
[SRX] How to check application timeout for default Junos applications on SRX devices


Article ID: KB21344 KB Last Updated: 23 Apr 2020Version: 5.0
Summary:

On SRX platforms, there are two different types of application services that can be used in security policies:

  • Default (predefined) Junos applications: Applications that start with junos-xxxxx

  • Custom applications: Applications created manually to extend security policies with services that are not available in the default Junos OS set

When custom applications are created, the inactivity timeout can be specified. For predefined applications, timeouts are predefined for various services.

This article explains how to check application timeouts for default Junos OS applications on SRX devices.


Symptoms:
  • Currently there is no native CLI command that shows the individual timeout of each predefined application.

  • For custom applications, the timeout is kept within the configuration itself.

  • But for predefined applications, the timeouts are hard-coded and kept on the forwarding plane.


Solution:

The only way to actually see timeouts for default (predefined) applications is to extract this information directly from the flowd process. On SRX branch devices, this information is taken from the FWDD process. On SRX high-end devices, you need to connect and get this information from the SPU (security processing unit) level.

Commands that are used for this purpose are:

  • show usp app-def tcp: For TCP applications

  • show usp app-def udp: For UDP applications

SRX Branch (SRX1xx, SRX2xx, SRX6xx):

On SRX Branch platforms, there are two ways to send commands to FWDD:

  1. Log in as either the root user or a user member of the super-user class and use the following CLI command to obtain this information:

root@SRX_1> request pfe execute target fwdd command "show usp app-def tcp"
SENT: Ukern command: show usp app-def tcp
GOT:
GOT: tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
GOT: tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
GOT: tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
...
  2. Log in as the root user, go to the FreeBSD shell, and use the vty command to send instructions to FWDD:

root@SRX_1> start shell user root 
root@SRX_1% vty -c "show usp app-def tcp" fwdd
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
  3. For UDP applications, log in as either the root user or a user member of the super-user class and use the same CLI command with udp in place of tcp:

root@SRX_1> request pfe execute target fwdd command "show usp app-def udp"
SENT: Ukern command: show usp app-def udp
GOT:
GOT: udp port=0, appl_name=junos-udp-any, service type=0, alg id=0, timeout=60
GOT: udp port=7, appl_name=junos-echo, service type=0, alg id=0, timeout=60
GOT: udp port=9, appl_name=junos-discard, service type=19, alg id=0, timeout=60
GOT: udp port=19, appl_name=junos-chargen, service type=18, alg id=0, timeout=60
GOT: udp port=53, appl_name=junos-dns-udp, service type=16, alg id=16, timeout=60
GOT: udp port=67, appl_name=junos-dhcp-server, service type=28, alg id=0, timeout=60
GOT: udp port=68, appl_name=junos-dhcp-client, service type=28, alg id=0, timeout=60

SRX High End platforms (SRX1K, SRX3K, SRX5K)

On SRX High End devices, there are several ways to send the same command towards one or multiple SPUs. All predefined applications and all custom-created applications are pushed to every SPU, so the application timeout information can be retrieved from any SPU in the chassis by sending the show usp app-def command to that SPU.

Before continuing with the various ways to get the application timeouts, you need to determine the name of the SPU to which the command will be sent.

SPU names:

{primary:node0}
root@SRX1> show chassis fpc pic-status
node0:
--------------------------------------------------------------------------
Slot 1 Online SRX5k DPC 4X 10GE
PIC 0 Online 1x 10GE(LAN/WAN) RichQ
PIC 1 Online 1x 10GE(LAN/WAN) RichQ
PIC 2 Online 1x 10GE(LAN/WAN) RichQ
PIC 3 Online 1x 10GE(LAN/WAN) RichQ
Slot 3 Online SRX5k DPC 40x 1GE
PIC 0 Online 10x 1GE RichQ
PIC 1 Online 10x 1GE RichQ
PIC 2 Online 10x 1GE RichQ
PIC 3 Online 10x 1GE RichQ
Slot 5 Online SRX5k SPC
PIC 0 Online SPU Cp-Flow
PIC 1 Online SPU Flow
.......

In this example, the device is node0 of a chassis cluster. There is an SPC card in slot 5, and this SPC has two SPUs: PIC 0 and PIC 1. From this, the SPU names can be derived as node0.fpc5.pic0 and node0.fpc5.pic1.

These SPU names can also be found with the following FreeBSD shell command (as root user):

{primary:node0}
root@SRX1> start shell user root 
root@SRX1% tnpdump | grep pic
node0.fpc5.pic0 0x1100115 02:00:00:01:01:15 em0 1500 2 0 3
node0.fpc5.pic1 0x1100215 02:00:00:01:02:15 em0 1500 2 0 3

If the chassis cluster is not used, SPU names will lose the node0/node1 prefixes; that is, the SPU names would be fpc5.pic0 and fpc5.pic1.

To obtain the application timeout information for default applications on SRX high end devices:

  1. Log in as either the root user or a user member of the super-user class and use the following CLI command to obtain this information:
root@SRX1> request pfe execute target tnp tnp-name <SPU name> command "show usp app-def tcp"

For example:

root@SRX1> request pfe execute target tnp tnp-name node0.fpc5.pic0 command "show usp app-def tcp"
SENT: Ukern command: show usp app-def tcp
GOT:
GOT: tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
GOT: tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
GOT: tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
GOT: tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
... etc ... 
  2. Log in as the root user, go to the FreeBSD shell, and use the following command to send the request to a single SPU:

root@SRX1> start shell user root
root@SRX1% cprod -A <SPU name> -c "show usp app-def tcp"

For example:

root@SRX1% cprod -A node0.fpc5.pic0 -c "show usp app-def tcp"
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
  3. On devices that run Junos OS 10.1 or later, FreeBSD contains a shell script that can send various commands to multiple SPUs (or other components) without having to identify their names. This is convenient for quickly executing commands on multiple SPUs at the same time.

To use this script, log in as the root user, go to FreeBSD, and run the following commands:

root@SRX1> start shell user root
root@SRX1% srx-cprod.sh -s spu -c "show usp app-def tcp"

Note: Because no particular SPU was specified, the command is executed on each SPU in sequential order, and the output of each SPU is preceded by the ID of the SPU that processed the command.

tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
tcp port=25, appl_name=junos-smtp, service type=7, alg id=0, timeout=1800
tcp port=43, appl_name=junos-whois, service type=46, alg id=0, timeout=1800

The timeout value being displayed is the application timeout in seconds.
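The output of the commands above is the only record of the predefined timeouts, so it is useful to parse it offline, for example when auditing how long idle sessions of a given service stay in the session table. The following Python script is an added example and is not Juniper code or part of this article; it assumes only the record format shown in the outputs above (the "GOT:" prefix from request pfe execute is optional, and records that were run together on one line when copied from cprod are handled too). The sample outputs embedded in the script are constructed from the lines shown in this article.

```python
"""Parse SRX 'show usp app-def tcp|udp' output (as returned via
'request pfe execute', 'vty', 'cprod' or 'srx-cprod.sh') into records and
answer timeout questions offline.  Added example; not Juniper code."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class AppDef(NamedTuple):
    proto: str          # "tcp" or "udp"
    port: int           # destination port; 0 is the protocol catch-all entry
    name: str           # predefined application name, e.g. junos-ssh
    service_type: int
    alg_id: int
    timeout: int        # inactivity timeout in seconds


# Unanchored on purpose: it matches whether each record sits on its own line
# (with or without the "GOT: " prefix) or several records were run together
# onto one line when the output was copied from the shell.
_REC_RE = re.compile(
    r"(?P<proto>tcp|udp) port=(?P<port>\d+), appl_name=(?P<name>[^,\s]+), "
    r"service type=(?P<stype>\d+), alg id=(?P<alg>\d+), timeout=(?P<timeout>\d+)"
)


def parse_app_defs(output: str) -> List[AppDef]:
    """Extract every app-def record; 'SENT:', bare 'GOT:' and '...' are ignored."""
    return [
        AppDef(m["proto"], int(m["port"]), m["name"],
               int(m["stype"]), int(m["alg"]), int(m["timeout"]))
        for m in _REC_RE.finditer(output)
    ]


def index_by_port(defs: List[AppDef]) -> Dict[Tuple[str, int], AppDef]:
    """Map (proto, port) -> record for direct lookups."""
    return {(d.proto, d.port): d for d in defs}


def lookup_timeout(defs: List[AppDef], proto: str, port: int) -> Optional[int]:
    """Timeout that applies to proto/port: the exact port entry if present,
    otherwise the port=0 catch-all (junos-tcp-any / junos-udp-any), else None."""
    idx = index_by_port(defs)
    hit = idx.get((proto, port)) or idx.get((proto, 0))
    return hit.timeout if hit else None


def apps_with_timeout_over(defs: List[AppDef], seconds: int) -> List[str]:
    """Names of applications whose idle timeout exceeds a given budget; handy
    when reviewing which services keep idle sessions in the table longest."""
    return [d.name for d in defs if d.timeout > seconds]


# Constructed sample: CLI form with the SENT:/GOT: wrapper and a trailing '...'.
SAMPLE_TCP_CLI = """\
SENT: Ukern command: show usp app-def tcp
GOT:
GOT: tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
GOT: tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
GOT: tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
GOT: tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
... etc ...
"""

# Constructed sample: bare vty form for UDP.
SAMPLE_UDP_VTY = """\
udp port=0, appl_name=junos-udp-any, service type=0, alg id=0, timeout=60
udp port=53, appl_name=junos-dns-udp, service type=16, alg id=16, timeout=60
udp port=67, appl_name=junos-dhcp-server, service type=28, alg id=0, timeout=60
udp port=68, appl_name=junos-dhcp-client, service type=28, alg id=0, timeout=60
"""

# Constructed sample: cprod output whose records were run together on one line.
SAMPLE_TCP_CPROD = (
    "tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800 "
    "tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800 "
    "tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800 "
    "tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800 "
)


if __name__ == "__main__":
    defs = parse_app_defs(SAMPLE_TCP_CLI) + parse_app_defs(SAMPLE_UDP_VTY)
    print(f"{'proto':<5} {'port':>5}  {'application':<20} {'timeout(s)':>10}")
    for d in defs:
        print(f"{d.proto:<5} {d.port:>5}  {d.name:<20} {d.timeout:>10}")
    print("tcp/8080 falls back to:", lookup_timeout(defs, "tcp", 8080), "s")
    print("idle > 600 s:", apps_with_timeout_over(defs, 600))
```

Paste the real output of the commands from your own device in place of the constructed samples; the fallback in lookup_timeout mirrors the port=0 catch-all entries (junos-tcp-any, junos-udp-any) that appear in every listing above.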


Modification History:

2020-04-23: Article reviewed for accuracy; no changes required; article still relevant and valid
