Add Application Signatures
You can add custom application signatures for applications that are not included in the Juniper Networks predefined application database. When you add a custom application signature, make sure that it is unique by giving it a unique and relevant name.
To create a custom application signature:
- Select Shared Services > Objects > Applications.
- Click Create > Signature. The Create Application Signature page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new application signature with your configurations is created.
Table 1 provides guidelines on using the fields on the Create Application Signature page.

Table 1: Fields on the Create Application Signature Page

Name
Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed, and the maximum length is 63 characters.

Description
Enter a description for the application signature; the maximum length is 255 characters.

Signature Order and Priority

Order
Enter the order for the custom application signature, in the range 1 through 50000. A lower order value has higher priority. This option is used when multiple custom application signatures of the same type match the same traffic. However, you cannot use this option to prioritize among different types of applications, such as TCP stream-based applications against TCP port-based applications, or IP address-based applications against port-based applications.
Note: The application order must be unique for each application.

Priority
Specify the priority (high or low) of the application signature over other application signatures.

Signature Classification

Category
Enter the category of the application signature. For example: Messaging, Web, Infrastructure, Remote-Access, Multimedia, and so on.

Sub Category
Enter the subcategory of the application signature. For example: Wiki, File-Sharing, Multimedia, Social-Networking, News, and so on.

Risk
Select the level of risk associated with the application signature. For example: Low, Moderate, High, Critical, and Unsafe.

Characteristics
Enter one or more characteristics of the application signature. For example: supports file transfer, loss of productivity, and so on.

Application Criteria
Enable one or more application matching criteria:
- ICMP Mapping
- IP Protocol Mapping
- Address Mapping
- L7 Signature

ICMP Mapping
Click the toggle button to specify the Internet Control Message Protocol (ICMP) value for an application while configuring custom application signatures for application identification.
The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. The ICMP type and code provide additional specification for packet matching in an application definition.

ICMP Type
Enter an ICMP type value for the application. The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name.
Range is 0-254.

ICMP Code
Enter an ICMP code for the application. The code further qualifies the ICMP type, as defined in the relevant RFCs.
Range is 0-254.

IP Protocol Mapping
Click the toggle button to specify the IP protocol value for an application. This parameter identifies an application based on its IP protocol value and is intended only for IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers.

IP Protocol
Enter an IP protocol number for the application. Standard IP protocol numbers map an application to IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers.
Range is 0-254.
You can find a complete list of industry-standard protocol numbers at the IANA website.
Note: You cannot use IP protocol numbers 1 (ICMP), 6 (TCP), and 17 (UDP) for custom application signature creation. Instead, we recommend that you use L7 signature policies for these protocols.

Address Mapping
Click the toggle button to specify address mapping information. Layer 3 and Layer 4 address mapping defines an application by matching the destination IP address, the destination port range, or both. Use the address mapping option to configure custom application signatures when the configuration of your private network predicts application traffic to or from trusted servers.
Address mapping provides efficiency and accuracy while handling traffic from a known application. For more information, see Table 2.
Note:
- You must specify either an IP address or a TCP/UDP port range for address mapping.
- If both an IP address and TCP/UDP ports are configured, both must match the destination tuple (IP address and port) of the packet.

L7 Signature
Click the toggle button to specify Layer 7-based custom application signatures, which are required to identify multiple applications running on the same L7 protocol. For example, applications such as Facebook and Yahoo Messenger can both run over HTTP, but they need to be identified as two different applications running on the same Layer 7 protocol. For more information, see Table 3.

Cacheable
Click the toggle button to enable caching of application identification results on the device.
Enable this option only when L7 signatures are configured alone in a custom signature. It is not supported for address-based, IP protocol-based, and ICMP-based custom application signatures.
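The constraints in Table 1 are easy to get wrong when signatures are generated by a script rather than typed into the page. The following validator, added here as an example and not part of the Juniper product or its API, encodes those constraints: the name character set and length, the order range and uniqueness, the ICMP and IP protocol ranges, the exclusion of protocols 1, 6 and 17, and the rule that Cacheable is supported only when an L7 signature is the sole criterion. The dict layout (keys such as `icmp_mapping`, `ip_protocol_mapping`, `l7_signature`) and the sample definitions are this example's own constructions.

```python
import re

# Constraints transcribed from Table 1 (Create Application Signature page).
NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,63}$")
ORDER_MIN, ORDER_MAX = 1, 50000
ICMP_MIN, ICMP_MAX = 0, 254
IP_PROTO_MIN, IP_PROTO_MAX = 0, 254
# Protocol numbers the page reserves for L7 signatures rather than IP protocol mapping.
RESERVED_IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
CRITERIA = ("icmp_mapping", "ip_protocol_mapping", "address_mapping", "l7_signature")


def _in_range(value, low, high) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_signature(sig: dict) -> list:
    """Return the constraint violations for one signature definition (empty list = OK).

    The dict keys (name, description, order, priority, cacheable, one key per criterion)
    are this example's own representation of the page's fields, not a product schema.
    """
    problems = []
    if not NAME_RE.match(sig.get("name", "")):
        problems.append("name: 1-63 alphanumerics, colons, periods, dashes or underscores; no spaces")
    if len(sig.get("description", "")) > 255:
        problems.append("description: longer than 255 characters")
    if not _in_range(sig.get("order"), ORDER_MIN, ORDER_MAX):
        problems.append("order: must be an integer in 1-50000")
    if sig.get("priority") not in ("high", "low"):
        problems.append("priority: must be high or low")

    enabled = [c for c in CRITERIA if sig.get(c) is not None]
    if not enabled:
        problems.append("criteria: enable at least one of " + ", ".join(CRITERIA))

    icmp = sig.get("icmp_mapping")
    if icmp is not None:
        if not _in_range(icmp.get("type"), ICMP_MIN, ICMP_MAX):
            problems.append("icmp_mapping.type: required, must be in 0-254")
        if "code" in icmp and not _in_range(icmp["code"], ICMP_MIN, ICMP_MAX):
            problems.append("icmp_mapping.code: must be in 0-254")

    proto = sig.get("ip_protocol_mapping")
    if proto is not None:
        if not _in_range(proto, IP_PROTO_MIN, IP_PROTO_MAX):
            problems.append("ip_protocol_mapping: must be in 0-254")
        elif proto in RESERVED_IP_PROTOCOLS:
            problems.append(f"ip_protocol_mapping: {proto} ({RESERVED_IP_PROTOCOLS[proto]}) "
                            "is not allowed; use an L7 signature instead")

    # Cacheable is supported only when the L7 signature is the sole criterion.
    if sig.get("cacheable") and enabled != ["l7_signature"]:
        problems.append("cacheable: supported only when L7 signature is the only criterion")
    return problems


def duplicate_orders(signatures: list) -> list:
    """Return order values shared by more than one signature; orders must be unique."""
    seen, dupes = set(), set()
    for sig in signatures:
        order = sig.get("order")
        if order in seen:
            dupes.add(order)
        seen.add(order)
    return sorted(dupes)


# Constructed sample definitions; names and values are invented for this example.
GOOD = {
    "name": "corp-intranet-wiki", "description": "Internal wiki over HTTP",
    "order": 1000, "priority": "high",
    "l7_signature": {"over": "HTTP"}, "cacheable": True,
}
BAD = {
    "name": "bad name with spaces", "order": 0, "priority": "medium",
    "ip_protocol_mapping": 6, "cacheable": True,
}

if __name__ == "__main__":
    print("good:", validate_signature(GOOD) or "no problems")
    for problem in validate_signature(BAD):
        print("bad:", problem)
    print("duplicate orders:", duplicate_orders([GOOD, dict(GOOD, name="corp-intranet-docs")]))
```

Running the script reports no problems for GOOD and five for BAD: the name contains spaces, the order is below 1, the priority is neither high nor low, protocol 6 (TCP) is reserved for L7 signatures, and Cacheable is set on an IP protocol-based signature.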
Table 2: Fields on the Add IP Address Mapping Page

Name
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; the maximum length is 63 characters.

IP Address
Enter the destination IPv4 or IPv6 address of the application.

CIDR
Enter a CIDR value (prefix length) for the IP address that you assign to the application.
Range for an IPv4 address is 1-32.
Range for an IPv6 address is 1-128.

TCP Port Range
(Optional) Enter a space-separated list of ports or port ranges to match a TCP destination port for Layer 3 and Layer 4 address-based custom applications.
The range is 0-65535.
Example: 80-82 443

UDP Port Range
(Optional) Enter a space-separated list of ports or port ranges to match a UDP destination port for Layer 3 and Layer 4 address-based custom applications.
The range is 0-65535.
Example: 160-162 260
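To make the address mapping semantics concrete, here is an added example (not Juniper code) that parses the port-range syntax of Table 2, enforces the CIDR ranges for IPv4 and IPv6, applies the Table 1 note that an address or a port range must be present and that both must match when both are configured, and resolves several matching address mappings by order, lower order winning. The mapping names, addresses and ports are constructed for the example; the decision that a flow on a transport with no configured ports (for instance UDP when only TCP ports are set) does not match is this example's assumption, not something the page states.

```python
import ipaddress

PORT_MIN, PORT_MAX = 0, 65535


def parse_port_ranges(spec: str) -> list:
    """Parse a space-separated list such as "80-82 443" into (low, high) tuples.

    Raises ValueError for a port outside 0-65535 or a reversed range.
    """
    ranges = []
    for token in spec.split():
        if "-" in token:
            low, high = (int(part) for part in token.split("-", 1))
        else:
            low = high = int(token)
        if not PORT_MIN <= low <= high <= PORT_MAX:
            raise ValueError(f"invalid port range: {token!r}")
        ranges.append((low, high))
    return ranges


class AddressMapping:
    """One row of Table 2: a destination network and/or TCP and UDP destination port ranges."""

    def __init__(self, name, ip_address=None, cidr=None, tcp_ports="", udp_ports=""):
        # Table 1 note: an IP address or a TCP/UDP port range (or both) must be present.
        if ip_address is None and not tcp_ports and not udp_ports:
            raise ValueError("specify an IP address or a TCP/UDP port range")
        self.name = name
        self.network = None
        if ip_address is not None:
            addr = ipaddress.ip_address(ip_address)
            max_prefix = 32 if addr.version == 4 else 128   # Table 2 CIDR ranges
            if cidr is None or not 1 <= cidr <= max_prefix:
                raise ValueError(f"CIDR for IPv{addr.version} must be 1-{max_prefix}")
            self.network = ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
        self.ports = {"tcp": parse_port_ranges(tcp_ports), "udp": parse_port_ranges(udp_ports)}

    def matches(self, transport: str, dst_ip: str, dst_port: int) -> bool:
        """True when the destination tuple satisfies every configured part of the mapping.

        When both an address and ports are configured, both must match (Table 1 note).
        A flow on a transport with no configured ports is treated as not matching;
        that reading is this example's assumption.
        """
        if self.network is not None and ipaddress.ip_address(dst_ip) not in self.network:
            return False
        if self.ports["tcp"] or self.ports["udp"]:
            return any(low <= dst_port <= high for low, high in self.ports.get(transport, []))
        return True


def classify(ordered_mappings: list, transport: str, dst_ip: str, dst_port: int):
    """Pick among matching address mappings of the same type by order (lower wins).

    ordered_mappings holds (order, AddressMapping) pairs; returns the winning name or None.
    """
    hits = [(order, m.name) for order, m in ordered_mappings
            if m.matches(transport, dst_ip, dst_port)]
    return min(hits)[1] if hits else None


# Constructed mappings for a private network; names, addresses and orders are invented.
CORP_WEB = AddressMapping("corp-web", "10.20.0.0", 16, tcp_ports="80-82 443")
CORP_WIKI = AddressMapping("corp-wiki", "10.20.5.7", 32, tcp_ports="443")
CORP_UDP = AddressMapping("corp-udp-telemetry", udp_ports="160-162 260")  # port-only mapping
MAPPINGS = [(2000, CORP_WEB), (1000, CORP_WIKI), (3000, CORP_UDP)]

if __name__ == "__main__":
    for flow in [("tcp", "10.20.5.7", 443), ("tcp", "10.20.9.9", 443),
                 ("tcp", "10.20.9.9", 8443), ("udp", "192.0.2.10", 161)]:
        print(flow, "->", classify(MAPPINGS, *flow))
```

The first flow matches both corp-web and corp-wiki; corp-wiki wins because its order (1000) is lower. The third flow hits the corp-web network but not its port list, so it is unclassified, which is the "both must match" rule in action.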
Table 3: Fields on the Add Signature Page

Over Protocol
Displays the application protocol over which the signature is matched.
Example: HTTP

Signature Name
Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed, and the maximum length is 63 characters.

Port Range
Enter the port range for the application.
Range is 0-65535.
Example: 80-82 443

Add Members
Click the plus icon (+) to add the member details.

Member No.
Displays the member name for a custom application signature. Custom signatures can contain multiple members that define attributes for an application. The supported member name range is m01 through m15.

Context
Select the service-specific context.
- For L7 signatures over HTTP, select any of the following contexts:
  - http-get-url-parsed-param-parsed
  - http-header-content-type
  - http-header-cookie
  - http-header-host
  - http-header-user-agent
  - http-post-url-parsed-param-parsed
  - http-post-variable-parsed
  - http-url-parsed
  - http-url-parsed-param-parsed
- For L7 signatures over SSL, select the service-specific context ssl-server-name.
- For L7 signatures over TCP, select the service-specific context stream.
- For L7 signatures over UDP, select the service-specific context stream.
For possible combinations of context and direction for L7 application creation, see context (Application Identification).

Direction
Select the direction of the packet flow to which the signature must be matched.
- any: The direction of packet flow can be either from client side to server side or from server side to client side.
- client-to-server: The direction of packet flow is from client side to server side.
- server-to-client: The direction of packet flow is from server side to client side.

Pattern
Enter the deterministic finite automaton (DFA) pattern matched on the context. The DFA pattern specifies the pattern to be matched for the signature. The maximum length is 128.
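The example below, added here and not part of the Juniper product, models an L7 signature from Table 3: members numbered m01 through m15, each with a context that must be valid for the protocol the signature runs over, a direction from the three listed, and a pattern of at most 128 characters that is matched on the context. It also includes a small constructed helper that pulls the HTTP header and URL contexts out of a raw request so the signature can be exercised offline. Two things are this example's assumptions rather than statements from the page: Python's `re` module stands in for the device's DFA pattern engine, and a signature is treated as matching only when all of its members match. The signature name, hostnames and requests are invented.

```python
import re

# Contexts listed in Table 3, keyed by the protocol the signature runs over.
HTTP_CONTEXTS = {
    "http-get-url-parsed-param-parsed", "http-header-content-type", "http-header-cookie",
    "http-header-host", "http-header-user-agent", "http-post-url-parsed-param-parsed",
    "http-post-variable-parsed", "http-url-parsed", "http-url-parsed-param-parsed",
}
CONTEXTS_BY_PROTOCOL = {
    "HTTP": HTTP_CONTEXTS, "SSL": {"ssl-server-name"}, "TCP": {"stream"}, "UDP": {"stream"},
}
DIRECTIONS = ("any", "client-to-server", "server-to-client")
MEMBER_RE = re.compile(r"^m(0[1-9]|1[0-5])$")   # m01 through m15
MAX_PATTERN_LEN = 128


class Member:
    """One signature member: a pattern matched on a context in a given flow direction."""

    def __init__(self, number: str, context: str, pattern: str, direction: str = "any"):
        if not MEMBER_RE.match(number):
            raise ValueError(f"member number must be m01-m15, got {number!r}")
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")
        if len(pattern) > MAX_PATTERN_LEN:
            raise ValueError("pattern longer than 128 characters")
        self.number, self.context, self.direction = number, context, direction
        # Python's re stands in for the device's DFA engine (assumption; dialects differ).
        self.regex = re.compile(pattern)


class L7Signature:
    def __init__(self, name: str, over: str, members: list):
        if over not in CONTEXTS_BY_PROTOCOL:
            raise ValueError(f"unsupported protocol {over!r}")
        for m in members:
            if m.context not in CONTEXTS_BY_PROTOCOL[over]:
                raise ValueError(f"context {m.context!r} is not valid over {over}")
        self.name, self.over, self.members = name, over, members

    def matches(self, contexts: dict, direction: str) -> bool:
        """True when every member's pattern is found in its context for a flow in `direction`.

        Treating the members as a conjunction is this example's assumption; the page only
        says a signature may contain several members.
        """
        for m in self.members:
            if m.direction != "any" and m.direction != direction:
                return False
            value = contexts.get(m.context)
            if value is None or not m.regex.search(value):
                return False
        return True


def http_request_contexts(raw: str) -> dict:
    """Constructed helper (not the device's parser): extract Table 3 HTTP contexts from a request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, url, _version = head[0].split(" ", 2)
    contexts = {"http-url-parsed": url}
    for line in head[1:]:
        name, _, value = line.partition(":")
        key = "http-header-" + name.strip().lower()
        if key in HTTP_CONTEXTS:
            contexts[key] = value.strip()
    return contexts


# Constructed signature and requests; the name, hosts and patterns are invented.
CORP_WIKI = L7Signature("corp-wiki", "HTTP", [
    Member("m01", "http-header-host", r"^wiki\.corp\.example$", "client-to-server"),
    Member("m02", "http-url-parsed", r"^/wiki/"),
])
WIKI_REQUEST = ("GET /wiki/index.php?title=Main_Page HTTP/1.1\r\n"
                "Host: wiki.corp.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
OTHER_REQUEST = ("GET /wiki/Start HTTP/1.1\r\n"
                 "Host: docs.corp.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    for label, request in (("wiki", WIKI_REQUEST), ("other", OTHER_REQUEST)):
        print(label, CORP_WIKI.matches(http_request_contexts(request), "client-to-server"))
```

The second request shares the `/wiki/` URL prefix but carries a different Host header, so it does not match; this is the kind of case the page has in mind when it says several applications can run over the same L7 protocol and still need to be told apart.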