Beginning with Junos 15.1X49-D40, Application identification (AppID) supports user-defined custom application signatures and signature groups. See Configuring Junos OS Application Identification Custom Application Signatures.
Since the major AppID update in Junos 12.1X47 (also called AppID 2.0), custom application signatures had been unsupported. See TSB16704 - AppID Major Update.
This article provides an example on how to configure and verify AppFW using a custom application signature.
Topology
Goal
To block HTTP clients from accessing ‘http://abc123.com’ using application firewall (AppFW) with a custom application signature.
Prerequisite
An AppID license is required to configure the custom AppID signature. Verify that the license is installed on the SRX with the command 'show system license'.
root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  appid-sig                             0            1           0    2017-11-24 00:00:00 UTC
For information about the AppID license, refer to Understanding the Junos OS Application Package Installation.
Configuration
- Define custom signature
Example: Create 'custom-http'
set services application-identification application custom-http over HTTP signature s1 member m01 context http-header-host
set services application-identification application custom-http over HTTP signature s1 member m01 pattern ".*abc123.*"
set services application-identification application custom-http over HTTP signature s1 member m01 direction client-to-server
Notes:
- Regular expressions can be used to define patterns. For example, the pattern ".*abc123.*" matches "abc123.com", "www.abc123.net", and so on.
- The pattern should not start with "*". For example, the pattern "*.abc123.*" will either fail at commit or, in some combinations where the commit succeeds, be treated as literal characters rather than as a wildcard. Refer to the KB link below for more details on supported patterns.
- The context http-header-host (see configuration above) checks the string in the "Host" header of the HTTP GET request (see picture below).
- For troubleshooting, if the SRX does not block the URL in spite of the custom signature being configured, collect a packet capture and confirm that the string specified in the pattern appears in the "Host" header.
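The following added example (not part of the original article or of Junos) emulates what the custom-http signature above evaluates, so the troubleshooting step can be rehearsed offline: it pulls the Host header out of a raw client-to-server HTTP request, applies the signature pattern, and rejects a pattern that starts with "*". It assumes the Junos pattern is a full-match regular expression, which is why the article's pattern begins and ends with ".*"; the sample requests are constructed, not captured.

```python
import re

# Pattern exactly as written in the custom-http signature in this article.
APPID_PATTERN = r".*abc123.*"

def validate_pattern(pattern):
    """Return a compiled regex, or raise if the pattern starts with '*'
    (which the article says fails at commit or is treated literally)."""
    if pattern.startswith("*"):
        raise ValueError("pattern must not start with '*': %r" % pattern)
    return re.compile(pattern)

def pattern_is_valid(pattern):
    """Boolean wrapper around validate_pattern for quick checks."""
    try:
        validate_pattern(pattern)
        return True
    except (ValueError, re.error):
        return False

def extract_host(raw_request):
    """Return the Host header value from a raw HTTP request (bytes),
    or None if the request carries no Host header."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def signature_matches(raw_request, pattern=APPID_PATTERN):
    """Emulate context http-header-host, direction client-to-server:
    full-match the pattern against the Host header (assumed semantics)."""
    regex = validate_pattern(pattern)
    host = extract_host(raw_request)
    return host is not None and regex.fullmatch(host) is not None

# Constructed sample requests (hypothetical, not from a real capture).
SAMPLE_REQUESTS = {
    "blocked":      b"GET / HTTP/1.1\r\nHost: www.abc123.net\r\nUser-Agent: x\r\n\r\n",
    "blocked_port": b"GET /index.html HTTP/1.1\r\nHost: abc123.com:8080\r\n\r\n",
    "allowed":      b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "no_host":      b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, "->", "deny" if signature_matches(req) else "permit")
```

If a request from your own capture returns "permit" here, the Host value does not satisfy the pattern and the signature will not fire on the SRX either.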

- Create application firewall
Example: Configure application firewall to deny traffic to "abc123.com".
set security application-firewall rule-sets block rule r1 match dynamic-application custom-http
set security application-firewall rule-sets block rule r1 then deny
set security application-firewall rule-sets block default-rule permit
- Apply application firewall to security policy
set security policies from-zone trust to-zone untrust policy tr-un match source-address any
set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
set security policies from-zone trust to-zone untrust policy tr-un match application any
set security policies from-zone trust to-zone untrust policy tr-un then permit application-services application-firewall rule-set block
set security policies from-zone trust to-zone untrust policy tr-un then log session-close
Verification
When the SRX detects the pattern in the HTTP GET command, the counter 'Number of sessions matched' in 'show security application-firewall rule-set all' will increase.
root> show security application-firewall rule-set all
Rule-set: block
Rule: r1
Dynamic Applications: custom-http
SSL-Encryption: any
Action:deny
Number of sessions matched: 21 <<<
Number of sessions redirected: 0
Default rule:permit
Number of sessions matched: 314
Number of sessions redirected: 0
Number of sessions with appid pending: 0
If 'then log session-close' is configured in the security policy, the following close log is written to syslog when a session is denied by this application firewall:
RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed application failure or action: 192.168.50.1/53028->172.27.117.198/80 0x0 junos-http 172.27.117.197/32622->172.27.117.198/80 0x0 source rule R1 N/A N/A 6 tr-un trust untrust 432924 3(533) 1(52) 1 HTTP CUSTOM-HTTP N/A(N/A) ge-0/0/2.0 No
2020-10-01: Added an additional note on supported patterns and added a related link.