Applications and Application Sets

Applications are predefined or custom-defined entities that represent specific types of network traffic or services. Application sets are collections of applications grouped for easier management and policy creation. You can create an application set that includes multiple related applications and then apply policies to the entire set.

Applications or services correspond to Application layer protocols that define how communication occurs between networked systems, specifying how data is structured, formatted and processed at the application level as it travels across the network.

In the context of IDP policies, applications and application sets are defined as follows:

  • Applications—These are predefined or custom-defined entities that represent specific types of network traffic or services. An application in this context can be anything from a web service (like HTTP or HTTPS), an email protocol (like SMTP), a file transfer service (like FTP), or any other type of network application. Each application has a set of characteristics that allow the IDP system to identify and monitor the traffic associated with that application.
  • Application Sets—These are collections of applications grouped together for easier management and policy creation. Instead of defining policies for individual applications, you can create an application set that includes multiple related applications and then apply policies to the entire set. This is particularly useful for simplifying the management of security policies when dealing with a large number of applications.

IDP Application Sets

The services you support on your network are the same services that attackers use to attack it, so specifying which services the destination IP actually supports makes your rules more efficient. Juniper Networks provides predefined applications and application sets that are based on industry-standard applications. If you need applications that are not included in the predefined ones, you can create custom applications or modify predefined applications to suit your needs.

You specify an application, or service, to indicate that a policy applies to traffic of that type. The same applications, or a subset of them, are often present in multiple policies, which makes them difficult to manage individually. Junos OS lets you create groups of applications called application sets. Application sets simplify management by letting you maintain a small number of sets rather than a large number of individual application entries.

The application (or application set) is configured as a match criterion for packets. Packets must be of the application type specified in the policy for the policy to apply to the packet. If the packet matches the application type specified by the policy and all other criteria match, then the policy action is applied to the packet. You can use predefined or custom applications and refer to them in a policy.

Example: Configure IDP Application Sets

This example shows how to create an application set and associate it with an IDP policy.

Requirements

Before you begin:

Overview

To configure an application set, you add predefined or custom applications separately to an application set and assign a meaningful name to the application set. Once you name the application set you specify the name as part of the policy. The policy applies to a packet only if the packet matches any one of the applications included in the set.

This example describes how to create an application set called SrvAccessAppSet and associate it with IDP policy ABC. The application set SrvAccessAppSet combines three applications. Instead of specifying three applications in the policy rule, you specify one application set. If all of the other criteria match, any one of the applications in the application set serves as valid matching criteria.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create an application set and associate it with an IDP policy:

  1. Create an application set and include three applications in the set.

  2. Create an IDP policy.

  3. Associate the application set with an IDP policy.

  4. Specify an action for the policy.

  5. Activate the policy.
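The quick-configuration listing for these steps is not reproduced on this page. The following set commands are an added reconstruction of the configuration the five steps describe, not the page's own listing. The page names the application set (SrvAccessAppSet) and the policy (ABC) but not the three member applications or the rule name; junos-ssh, junos-telnet, junos-ftp and the rule name ABC are assumptions.

```junos
# Added example, reconstructed from the steps above; not the page's own listing.
# Step 1: an application set with three predefined applications (members assumed).
set applications application-set SrvAccessAppSet application junos-ssh
set applications application-set SrvAccessAppSet application junos-telnet
set applications application-set SrvAccessAppSet application junos-ftp

# Steps 2 and 3: IDP policy ABC with one IPS rule (rule name ABC assumed) that
# matches on the set; any member application satisfies the match.
set security idp idp-policy ABC rulebase-ips rule ABC match application SrvAccessAppSet

# Step 4: the rule action. no-action is a placeholder for an example; a production
# rule would use an action such as drop-connection or recommended.
set security idp idp-policy ABC rulebase-ips rule ABC then action no-action

# Step 5: make ABC the active IDP policy.
set security idp active-policy ABC
```

Drop the comment lines before pasting if your CLI rejects them. After commit, show applications application-set SrvAccessAppSet in configuration mode should list the three members, and the rule should reference the set by name rather than three separate application statements. On Junos releases that no longer accept the active-policy statement, the policy is referenced instead from the security policy that enables IDP application services (one of the prerequisites listed later on this page).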

Results

From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verify the Configuration

Purpose

Verify that the application set was associated with the IDP policy.

Action

From operational mode, enter the show security idp status command and confirm that the output reports ABC as the policy in use.

Example: Configure IDP Applications and Services

This example shows how to create an application and associate it with an IDP policy.

Requirements

Before you begin:

  • Configure network interfaces.

  • Enable IDP application services in a security policy.

Overview

To create custom applications, specify a meaningful name for an application and associate parameters with it, for example an inactivity timeout or an application protocol type. In this example, you create a custom FTP application called cust-app that runs on TCP port 78, set its inactivity timeout to 6000 seconds, and specify it as a match condition in the IDP policy ABC.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create an application and associate it with an IDP policy:

  1. Create an application and specify its properties.

  2. Specify the application as a match condition in a policy.

  3. Specify no-action as the rule action.

  4. Activate the policy.
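As with the application-set example, the page's quick-configuration listing for these steps is absent. The following set commands are an added reconstruction, not the page's own listing. The application name (cust-app), port (78), inactivity timeout (6000) and policy name (ABC) come from the overview; the rule name ABC and the choice of TCP as the transport are assumptions.

```junos
# Added example, reconstructed from the steps above; not the page's own listing.
# Step 1: a custom application. application-protocol ftp tells the device to treat
# traffic on this port as FTP, so the IDP FTP decoder inspects it; without it,
# port 78 traffic would not be parsed as FTP at all.
set applications application cust-app application-protocol ftp
set applications application cust-app protocol tcp
set applications application cust-app destination-port 78
set applications application cust-app inactivity-timeout 6000

# Step 2: match the custom application in IDP policy ABC (rule name ABC assumed).
set security idp idp-policy ABC rulebase-ips rule ABC match application cust-app

# Step 3: no-action is a placeholder; use drop-connection or recommended in production.
set security idp idp-policy ABC rulebase-ips rule ABC then action no-action

# Step 4: make ABC the active IDP policy.
set security idp active-policy ABC
```

The inactivity timeout is a security trade-off: 6000 seconds keeps idle FTP control sessions in the session table for an hour and forty minutes, which suits long transfers but also lets a stalled or abandoned session hold state for that long. Pick the smallest value the service actually needs. After commit, show applications application cust-app in configuration mode should show all four parameters.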

Results

From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verify the Configuration

Purpose

Verify that the application was associated with the IDP policy.

Action

From operational mode, enter the show security idp status command and confirm that the output reports ABC as the policy in use.