Example: Configure Application Identification in Juniper Security Director Cloud to Manage Web Applications

As an administrator, you can control user access to external websites and web applications to ensure full control and visibility. Within the applications, you can further restrict user activities to prevent any uploading actions that could consume excessive bandwidth or violate compliance regulations. Use this configuration example to configure application identification (AppID) in Juniper Security Director Cloud.

Juniper Networks® AppSecure is a suite of application-aware security services for Juniper Networks® SRX Series Firewalls. These services deliver security measures to provide visibility and control over the types of applications in a network. AppSecure uses a classification engine to accurately identify applications regardless of port or protocol, including nested applications that reside within trusted network services.

Application identification, a service of AppSecure, recognizes traffic at different network layers using characteristics other than port number. The service uses protocol bundles containing application signatures and information parsed from packets to identify applications.

Benefits of Application Identification

  • Wide monitoring coverage—Provides granular control over applications, including video streaming, peer-to-peer communication, social networking, and messaging. AppID also identifies services, port usage, underlying technology, and behavioral characteristics of applications. With this visibility, you can block evasive applications inline at the SRX Series Firewall.
  • Control over network traffic—Identifies applications and allows, blocks, or limits applications regardless of port or protocol, including applications known for using evasive techniques to avoid identification. This identification helps organizations control the types of traffic allowed to enter and exit the network.

Application Identification Mapping Overview

Application signature mapping is a method used to accurately identify applications generating network traffic by analyzing the content at the application layer (Layer 7). This approach enables more precise security enforcement and traffic management. Applications are identified by using a downloadable protocol bundle.

Every packet in the flow passes through the AppID engine until the application is identified. Application bindings are saved in the application system cache (ASC) to expedite future identification. AppID uses signatures to identify applications based on protocol grammar analysis of the first few packets of a session. If the AppID engine can't identify the application, the engine waits for more packets to analyze.

  1. Traffic Detection—When a new traffic flow begins, the AppID engine monitors and captures the initial packets exchanged between the source and destination.

  2. Checking Application System Cache (ASC)—The AppID engine first checks the ASC to determine if there is an existing application binding for the flow. If a match is found, the application is immediately identified and mapped to that flow.

  3. Signature Analysis—If no match is found in the ASC, the system uses a protocol bundle containing known application signatures. It compares details from the initial packets’ payloads against this database to look for a match.

  4. Grammar and Protocol Inspection—The AppID engine analyzes the protocol grammar and additional packet contents, seeking more granular indicators of the application’s identity.

  5. Signature Matching—If a signature in the protocol bundle matches the captured packet data, the application is successfully identified and the mapping is recorded in the cache for future efficiency.

  6. Ongoing Packet Analysis (if no match)—If no signature match is found, the engine continues to inspect additional packets in the session, repeating the process for each until a match is determined or the flow is classified as unknown.

  7. Classification as Unknown—If, after processing several packets, the application still cannot be identified, it is categorized as an unknown application and is processed according to the security policy.

By following this sequence, application signature mapping provides an organized and systematic approach to identifying and managing application traffic with high accuracy and speed.

Application Identification in Juniper Security Director Cloud

Juniper® Security Director Cloud provides tools for managing application identification within enterprise networks. Juniper Security Director Cloud allows users to create, modify, clone, and delete application signatures and signature groups.

You can also add custom application signatures that are not included in Juniper Networks' predefined database. You can create these custom signatures based on parameters such as Internet Control Message Protocol (ICMP), IP protocol, IP address, and Layer 7 context values. This functionality helps you identify patterns in application traffic more precisely.

Topology for Configuring Application Identification in Juniper Security Director Cloud

This topology centralizes web application traffic management, enhancing network security. The figure shows how Juniper Security Director Cloud manages SRX Series Firewalls through the Internet. You configure AppID profiles and security policies in Juniper Security Director Cloud, and they are then applied to the SRX Series Firewalls.

SRX Series Firewalls perform various tasks from Juniper Security Director Cloud. The firewalls inspect device traffic, identify Web applications, and enforce security policies such as allow, monitor, or block applications, and manage bandwidth.

Juniper Security Director Cloud also provides tools to monitor traffic, track policy enforcement, and adjust configurations based on activity and compliance needs.

Before You Begin

The following list describes the prerequisites to configuring AppID:

  1. Create your Juniper Security Director Cloud organization account. See Create Your Juniper Security Director Cloud Organization Account.

  2. Add your purchased device subscriptions to Juniper Security Director Cloud. See Add and Manage Subscriptions.

  3. Add your devices to Juniper Security Director Cloud. See Add Devices.

  4. Associate the devices with your purchased device subscriptions. See Device Subscriptions.

  5. Install the application signature security package. See Install Security Package.

  6. Enable automatic update of the application signature security package. See Enable Automatic Update of Security Package.

Application Identification Configuration

This configuration example describes the workflow for creating a security policy that allows access to all websites, updating the policy to restrict access to Facebook and YouTube, and then configuring packet capture of unknown application traffic to detect applications that do not match any application signature.

Step 1: Create a Security Policy to Allow Access to All Websites

In this step, you are creating a security policy that allows access to all web applications. In the next steps, you will update your security policy to restrict Facebook and YouTube.
  1. Click SRX > Security Policy > SRX Policy. The Security Policies page is displayed.
  2. Click the plus icon (+). The Add Security Policy page is displayed.
  3. Complete the following configuration and click OK.
    • Name—demo-srx-blr-2

    • Description—Demo security policy on SRX Series Firewall in Bangalore

    • Rule placement analysis—Enable

    • All devices—Enable

  4. Add a security policy rule.
    1. Click SRX > Security Policy > SRX Policy. The Security Policies page is displayed.
    2. Click the demo-srx-blr-2 security policy to add the rule. The security policy page is displayed.
    3. Click +. The option to create a security policy rule is displayed inline.
    4. Complete the following configuration and click the check mark.
      • Name—allow-websites

      • Description—Security policy rule to allow access to all websites.

      • Sources—Trust

      • Destinations—Untrust

      • Applications—Any. You can also select a specific HTTP or HTTPS application signature.

      • Services—Any. You can also select a specific HTTP or HTTPS service.

      • Action—Permit

      • Session initiate logs—Select this option to enable logging of events when sessions are created.

      • Session close logs—Select this option to enable logging of events when sessions are closed. When logging is enabled, the system logs at session close time by default.

  5. Click Deploy. The Deploy page is displayed.
  6. Under Deployment Time options, select Run Now to deploy the policy immediately and click OK.

    A job is created. Click the job ID to go to the Jobs page and see the deployment status.

  7. Verify user access to all websites.
    1. Click Monitor > Logs > Session. The Session page is displayed.
    2. See the event logs and verify whether access to websites, such as Facebook and YouTube, is allowed.

      Select an event log generated by the demo-srx-blr security policy and click More > Details to see the event log details. This overlay provides the details of the event allowing a device user’s access to Facebook or YouTube.

You have now created and deployed a security policy that allows user access to all websites.

Step 2: Add a Security Policy Rule to Restrict Access to Facebook

  1. Click SRX > Security Policy > SRX Policy. The Security Policies page is displayed.
  2. Click the demo-srx-blr-2 security policy to add the rule. The demo-srx-blr-2 security policy page is displayed.
  3. Click the plus icon (+). The Add Security Policy page is displayed.
  4. Complete the following configuration and click OK.
    • Name—block-facebook

    • Description—Security policy rule to block access to Facebook.

    • Sources—Trust

    • Destinations—Untrust

    • Applications—FACEBOOK-ACCESS

    • Services—Any

    • Action—Redirect

      • Message—Select a message from the drop-down list of previously-used messages, or click Create redirect message and type a new message.

      • URL—Select a redirect URL from the drop-down list of previously-used URLs, or click Add redirect URL and type a new redirect URL.

    • Session initiate logs—Select this option to enable logging of events when sessions are created.

    • Session close logs—Select this option to enable logging of events when sessions are closed. When logging is enabled, the system logs at session close time by default.

  5. Select the security policy rule, click More > Move, and then click Move up or Move down to place the rule above the allow-websites policy rule.
  6. Click Deploy. The Deploy page is displayed.
  7. Under Deployment Time options, select Run Now to deploy the policy immediately and click OK.

    A job is created. Click the job ID to go to the Jobs page and see the deployment status.

  8. Verify that access to Facebook is blocked.
    1. Click Monitor > Logs > All Security Events. The All Security Events page is displayed.
    2. See the event logs and verify whether access to Facebook is blocked.

      Select an event log generated by the demo-srx-blr security policy, and click More > Details to see the event log details. This overlay displays details of the event blocking a device user’s access to Facebook.

You have now created and deployed a security policy rule that blocks user access to Facebook. When you add the Facebook security policy rule above the allow-all security policy rule sequence, the Facebook security policy rule is implemented first.

Step 3: Update the Security Policy Rule to Restrict Access to YouTube

  1. Click SRX > Security Policy > SRX Policy. The Security Policies page is displayed.
  2. Click the demo-srx-blr-2 security policy to add the rule. The demo-srx-blr-2 security policy page is displayed.
  3. Select the block-facebook security policy rule and click the edit icon. The Edit Security Policy page is displayed.
  4. Complete the following configuration and click OK.
    • Name—Update the name to block-facebook-youtube

    • Description—Update the description to Security policy rule to block access to Facebook and Youtube.

    • Applications—Add YOUTUBE

  5. Click Deploy. The Deploy page is displayed.
  6. Under Deployment Time options, select Run Now to deploy the policy immediately and click OK.

    A job is created. Click the job ID to go to the Jobs page and see the deployment status.

  7. Verify that user access to YouTube is blocked.
    1. Click Monitor > Logs > All Security Events. The All Security Events page is displayed.
    2. See the event logs and verify whether access to YouTube is blocked.

      Select an event log generated by the demo-srx-blr security policy, and click More > Details to see the event log details. This overlay displays the event blocking the device user’s access to YouTube.

You have now updated the Facebook security policy to block user access to YouTube.

Step 4: Verify Access is Blocked to Facebook and YouTube

Verify that the demo-srx-blr-2 security policy successfully blocks user access to Facebook and YouTube.
  1. Click Administration > Jobs. The Jobs page is displayed.
  2. Click the name of the job created after deploying the updated demo-srx-blr-2 security policy. The Job Status page is displayed.
  3. Click View Details to see the CLI configuration that blocks Facebook and YouTube.
You have now successfully created security policies and rules to block user access to Facebook and YouTube on the enterprise network.

Step 5: Configure Packet Capture for Unknown Application Traffic

You can use the packet capture of unknown applications feature to gather more details about an unknown application on your security device. Unknown application traffic is the traffic that does not match an application signature.

Use this feature to capture and analyze data packets of applications whose signatures cannot be identified and that are therefore marked as unknown applications in your enterprise network.

  1. Configure packet capture at a security policy level. In this example, you can see how to enable packet capture of unknown application traffic in the security policy P1. Use the options provided at the end of the example to refine your packet capture settings and capture packets tailored to your specific needs.
    • To enable packet capture of unknown application traffic at the security policy level, you must include junos:UNKNOWN as the dynamic-application match condition. If you don't include the condition, a warning is displayed—Warning: packet-capture action requires dynamic application junos:UNKNOWN in policy.

    • When you configure the P1 security policy, the system captures the packet details for the application traffic that meets the security policy match criteria.

    After you have configured packet capture options on your security device, the unknown application traffic is gathered and stored on the device in a packet capture (.pcap) file.
  2. After you complete and commit the configuration, you can view the packet capture (.pcap) file. The system generates a unique packet capture file for each destination IP address, destination port, and protocol.
    1. Navigate to the /var/tmp directory where .pcap files are stored on the device.
    2. Locate the required .pcap file.

      A .pcap filename has the format destination-IP-address.destination-port.protocol.pcap—for example, 10.250.31.156_443_17.pcap.

    3. Download the .pcap file by using SSH File Transfer Protocol (SFTP) or Secure Copy Protocol (SCP) and view the file with Wireshark or your preferred network analyzer.
Next, you can:
  • Use the packet capture of an unknown application to define a new custom application signature. You can use this custom application signature in a security policy to manage the application traffic more efficiently.

  • Send the .pcap file to Juniper Networks for analysis in cases where the traffic is incorrectly classified, or to submit a request to create an application signature.
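As an added example (not Juniper's code, and not how the SRX Series AppID engine is actually implemented), the following Python model ties together the identification sequence from the Application Identification Mapping Overview above and the per-destination capture file naming from this step: an ASC lookup first, signature matching over the first packets of a session, and classification as unknown once a packet budget is exhausted. The packet budget, the binding key, and the byte patterns in the stand-in protocol bundle are assumptions for illustration only.

```python
from dataclasses import dataclass

MAX_PACKETS = 4  # assumption: packets inspected before a flow is classified unknown

# Constructed stand-in for the protocol bundle: (application, byte pattern).
# Nested applications are listed before the generic service they ride on, so
# the first match is the most specific one. Patterns are illustrative only.
PROTOCOL_BUNDLE = [
    ("junos:FACEBOOK-ACCESS", b"Host: www.facebook.com"),
    ("junos:YOUTUBE", b"Host: www.youtube.com"),
    ("junos:HTTP", b"HTTP/1."),
]


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    seen: int = 0     # packets inspected so far
    app: str = ""     # empty until the flow is classified


class AppIdEngine:
    """Toy AppID engine: ASC lookup, then signature matching, then unknown."""

    def __init__(self):
        # Application system cache (ASC): binding key -> application
        self.asc = {}

    @staticmethod
    def binding_key(flow):
        return (flow.dst_ip, flow.dst_port, flow.proto)

    def inspect(self, flow, payload):
        """Feed one packet. Returns the application once identified,
        'junos:UNKNOWN' when the packet budget runs out, or None while waiting."""
        if flow.app:
            return flow.app                      # already classified
        cached = self.asc.get(self.binding_key(flow))
        if cached:                               # step 2: ASC hit
            flow.app = cached
            return cached
        flow.seen += 1
        for app, pattern in PROTOCOL_BUNDLE:     # steps 3-5: signature match
            if pattern in payload:
                flow.app = app
                self.asc[self.binding_key(flow)] = app   # record the binding
                return app
        if flow.seen >= MAX_PACKETS:             # step 7: give up, mark unknown
            flow.app = "junos:UNKNOWN"           # (unknown bindings are not cached here)
            return flow.app
        return None                              # step 6: wait for more packets


def capture_filename(flow):
    """Per-destination .pcap name in the form shown in Step 5, e.g. 10.250.31.156_443_17.pcap."""
    return f"{flow.dst_ip}_{flow.dst_port}_{flow.proto}.pcap"
```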

Troubleshooting

Issues with detection of applications or applications blocked by the SRX Series Firewall

The SRX Series Firewall might fail to detect applications, or might block required applications, for various reasons.

To ensure that the device successfully detects applications and does not block required applications, check whether the following requirements are met and perform the suggested steps:

  • The correct application signature package is installed on the device.

  • A dynamic application is configured in the security policy rule.

  • There are no conflicting unified and standard security policies.

  • Verify the security flow session by using the command show security flow session.

  • Check whether the device is dropping packets by using the command show security packet-drop records.

  • Capture packets with specific source and destination points for better troubleshooting.

  • Check whether the security policy is being implemented by using the command show security policies hit-count.

  • Check whether pre-ID default policy logging has been enabled.

  • Generate logs that track specific events for troubleshooting by using the following commands: