Custom Policy Applications
Custom policy application is an alternate feature for predefined policy applications. If you do not want to use predefined policy applications in your policy, you can create custom applications. Junos OS allows you to configure custom applications for your policy.
Understanding Custom Policy Applications
If you do not want to use predefined applications in your policy, you can easily create custom applications.
You can assign each custom application the following attributes:
Name
Transport protocol
Source and destination port numbers for applications using TCP or UDP
Type and code values for applications using ICMP
Timeout value
Custom Application Mappings
The application option specifies the Layer 7 application that maps to the Layer 4 application that you reference in a policy. A predefined application already has a mapping to a Layer 7 application. However, for custom applications, you must link the application to a policy explicitly, especially if you want the policy to apply an Application Layer Gateway (ALG) or deep inspection to the custom application.
Junos OS supports ALGs for numerous applications, including DNS, FTP, H.323, HTTP, RSH, SIP, Telnet, and TFTP.
Applying an ALG to a custom application involves the following two steps:
Define a custom application with a name, timeout value, transport protocol, and source and destination ports.
When configuring a policy, reference that application and the application type for the ALG that you want to apply.
Example: Adding and Modifying Custom Policy Applications
This example shows how to add and modify custom policy applications.
Requirements
Before you begin, create addresses and security zones. See Example: Creating Security Zones.
Overview
In this example, you create a custom application using the following information:
A name for the application:
cust-telnet.A range of source port numbers:
1through65535.A destination port number: 23000.
The protocol used by the application: TCP.
Once the custom application cust-telnet is
created the following information is modified:
The protocol used by the application is modified to : TCP.
A range of source port numbers:
1through51100.A destination port number: 11000.
Configuration
Procedure
Step-by-Step Procedure
The following example requires you to navigate through various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To add and modify a custom policy application:
Configure TCP and specify the source port and destination port.
[edit applications application cust-telnet] user@host# set protocol tcp source-port 65535 destination-port 23000
Specify the length of time that the application is inactive.
[edit applications application cust-telnet] user@host# set inactivity-timeout 1800
Modify the custom policy application
cust-telnet:Delete the source and destination ports configured for TCP.
Configure UDP and specify the source port and destination port.
Specify the length of time that UDP is inactive.
[edit] user@host# delete applications application cust-telnet source-port user@host# delete applications application cust-telnet destination-port user@host# set applications application cust-telnet protocol udp source-port 51100 destination-port 11000 user@host# set inactivity-timeout 1500
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
Verifying The Modified Custom Policy Application
Purpose
To verify if the custom policy application has been modified successfully.
Action
From operational mode, enter the show applications
application cust-telnet command to display
the details of the custom policy application - cust-telnet.
user@host> show applications application cust-telnet
protocol udp;
source-port 51100;
destination-port 11000;
inactivity-timeout 1500;The timeout value is in seconds. If you do not set it,
the timeout value of a custom application is 1800 seconds. If you
do not want an application to time out, type never.
Meaning
The output displays information about the cust-telnet application. Verify the following information:
Configured policy name.
Source and destination ports.
Length of time (in seconds) that the application is inactive.
Example: Configuring Custom Policy Application Term Options
This example shows how to configure applications properties and term options for application protocols.
Requirements
This example uses the following hardware and software components:
An SRX Series Firewall
A PC
Before you begin:
Configure the required applications. See Example: Adding and Modifying Custom Policy Applications .
Overview
In this example, you create an application name, app-name, and a term called custom-options to define your custom policy application term options.
You configure Domain Name Service (DNS) as the Application Layer Gateway (ALG) type and UDP as the networking protocol type. You set the source port to 24000 and the destination port to 23000. Then you set the Internet Control Message Protocol (ICMP) packet type value to 5 and the ICMP code value to 0. You set the remote procedure call (RPC) program number value to 50 and the Universal Unique Identifier (UUID) value to 1be617c0-31a5-11cf-a7d8-00805f48a135. Finally, you set the inactivity-timeout value to 60.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
user@host# set applications application app-name term custom-options user@host# set applications application app-name term custom-options alg dns user@host#set applications application app-name term custom-options protocol udp user@host#set applications application app-name term custom-options source-port 24000 user@host#set applications application app-name term custom-options destination-port 23000 user@host#set applications application app-name term custom-options inactivity-timeout 60
Step-by-Step Procedure
To configure custom policy application term options:
Configure the term name.
[edit applications] user@host# set application app-name term custom-options
Configure the ALG type.
[edit applications] user@host# set application app-name term custom-options alg dns
Configure the networking protocol type.
[edit applications] user@host# set application app-name term custom-options protocol udp
Configure the source port number.
[edit applications] user@host#set application app-name term custom-options source-port 24000
Configure the TCP or UDP destination port number.
[edit applications] user@host# set application app-name term custom-options destination-port 23000
Specify the inactivity timeout value.
[edit applications] user@host# set application app-name term custom-options inactivity-timeout 60
Results
From configuration mode, confirm your configuration
by entering the show applications command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show applications
application app-name {
term custom-options alg dns protocol udp source-port 24000 inactivity-timeout 60;
}
If you are done configuring the device, enter commit from configuration mode.