
[Archive] How to create and use a custom application on SRX and J Series devices


Article ID: KB13365 | Last Updated: 06 Mar 2017 | Version: 4.0

Summary:

This article provides the steps to create a custom application and use that application in a security policy.

Solution:

There are three basic steps to creating a custom application and applying it to a security policy:

  1. Create address book entries for the source and destination addresses.
  2. Create the custom application if no pre-defined applications encompass the protocol or ports needed.
  3. Create a security policy to permit the traffic using the custom application.

For this example we will configure a policy to permit a custom application using TCP port 1500 from "local-net" 192.168.10.0/24 to "remote-net" 192.168.20.0/24.

Create the address book entries for the source and destination addresses

From J-Web:
  1. Go to Configuration > Quick Configuration > Security Policies.
  2. To add an address book entry for each zone, click on Create Address Books.
  3. Click on the zone for which you would like to add an address book entry (example: zone trust).
  4. If the required address book entry does not exist, click Add...
  5. In the Address Name field, specify a name (example: "local-net").  Note: the name must be a string beginning with a letter and consisting only of letters, numbers, dashes and underscores.
  6. In IP Address/Prefix, enter the IP address/subnet mask (example: 192.168.10.0/24).
     or
     In DNS Name, specify a fully qualified domain name.  Note: the J Series or SRX Series device must have a working DNS server configured to resolve the domain name.
  7. Click OK.
  8. Repeat steps 3-7 for the zone untrust address book entry "remote-net". Click OK again to return to the Security Policies screen.
From CLI:
    set security zones security-zone trust address-book address local-net 192.168.10.0/24
    set security zones security-zone untrust address-book address remote-net 192.168.20.0/24

Creating a custom application

From J-Web:
  1. From Configuration > Quick Configuration > Security Policies screen, click on Applications / Application Sets.
  2. Select Custom-Applications tab.
  3. Click Add...
  4. Specify Application Name (example: tcp1500), then click (plus box) for Configure top level options.
  5. Click on Match IP protocol pull down and choose tcp.
  6. Enter 1500 in the freeform field for Destination port (not the pull-down field).  Note: since the application can use any source port, it is not necessary to also specify a source port for the application.
  7. Click OK.  Then click OK again to return to the Security Policies screen.
From CLI:
    set applications application tcp1500 protocol tcp
    set applications application tcp1500 destination-port 1500
Note that if all applications are to be allowed, no custom application is needed, since the pre-defined application "any" already exists.  In that case the step above is not necessary.


Creating a security policy to permit the traffic using the custom application

From J-Web:

  1. From Configuration > Quick Configuration > Security Policies screen, click Policies.
  2. In Zone Direction, select From Zone trust and To Zone untrust.
  3. Click Add a Policy.
  4. Specify Policy Name (example: "policy-tr-unt"), then click (plus box) for Match Criterias.
  5. Select Source Address Book "local-net" object on the right side and click (left arrow) to add to the Matched list.
  6. Select Destination Address Book "remote-net" object and click (left arrow) to add to the Matched list.
  7. Select Application "tcp1500" and click (left arrow) to add to the Matched list. 
  8. For Policy Action, select Permit from the pull down.
  9. Click OK to commit changes.  Then click OK again to return to main policy configuration screen.
From CLI:
    set security policies from-zone trust to-zone untrust policy policy-tr-unt match source-address local-net
    set security policies from-zone trust to-zone untrust policy policy-tr-unt match destination-address remote-net
    set security policies from-zone trust to-zone untrust policy policy-tr-unt match application tcp1500
    set security policies from-zone trust to-zone untrust policy policy-tr-unt then permit

Note: The ordering of policies is important.  J Series and SRX Series devices perform policy lookup from top to bottom until a match is found; at that point no further policy lookup occurs.  Therefore, if a deny-all policy exists, be sure that the policy created is placed above the deny-all policy; otherwise the new policy will never be reached.  To re-arrange policy order, use the Move up or Move down option in the Security Policies screen in J-Web, or the insert command in the CLI.  For more information, consult KB10120 - How to change the order of the policies on a J Series or SRX Series device, and why that is important?.
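The three steps above and the ordering note map cleanly onto a small script. The following Python is an added example, not Juniper code and not part of the original article: it generates the CLI "set" commands for the article's scenario (tcp/1500 from "local-net" to "remote-net"), enforces the object naming rule and port range stated above, rejects a prefix with host bits set, and performs a simplified first-match check that reports when an earlier policy (for example a deny-all) would shadow the new one. The shadow check is an assumption-level simplification: it treats a match value as covering another only when it is "any" or the identical object, and does not analyse overlapping subnets.

```python
import ipaddress
import re

# Junos object names must begin with a letter and may contain only letters,
# digits, dashes and underscores (the naming rule the article states).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def check_name(name):
    """Raise ValueError if `name` is not a valid address/application/policy name."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid Junos object name: {name!r}")
    return name


def address_book_cmds(zone, name, prefix):
    """Step 1: 'set' command for one address-book entry in a security zone.
    strict=True rejects host bits set inside the prefix (e.g. 192.168.10.1/24)."""
    check_name(zone)
    check_name(name)
    net = ipaddress.ip_network(prefix, strict=True)
    return [f"set security zones security-zone {zone} address-book address {name} {net}"]


def custom_app_cmds(name, proto, dport, sport=None):
    """Step 2: 'set' commands for a custom application.
    The source port is omitted unless given, as the article recommends."""
    check_name(name)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto!r}")
    for port in (dport,) + ((sport,) if sport is not None else ()):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port!r}")
    cmds = [f"set applications application {name} protocol {proto}",
            f"set applications application {name} destination-port {dport}"]
    if sport is not None:
        cmds.append(f"set applications application {name} source-port {sport}")
    return cmds


def policy_cmds(from_zone, to_zone, name, src, dst, app, action="permit"):
    """Step 3: 'set' commands for a policy matching src/dst/app with `action`."""
    for n in (from_zone, to_zone, name):
        check_name(n)
    if action not in ("permit", "deny", "reject"):
        raise ValueError(f"unsupported action: {action!r}")
    base = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {name}"
    return [f"{base} match source-address {src}",
            f"{base} match destination-address {dst}",
            f"{base} match application {app}",
            f"{base} then {action}"]


def shadowed_by(policies, new_name):
    """First-match check for one zone pair (the note on policy order).

    `policies` is the ordered list of dicts with keys name/src/dst/app/action
    in the order the device evaluates them, top to bottom.  Returns the name of
    the first earlier policy whose match covers everything the policy `new_name`
    would match, or None.  Simplification (an assumption, not Junos logic): a
    value covers another only if it is 'any' or exactly the same object name;
    address-book entries that overlap as subnets are not analysed."""
    def covers(a, b):
        return a == "any" or a == b

    idx = next(i for i, p in enumerate(policies) if p["name"] == new_name)
    new = policies[idx]
    for earlier in policies[:idx]:
        if all(covers(earlier[k], new[k]) for k in ("src", "dst", "app")):
            return earlier["name"]
    return None


def build_article_example():
    """All 'set' commands for the article's scenario: tcp/1500, local-net -> remote-net."""
    return (address_book_cmds("trust", "local-net", "192.168.10.0/24")
            + address_book_cmds("untrust", "remote-net", "192.168.20.0/24")
            + custom_app_cmds("tcp1500", "tcp", 1500)
            + policy_cmds("trust", "untrust", "policy-tr-unt",
                          "local-net", "remote-net", "tcp1500"))


if __name__ == "__main__":
    print("\n".join(build_article_example()))
    # Constructed policy order: a catch-all deny sits above the new policy,
    # so the new policy is never reached and the check reports "deny-all".
    order = [
        {"name": "deny-all", "src": "any", "dst": "any", "app": "any", "action": "deny"},
        {"name": "policy-tr-unt", "src": "local-net", "dst": "remote-net",
         "app": "tcp1500", "action": "permit"},
    ]
    print("shadowed by:", shadowed_by(order, "policy-tr-unt"))
```

Run it as-is to print the eight commands matching the CLI lines above; swap the two entries in `order` to see the shadow check return None once the permit policy sits above the deny-all.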

Examples:
Below are two custom applications created for TCP ports 5000 and 5001:

applications {
    application tcp_port_5000 {
        protocol tcp;
        destination-port 5000;
    }
    application tcp_port_5001 {
        protocol tcp;
        destination-port 5001;
    }
}


Then create security policies between the desired security zones. Below, each policy references one of the custom applications:

[security policies]
from-zone inside to-zone outside {
    policy telnet_100 {
        match {
            source-address any;
            destination-address host_public;
            application tcp_port_5000;
        }
        then {
            permit;
        }
    }
    policy telnet_101 {
        match {
            source-address any;
            destination-address host_public;
            application tcp_port_5001;
        }
        then {
            permit;
        }
    }
}
