Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Applications and Application Sets for IDP Policies

Applications or services represent Application Layer protocols that define how data is structured as it travels across the network.

For more information, see the following topics:

Understanding IDP Application Sets

Applications or services represent Application Layer protocols that define how data is structured as it travels across the network. Because the services you support on your network are the same services that attackers must use to attack your network, you can specify which services are supported by the destination IP to make your rules more efficient. Juniper Networks provides predefined applications and application sets that are based on industry-standard applications. If you need to add applications that are not included in the predefined applications, you can create custom applications or modify predefined applications to suit your needs.

You specify an application, or service, to indicate that a policy applies to traffic of that type. Sometimes the same applications or a subset of them can be present in multiple policies, making them difficult to manage. Junos OS allows you to create groups of applications called application set.

Application sets simplify the process by allowing you to manage a small number of application sets, rather than a large number of individual application entries.

The application (or application set) is configured as a match criterion for packets. Packets must be of the application type specified in the policy for the policy to apply to the packet. If the packet matches the application type specified by the policy and all other criteria match, then the policy action is applied to the packet. You can use predefined or custom applications and refer to them in a policy.

Example: Configuring IDP Applications Sets

This example shows how to create an application set and associate it with an IDP policy.

Requirements

Before you begin:

Overview

To configure an application set, you add predefined or custom applications separately to an application set and assign a meaningful name to the application set. Once you name the application set you specify the name as part of the policy. For this policy to apply on a packet, the packet must match any one of the applications included in this set.

This example describes how to create an application set called SrvAccessAppSet and associate it with IDP policy ABC. The application set SrvAccessAppSet combines three applications. Instead of specifying three applications in the policy rule, you specify one application set. If all of the other criteria match, any one of the applications in the application set serves as valid matching criteria.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create an application set and associate it with an IDP policy:

  1. Create an application set and include three applications in the set.

  2. Create an IDP policy.

  3. Associate the application set with an IDP policy.

  4. Specify an action for the policy.

  5. Activate the policy.

Results

From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify that the application set was associated with the IDP policy.

Action

From operational mode, enter the show security idp status command.

Example: Configuring IDP Applications and Services

This example shows how to create an application and associate it with an IDP policy.

Requirements

Before you begin:

  • Configure network interfaces.

  • Enable IDP application services in a security policy.

Overview

To create custom applications, specify a meaningful name for an application and associate parameters with it—for example, inactivity timeout, or application protocol type. In this example, you create a special FTP application called cust-app, specify it as a match condition in the IDP policy ABC running on port 78, and specify the inactivity timeout value as 6000 seconds.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create an application and associate it with an IDP policy:

  1. Create an application and specify its properties.

  2. Specify the application as a match condition in a policy.

  3. Specify the no action condition.

  4. Activate the policy.

Results

From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify that the application was associated with the IDP policy.

Action

From operational mode, enter the show security idp status command.