
Enable Application Visibility (SRX Only)

Follow these steps to enable application-aware security services.

The Juniper Networks Application Security (AppSecure) feature is a suite of application-aware security services for the Juniper Networks® SRX Series Firewalls. AppSecure enables you to see the applications on your network and learn how they work. It enables you to observe their behavioral characteristics and assess their relative risk, which allows the Juniper Mist™ cloud to track and report applications passing through the device.

Before You Begin

Consult this list to ensure that you have the licenses and application signatures necessary to enable application visibility.

  • You need a valid AppSecure license on your SRX Series Firewall to use the feature. Use the show system license command to check whether your device has the license. For details about license requirements and installation, see the Juniper Licensing User Guide.

  • We recommend using the latest version of application signatures. To install the latest version of application signatures, run the following commands on your device:

    1. Download the application signature package version on your device. The command downloads the latest version of the package.

    2. Install the application signature package version on your device.

    3. Verify the application signature package version installed on your device.

    For more details, see Predefined Application Signatures for Application Identification.

    You can see the application signature version in the Juniper Mist cloud portal of your device under the SECURITY SERVICES panel.

    Figure 1: Check Application Security (AppSecure) Version

Enable Application Visibility During Device Adoption

If you're onboarding new devices, you can enable application visibility as part of the normal device adoption workflow. This option is available in the site assignment settings.

To enable application visibility while assigning a device to a site:

  1. From the left menu, click Organization > Admin > Inventory.
  2. Click the WAN Edges button at the top of the Inventory page.
  3. Click the Adopt WAN Edges button in the top-right corner of the page.
    Figure 2: WAN Edge Adoption Commands

    Juniper Mist generates a code snippet in the WAN Edge Adoption window.

  4. Ensure that you've selected the SRX option, and click Copy to Clipboard.
  5. Close the pop-up window.
  6. Go to the CLI for your SRX Series Firewall, enter configuration mode, paste the code, and commit the configuration.

    This code creates the following settings on your SRX Series Firewall:

    • Enable SSH.

    • Create a Juniper Mist cloud user.

    • Create a device ID and credentials.

    • Set up the outbound SSH client and associated timers.

    After you commit the configuration on your SRX Series Firewall, the device appears on the Inventory page in the Juniper Mist portal.

  7. On the Inventory page, select the check box for the newly added SRX Series Firewall, then click More at the top of the page, and then click Assign to Site.
  8. In the Assign Gateways pop-up window, enter these settings:
    1. Select the site.
    2. To manage the configuration in Juniper Mist, select the Manage configuration check box.
    3. Select the appropriate option to describe your AppTrack license.
      • Device has an App Track license—Application visibility is already enabled on the device.

      • Device does NOT have an App Track license—The device does not have an application security license.

      • Use site setting for App Track license—Enable application visibility under site setting options.

    4. Click Assign to Site.
  9. For a device-based license or no license—Complete these additional steps if you selected Device has an App Track license or Device does NOT have an App Track license in the gateways assignment window.
    1. On the Inventory page, click your newly assigned SRX.
    2. On the device details page, scroll down to the Application Visibility section.
    3. Select the same license option that you selected in the site assignment window: Device has an App Track license or Device does NOT have an App Track license.
    4. Click Save at the top right corner of the device details page.
  10. For a site-based license—Complete these additional steps if you selected Use site setting for App Track license in the gateway assignment window.
    1. From the left menu, select Organization > Admin > Site Configuration.
    2. Select the site that you assigned to the newly added SRX device.
    3. Scroll down to the WAN Edge Advanced Security section.
    4. To enable application visibility, select the check box for My SRX devices have an App Track license.
    5. In the Log Source Interface box, enter the IP address of the interface to use as the source address for log messages.
      This interface needs connectivity to the cloud or Internet. It acts as the source address for log messages for the application session records.
    6. Save the site configuration.
You can check the API messages for /sites/site-id/setting to see one of the following options, depending on whether you selected or cleared My SRX devices have an App Track license:
    • The "gateway_mgmt": {"app_usage": True} message indicates that the check box is selected.

    • The "gateway_mgmt": {"app_usage": False} message indicates that the check box is not selected.

    Example:

Note:

The gateway_mgmt section appears only if you used the site settings option when enabling application visibility.
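
The following Python sketch is an added example, not part of the Juniper documentation. It classifies the body of a /sites/site-id/setting response by its gateway_mgmt.app_usage value, including the case described in the note where the gateway_mgmt section is absent. The function names, site names, and sample response bodies are constructed for illustration; the sample bodies use JSON's lowercase true/false.

```python
import json

def app_visibility_state(site_setting: dict) -> str:
    """Classify one parsed /sites/site-id/setting response.

    Returns "enabled" or "disabled" from gateway_mgmt.app_usage, or
    "not-set-at-site" when the section or key is absent (the site
    settings option was not used to enable application visibility).
    """
    gateway_mgmt = site_setting.get("gateway_mgmt")
    if not isinstance(gateway_mgmt, dict) or "app_usage" not in gateway_mgmt:
        return "not-set-at-site"
    value = gateway_mgmt["app_usage"]
    # Reject strings such as "True": only a real boolean is trusted.
    if not isinstance(value, bool):
        raise ValueError(f"unexpected app_usage value: {value!r}")
    return "enabled" if value else "disabled"

def audit_sites(responses: dict) -> dict:
    """Map each site name to its state, given raw JSON response bodies."""
    return {site: app_visibility_state(json.loads(body))
            for site, body in responses.items()}

def sites_needing_review(report: dict) -> list:
    """Sites where application visibility is not confirmed at site level."""
    return sorted(site for site, state in report.items() if state != "enabled")

# Constructed sample response bodies (hypothetical site names).
SAMPLE_RESPONSES = {
    "branch-a": '{"gateway_mgmt": {"app_usage": true}}',
    "branch-b": '{"gateway_mgmt": {"app_usage": false}}',
    "branch-c": '{"example_other_section": {}}',  # no gateway_mgmt section
}

if __name__ == "__main__":
    report = audit_sites(SAMPLE_RESPONSES)
    for site, state in sorted(report.items()):
        print(f"{site}: {state}")
    print("review:", ", ".join(sites_needing_review(report)))
```

A site reported as not-set-at-site is not necessarily misconfigured: the license option may have been selected on the device details page instead.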

Enable Application Visibility After Initial Onboarding

Use this procedure if you want to enable application visibility on devices that you previously adopted into your organization and assigned to a site.

To enable application visibility on an SRX Series Firewall that you already assigned to a site:

  1. From the left menu, select Organization > Admin > Site Configuration.
  2. Select the site.
  3. Scroll down to the WAN Edge Advanced Security section.
  4. To enable application visibility, select the box for My SRX devices have an App Track license.
  5. For Log Source Interface, enter the IP address of an interface on the SRX Series Firewall that has connectivity to the cloud or Internet.
    This interface acts as the source address for log messages for the application session records.
  6. Click Save.
To view application details, click Monitor > Service Levels. Click the Insights tab, and then scroll down to the Applications section to get details about application usage.