, the system does not continue with the problematic signature package for download and installation.

Auto Rollback Enhancement

The auto rollback feature now enables the system to revert to a previously working version of the application signature package. Additionally, it retains the previously designated rollback version in the event of any issues during application signature package installation

For example, if your device currently has application signature package version Y, and you’ve set the rollback version as X, here’s what happens during an installation attempt:

• You try to install the new version Z.
• If any issues arise during installation or if version Z fails to install, the system automatically reverts back to the current version Y.
• The previously designated rollback version X remains unchanged.

In this way, the system ensures a smooth transition by reverting to a known working version if needed.

Application Signature Package Installation on a Chassis Cluster Setup

When using a chassis cluster setup, the system first installs the application signature package on the primary node and checks for any issues or problems.

Application signature package installation starts immediately on the primary node. During installation, the secondary node waits for the primary node to complete the validation of the installation package. If the validation is successful, then the system proceeds to install the same package on the secondary node, otherwise, it skips the installation.

You can check the installation status using the following command:

If the installation fails on the primary node, then rollback happens only on the primary node. Similarly if the installation fails on the secondary node, then rollback is triggered on secondary node only.

When the installation fails, system displays following messages:

Primary Node

Secondary Node

When a node changes from primary state to the secondary state while installation is in-progress on the primary node, then the system displays the following message:

Primary Node

Secondary Node

If the primary system can not update the secondary node within time (approximately 35 minutes) due to unexpected issues, the installation process on the secondary system will be canceled.

Once the primary node completes the installation and validation, the system initiates the installation on the secondary node. In case change in the primary and secondary roles due to a failover, then the previous-secondary node (now primary) continues to install the signature package.

Installation Status to the Signature Package Server

Application signature engine sends the status to the signature package server for installation success or failure. During application signature package installation, if errors are found in the package, installation stops and reverts to the previous active version and status is sent to the server. If multiple devices report a faulty application signature package, the server analyzes this data, marks the package as invalid, and prevents future downloads.

Marking a signature package as invalid is available only for the major signature package.

The signature package marked as invalid will not be available for future downloads only by CLI. Download and installation by Security Director and offline downloads display error message informing that the requested application package is not available for download.

Major and Minor Signature Package

Now we support two types of signature packages are available for the updates:

• Major updates include IDP signatures, IDP detector, and application identification protobundle.
• Minor updates include regular signature updates.

Let’s understand the difference in major and minor updates with an example:

• The signature package version with protocol bundle released has version 3585. This is a major update. All minor signature packages post 3585 contain this updated protocol bundle until we have next major signature package update.
• The next release of package includes IDP detector and has version 3598. This is again a major update. All minor signature packages post 3598 contain this updated detector until we have next major update.

If your firewall is having major signature pack version 3598 and if you attempt to download minor version such as 3588 using manual download method or automatic download, then the download fails with the following error message:

Downloading Minor-Only Signature Package

You can download an application signature package that is marked as minor. The default behavior does not check for major or minor version.

To set automatic download of the minor signature package:

Specifying minor-only in the command downloads the minor version of the signature package.

To download minor signature package:

Specifying minor-only in the command downloads the minor version of the signature package.

Check the available signature package versions:

The command displays all the available versions of the application signature package.

Check the available signature package versions:

The command displays all the latest version of the major application signature package.

View the version of your signature package:

The command displays application signature package version installed on your device in Application package version field.

Check the version of the signature package from the Juniper Networks security website.

The command displays the latest version of both major and minor application signature packages, which are available on Juniper Networks security website.

Downgrading Application Signature Package Version

You can downgrade your application signature package version by specifying the signature package version. Use the following steps to downgrade:

1. Check the available signature package versions using the show services application-identification recent-appid-sigpack-versions command.

2. Run the command to download the required version:

Offline Application Identification (AppID) Update

Offline Application Identification (AppID) Update and associated features significantly enhance the manageability and serviceability of network systems, particularly in environments with limited connectivity.

The offline AppID update feature allows you to update the signature package from a local tar file using the following CLI command:

When you enter this command, the system uncompresses the signature package and places the extracted files in the proper locations on the device.

Example:

1. Copy or download the offline application package from the URL: https://support.juniper.net/support/downloads/?p=282
2. Enter the command to extract signature package:
3. Check the status of offline download of signature package:

   The system displays the following error message when the package path is not correct:

4. Use the request services application-identification install command to install the signature package on the device.

The operation concludes with a system log message indicating whether the update was successful or if it encountered any errors, providing immediate feedback for troubleshooting. Example of syslog messages:

• The APPIDD_APPPACK_OFFLINE_DOWNLOAD_RESULT: AppID sigpack offline download : Complete confirms a successful update.
• The APPIDD_APPPACK_OFFLINE_DOWNLOAD_RESULT: AppID sigpack offline download : Failed with error (AppID offline download package </var/tmp/...> does not exist) indicates a failure along with a specific error message

This feature is particularly useful in the environments with limited or no Internet connectivity, such as remote locations or secure facilities.

Syslog Message for Deprecated Applications

You can now manage deprecated applications and application groups. After performing a signature pack update, a system log message lists deprecated applications, helping you identify and manage outdated applications that might impact your security policies.

When handling deprecated applications, the system log message APPIDD_DEPRECATED_APPLIST: Obsolete apps: app1, app2, app3, app4... lists outdated applications, enabling you to take appropriate actions.

List Deprecated Application Groups

You can list all the deprecated application groups using the following command:

The command allows you to list deprecated application groups, ensuring these groups do not interfere with device configuration and preventing commit failures due to hidden deprecated groups.

You can use the following system log message to view deprecated application groups: