Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Custom Policy Applications

Custom policy application is an alternate feature for predefined policy applications. If you do not want to use predefined policy applications in your policy, you can create custom applications. Junos OS allows you to configure custom applications for your policy.

Understanding Custom Policy Applications

If you do not want to use predefined applications in your policy, you can easily create custom applications.

You can assign each custom application the following attributes:

  • Name

  • Transport protocol

  • Source and destination port numbers for applications using TCP or UDP

  • Type and code values for applications using ICMP

  • Timeout value

Custom Application Mappings

The application option specifies the Layer 7 application that maps to the Layer 4 application that you reference in a policy. A predefined application already has a mapping to a Layer 7 application. However, for custom applications, you must link the application to a policy explicitly, especially if you want the policy to apply an Application Layer Gateway (ALG) or deep inspection to the custom application.

Note:

Junos OS supports ALGs for numerous applications, including DNS, FTP, H.323, HTTP, RSH, SIP, Telnet, and TFTP.

Applying an ALG to a custom application involves the following two steps:

  • Define a custom application with a name, timeout value, transport protocol, and source and destination ports.

  • When configuring a policy, reference that application and the application type for the ALG that you want to apply.

Example: Adding and Modifying Custom Policy Applications

This example shows how to add and modify custom policy applications.

Requirements

Before you begin, create addresses and security zones. See Example: Creating Security Zones.

Overview

In this example, you create a custom application using the following information:

  • A name for the application: cust-telnet.

  • A range of source port numbers: 1 through 65535.

  • A destination port number: 23000.

  • The protocol used by the application: TCP.

Once the custom application cust-telnet is created the following information is modified:

  • The protocol used by the application is modified to : TCP.

  • A range of source port numbers: 1 through 51100.

  • A destination port number: 11000.

Configuration

Procedure

Step-by-Step Procedure

The following example requires you to navigate through various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To add and modify a custom policy application:

  1. Configure TCP and specify the source port and destination port.

  2. Specify the length of time that the application is inactive.

  3. Modify the custom policy application cust-telnet :

    • Delete the source and destination ports configured for TCP.

    • Configure UDP and specify the source port and destination port.

    • Specify the length of time that UDP is inactive.

  4. If you are done configuring the device, commit the configuration.

Verification

Verifying The Modified Custom Policy Application

Purpose

To verify if the custom policy application has been modified successfully.

Action

From operational mode, enter the show applications application cust-telnet command to display the details of the custom policy application - cust-telnet.

Note:

The timeout value is in seconds. If you do not set it, the timeout value of a custom application is 1800 seconds. If you do not want an application to time out, type never.

Meaning

The output displays information about the cust-telnet application. Verify the following information:

  • Configured policy name.

  • Source and destination ports.

  • Length of time (in seconds) that the application is inactive.

Example: Configuring Custom Policy Application Term Options

This example shows how to configure applications properties and term options for application protocols.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device

  • A PC

Before you begin:

Overview

In this example, you create an application name, app-name, and a term called custom-options to define your custom policy application term options.

You configure Domain Name Service (DNS) as the Application Layer Gateway (ALG) type and UDP as the networking protocol type. You set the source port to 24000 and the destination port to 23000. Then you set the Internet Control Message Protocol (ICMP) packet type value to 5 and the ICMP code value to 0. You set the remote procedure call (RPC) program number value to 50 and the Universal Unique Identifier (UUID) value to 1be617c0-31a5-11cf-a7d8-00805f48a135. Finally, you set the inactivity-timeout value to 60.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure custom policy application term options:

  1. Configure the term name.

  2. Configure the ALG type.

  3. Configure the networking protocol type.

  4. Configure the source port number.

  5. Configure the TCP or UDP destination port number.

  6. Specify the application type value.

  7. Specify the application code value.

  8. Specify the RPC program number.

  9. Specify the UUID value.

  10. Specify the inactivity timeout value.

Results

From configuration mode, confirm your configuration by entering the show applications command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration

Purpose

Verify that the configuration is correct.

Action

From operational mode, enter the show applications command.