On SRX platforms, there are two different types of application services that can be used in security policies:
- Default (predefined) Junos applications: applications whose names start with junos-xxxxx
- Custom applications that we manually create to expand our security policies and to use services otherwise not available within the default Junos OS set
When custom applications are created, the inactivity timeout can be specified. For predefined applications, timeouts are predefined for various services.
This article explains how to check application timeouts for default Junos OS applications on SRX devices.
The only way to actually see timeouts for default (predefined) applications is to extract this information directly from the flowd process. On SRX branch devices, this information is taken from the FWDD process. On SRX high-end devices, you need to connect and get this information from the SPU (security processing unit) level.
Commands that are used for this purpose are:
SRX Branch (SRX1xx, SRX2xx, SRX6xx):
On SRX Branch platforms, there are two ways to send commands to FWDD:
- Log in as either the root user or a user member of the super-user class and use the following CLI command to obtain this information:
root@SRX_1> request pfe execute target fwdd command "show usp app-def tcp"
SENT: Ukern command: show usp app-def tcp
GOT:
GOT: tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
GOT: tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
GOT: tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
...
- Log in as the root user, go to the FreeBSD shell, and use the vty command to send instructions to FWDD:
root@SRX_1> start shell user root
root@SRX_1% vty -c "show usp app-def tcp" fwdd
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
- The same commands work for the UDP application table. Log in as either the root user or a user member of the super-user class and use the following CLI command to obtain this information:
root@SRX_1> request pfe execute target fwdd command "show usp app-def udp"
SENT: Ukern command: show usp app-def udp
GOT:
GOT: udp port=0, appl_name=junos-udp-any, service type=0, alg id=0, timeout=60
GOT: udp port=7, appl_name=junos-echo, service type=0, alg id=0, timeout=60
GOT: udp port=9, appl_name=junos-discard, service type=19, alg id=0, timeout=60
GOT: udp port=19, appl_name=junos-chargen, service type=18, alg id=0, timeout=60
GOT: udp port=53, appl_name=junos-dns-udp, service type=16, alg id=16, timeout=60
GOT: udp port=67, appl_name=junos-dhcp-server, service type=28, alg id=0, timeout=60
GOT: udp port=68, appl_name=junos-dhcp-client, service type=28, alg id=0, timeout=60
SRX High End platforms (SRX1K, SRX3K, SRX5K)
On SRX High End devices, there are several ways to send the same command to one or multiple SPUs. The configuration for all predefined applications and all custom-created applications is pushed to every SPU, so the application timeout information can be retrieved from any SPU in the chassis by sending the show usp app-def command to that SPU.
Before continuing with the various ways to get the application timeouts, you need to determine the name of the SPU to which the command will be sent.
SPU names:
{primary:node0}
root@SRX1> show chassis fpc pic-status
node0:
--------------------------------------------------------------------------
Slot 1 Online SRX5k DPC 4X 10GE
PIC 0 Online 1x 10GE(LAN/WAN) RichQ
PIC 1 Online 1x 10GE(LAN/WAN) RichQ
PIC 2 Online 1x 10GE(LAN/WAN) RichQ
PIC 3 Online 1x 10GE(LAN/WAN) RichQ
Slot 3 Online SRX5k DPC 40x 1GE
PIC 0 Online 10x 1GE RichQ
PIC 1 Online 10x 1GE RichQ
PIC 2 Online 10x 1GE RichQ
PIC 3 Online 10x 1GE RichQ
Slot 5 Online SRX5k SPC
PIC 0 Online SPU Cp-Flow
PIC 1 Online SPU Flow
.......
In this example, the device is node0 of a chassis cluster. There is an SPC card in slot 5, and this SPC has 2 SPUs: PIC 0 and PIC 1. From this, the SPU names can be derived as node0.fpc5.pic0 and node0.fpc5.pic1.
These SPU names can also be found with the following FreeBSD shell command (as root user):
{primary:node0}
root@SRX1> start shell user root
root@SRX1% tnpdump | grep pic
node0.fpc5.pic0 0x1100115 02:00:00:01:01:15 em0 1500 2 0 3
node0.fpc5.pic1 0x1100215 02:00:00:01:02:15 em0 1500 2 0 3
If the chassis cluster is not used, SPU names will lose the node0/node1 prefixes; that is, the SPU names would be fpc5.pic0 and fpc5.pic1.
To obtain the application timeout information for default applications on SRX high end devices:
- Log in as either the root user or a user member of the super-user class and use the following CLI command to obtain this information:
root@SRX1> request pfe execute target tnp tnp-name <SPU name> command "show usp app-def tcp"
For example:
root@SRX1> request pfe execute target tnp tnp-name node0.fpc5.pic0 command "show usp app-def tcp"
SENT: Ukern command: show usp app-def tcp
GOT:
GOT: tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
GOT: tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
GOT: tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
GOT: tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
... etc ...
- Log in as the root user, go to the FreeBSD shell, and use the following command to send the request to a single SPU:
root@SRX1> start shell user root
root@SRX1% cprod -A <SPU name> -c "show usp app-def tcp"
For example:
root@SRX1% cprod -A node0.fpc5.pic0 -c "show usp app-def tcp"
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
- On devices that run Junos OS 10.1 or later, FreeBSD contains a shell script command that can send various commands to multiple SPUs (or other components) without having to identify their names. This is convenient for quickly executing a command on multiple SPUs at the same time.
To use this script, log in as the root user, go to the FreeBSD shell, and run the following commands:
root@SRX1> start shell user root
root@SRX1% srx-cprod.sh -s spu -c "show usp app-def tcp"
The script prints the ID of the SPU that is currently processing the command ahead of that SPU's output. As no particular SPU was specified, the command is executed on each SPU in sequential order.
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
tcp port=25, appl_name=junos-smtp, service type=7, alg id=0, timeout=1800
tcp port=43, appl_name=junos-whois, service type=46, alg id=0, timeout=1800
The timeout value being displayed is the application timeout in seconds.
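Because the record format is the same on every path shown above (request pfe execute, vty, cprod, srx-cprod.sh), a captured listing can be parsed to audit which predefined applications a policy inherits long inactivity timeouts from. The following Python is an added example, not part of the article or Junos OS: it parses constructed sample output in the article's format, tolerates the "GOT:" prefix and records run together on one line, and answers "which application and timeout apply to this port?".

```python
import re
from typing import Dict, List, NamedTuple, Optional

class AppDef(NamedTuple):
    proto: str          # "tcp" or "udp"
    port: int
    name: str           # e.g. junos-ssh
    service_type: int
    alg_id: int
    timeout: int        # inactivity timeout in seconds

# One record as printed by "show usp app-def tcp|udp". The pattern is not
# anchored, so the "GOT: " prefix added by "request pfe execute" is ignored
# and records that a terminal capture ran together on one line are still found.
_RECORD = re.compile(
    r"(?P<proto>tcp|udp) port=(?P<port>\d+), appl_name=(?P<name>[^,\s]+), "
    r"service type=(?P<stype>\d+), alg id=(?P<alg>\d+), timeout=(?P<timeout>\d+)"
)

def parse_app_defs(output: str) -> List[AppDef]:
    """Return every application record found in the captured output."""
    return [
        AppDef(m["proto"], int(m["port"]), m["name"],
               int(m["stype"]), int(m["alg"]), int(m["timeout"]))
        for m in _RECORD.finditer(output)
    ]

def timeout_for(defs: List[AppDef], proto: str, port: int) -> Optional[AppDef]:
    """Predefined application registered for a protocol/port, or None if unlisted."""
    return next((d for d in defs if d.proto == proto and d.port == port), None)

def group_by_timeout(defs: List[AppDef]) -> Dict[int, List[str]]:
    """Application names bucketed by timeout, to spot unusually long ones quickly."""
    groups: Dict[int, List[str]] = {}
    for d in defs:
        groups.setdefault(d.timeout, []).append(d.name)
    return groups

# Constructed sample mirroring the article's output; not a real device capture.
SAMPLE_OUTPUT = """\
SENT: Ukern command: show usp app-def tcp
GOT:
GOT: tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
GOT: tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
GOT: tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800
udp port=0, appl_name=junos-udp-any, service type=0, alg id=0, timeout=60
udp port=53, appl_name=junos-dns-udp, service type=16, alg id=16, timeout=60
"""
```

Feed it the text saved from any of the commands above; TCP and UDP listings can be concatenated into one capture since each record carries its protocol.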