[SRX] How to configure a custom signature to block specific URLs using application firewall (AppFW)

[KB31293]


Summary:

Beginning with Junos 15.1X49-D40, Application identification (AppID) supports user-defined custom application signatures and signature groups. See Configuring Junos OS Application Identification Custom Application Signatures.

Since the major AppID update in Junos 12.1X47 (also called AppID 2.0), custom application signatures had been unsupported. See TSB16704 - AppID Major Update.

This article provides an example of how to configure and verify AppFW using a custom application signature.

Solution:

Topology

Goal

To block HTTP clients from accessing ‘http://abc123.com’ using application firewall (AppFW) with a custom application signature.

Prerequisite

An AppID license is required to configure the custom AppID signature. Verify that the license is installed on the SRX with the command ‘show system license’.

root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  appid-sig                             0            1           0    2017-11-24 00:00:00 UTC   

 

For information about the AppID license, refer to Understanding the Junos OS Application Package Installation.


Configuration

  1. Define custom signature

    Example: Create 'custom-http'

    set services application-identification application custom-http over HTTP signature s1 member m01 context http-header-host
    set services application-identification application custom-http over HTTP signature s1 member m01 pattern ".*abc123.*"
    set services application-identification application custom-http over HTTP signature s1 member m01 direction client-to-server

    Notes:
    - Regular expressions can be used to define patterns. For example, the pattern ".*abc123.*" matches "abc123.com", "www.abc123.net", and so on.
    - The context http-header-host (see the configuration above) checks the string in the "Host" header of the HTTP GET request (see picture below).
    - For troubleshooting: if the SRX does not block the URL even though the custom signature is configured, collect a packet capture and check that the string specified in the pattern is actually present in the "Host" header.


  2. Create application firewall

    Example: Configure application firewall to deny traffic to "abc123.com".

    set security application-firewall rule-sets block rule r1 match dynamic-application custom-http
    set security application-firewall rule-sets block rule r1 then deny
    set security application-firewall rule-sets block default-rule permit

  3. Apply application firewall to security policy

    set security policies from-zone trust to-zone untrust policy tr-un match source-address any
    set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
    set security policies from-zone trust to-zone untrust policy tr-un match application any
    set security policies from-zone trust to-zone untrust policy tr-un then permit application-services application-firewall rule-set block
    set security policies from-zone trust to-zone untrust policy tr-un then log session-close

Verification

When the SRX detects the pattern in an HTTP GET request, the counter ‘Number of sessions matched’ in ‘show security application-firewall rule-set all’ increases.

root> show security application-firewall rule-set all
Rule-set: block
    Rule: r1
        Dynamic Applications: custom-http
        SSL-Encryption: any
        Action:deny
        Number of sessions matched: 21     <<<
        Number of sessions redirected: 0
Default rule:permit
        Number of sessions matched: 314
        Number of sessions redirected: 0
Number of sessions with appid pending: 0

If ‘then log session-close’ is configured in the security policy, the following close log is written to syslog when a session is denied by this application firewall:

RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed application failure or action: 192.168.50.1/53028->172.27.117.198/80 0x0 junos-http 172.27.117.197/32622->172.27.117.198/80 0x0 source rule R1 N/A N/A 6 tr-un trust untrust 432924 3(533) 1(52) 1 HTTP CUSTOM-HTTP N/A(N/A) ge-0/0/2.0 No
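As an added example (not from the article or from Juniper), a small Python script that supports the troubleshooting note and the verification step above: it checks a "Host" header value taken from a packet capture against the custom signature pattern, and parses an RT_FLOW_SESSION_CLOSE line to confirm that the AppFW rule set denied the session. Using Python's re engine as a stand-in for the SRX matcher, and the trailing field order of the close log (taken from the article's own log line), are assumptions.

```python
import re

# Constructed sample inputs: the close log quoted in the article (same field values) and the
# signature pattern from the custom-http configuration above.
SAMPLE_CLOSE_LOG = (
    "RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed application failure or action: "
    "192.168.50.1/53028->172.27.117.198/80 0x0 junos-http "
    "172.27.117.197/32622->172.27.117.198/80 0x0 source rule R1 N/A N/A 6 tr-un trust "
    "untrust 432924 3(533) 1(52) 1 HTTP CUSTOM-HTTP N/A(N/A) ge-0/0/2.0 No"
)
SIGNATURE_PATTERN = r".*abc123.*"

def host_matches_signature(host, pattern=SIGNATURE_PATTERN):
    """True if a Host header value matches the signature pattern. Python's re engine
    stands in for the SRX matcher (an assumption); use it to pre-check a Host value
    taken from a packet capture before suspecting the signature itself."""
    return re.fullmatch(pattern, host) is not None

HEAD_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): "
    r"(?P<src>\S+)->(?P<dst>\S+) \S+ (?P<service>\S+) "
    r"(?P<nat_src>\S+)->(?P<nat_dst>\S+) \S+ (?P<rest>.+)$"
)
# Trailing fields in the order they appear in the article's close log; the NAT rule
# fields before them vary in token count, so they are taken from the end of the line.
TAIL_FIELDS = ("protocol", "policy", "from_zone", "to_zone", "session_id",
               "client_pkts", "server_pkts", "elapsed", "application",
               "nested_application", "user_roles", "interface", "encrypted")

def parse_close_log(line):
    """Parse one RT_FLOW_SESSION_CLOSE line into a dict, or return None if it does not fit."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    tokens = rec.pop("rest").split()
    if len(tokens) < len(TAIL_FIELDS):
        return None
    rec.update(zip(TAIL_FIELDS, tokens[-len(TAIL_FIELDS):]))
    rec["nat_rules"] = " ".join(tokens[:-len(TAIL_FIELDS)])
    for key in ("client_pkts", "server_pkts"):        # "3(533)" -> (packets, bytes)
        m2 = re.fullmatch(r"(\d+)\((\d+)\)", rec[key])
        rec[key] = tuple(int(x) for x in m2.groups()) if m2 else None
    return rec

def is_appfw_deny(rec, dynamic_app="custom-http"):
    """True when the record is an AppFW deny of the given custom application: the close
    reason is 'application failure or action' and the nested application is ours."""
    return (rec is not None and rec["reason"] == "application failure or action"
            and rec["nested_application"].lower() == dynamic_app.lower())
```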