[SRX] How to configure advanced policy-based routing (APBR) with a custom application signature

  [KB31328]


Summary:

Beginning with Junos 15.1X49-D60, Application Identification (AppID) supports policy-based routing called Advanced Policy-Based Routing (APBR).  This article provides an example of how to configure and verify APBR using a custom application signature.

 

Solution:

Topology


SRX has two routes to reach the HTTP server in this topology. One is via the blue route, which is the default route, and another is via the red route. In order to avoid traffic congestion, SRX can forward traffic based on an application signature to a preferred route by using a feature called APBR.

The predefined AppID signature package covers the major applications. If the application is specific to your environment, however, a custom AppID signature can be created so that the SRX can distinguish that application.

For details of APBR, see Understanding Advanced Policy-Based Routing.

Goal

To forward HTTP traffic accessing ‘http://abc123.com’ by using APBR with a custom application signature

Prerequisite

An AppID license is required to configure the custom AppID signature. Verify that the license is installed on the SRX with the show system license command.

root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  appid-sig                             0            1           0    2017-11-24 00:00:00 UTC   

For information about AppID license, refer to Understanding the Junos OS Application Package Installation.

Configuration

  1. Define a custom signature.

    Example: Create 'custom-http'


    set services application-identification application custom-http cacheable
    set services application-identification application custom-http over HTTP signature s1 member m01 context http-header-host
    set services application-identification application custom-http over HTTP signature s1 member m01 pattern ".*abc123.*"
    set services application-identification application custom-http over HTTP signature s1 member m01 direction client-to-server


    Note that APBR requires the application cache to work, so remember to configure the "cacheable" option (the first set command in the example above).

    Notes:

    - Regular expressions can be used to define patterns. For example, pattern ".*abc123.*" will match "abc123.com" or "www.abc123.net" etc.

    - The context http-header-host matches the pattern against the value of the "Host" header in the HTTP request (for example, in the GET request).

    - For troubleshooting, if the SRX does not route the traffic as expected in spite of the custom signature being configured, collect a packet capture and check that the string written in the pattern is actually present in the "Host" header.


    For more details, refer to Example: Configuring Junos OS Application Identification Custom Application Signatures.
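    The notes above describe the signature as a regular expression applied to the Host header of a client-to-server request. The following Python is an added example, not code from the KB article or from Junos, that reproduces that check on constructed HTTP payloads so a pattern can be tested against the Host values you expect before committing it; it assumes the pattern must match the whole Host value, which is why the page's pattern is wrapped in ".*".

```python
import re
from typing import Optional

# Pattern copied from the custom-http signature on this page. The match is applied
# to the whole Host value (assumption), hence the leading and trailing ".*".
CUSTOM_HTTP_PATTERN = r".*abc123.*"

def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a client-to-server HTTP request, or None.

    Mirrors the http-header-host context: only the request line and headers are
    inspected; server responses and non-HTTP payloads yield None.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    # A request line is "<METHOD> <target> HTTP/x.y"; a response begins with "HTTP/".
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return None

def matches_custom_http(payload: bytes, pattern: str = CUSTOM_HTTP_PATTERN) -> bool:
    """True if the payload is a request whose Host value matches the signature pattern."""
    host = http_host(payload)
    return host is not None and re.fullmatch(pattern, host) is not None

# Constructed sample payloads (not captured from a real network).
SAMPLES = {
    "hit_apex": b"GET / HTTP/1.1\r\nHost: abc123.com\r\nUser-Agent: x\r\n\r\n",
    "hit_subdomain": b"GET /a HTTP/1.1\r\nHost: www.abc123.net\r\n\r\n",
    "miss_other_host": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "miss_in_path_only": b"GET /abc123 HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "miss_response": b"HTTP/1.1 200 OK\r\nHost: abc123.com\r\n\r\n",  # wrong direction
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} host={http_host(payload)!r:20} match={matches_custom_http(payload)}")
```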

  2. Configure APBR and related configurations.

    Create an APBR profile:

    set security advance-policy-based-routing profile p1 rule r1 match dynamic-application custom-http
    set security advance-policy-based-routing profile p1 rule r1 then routing-instance R1

    Create a routing instance and import route from inet0 to R1:

    set routing-instances R1 instance-type forwarding
    set routing-instances R1 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1

    set routing-options interface-routes rib-group inet apbr_group
    set routing-options rib-groups apbr_group import-rib inet.0
    set routing-options rib-groups apbr_group import-rib R1.inet.0

    Apply the APBR profile to a security zone:

    set security zones security-zone trust interfaces ge-0/0/2.0
    set security zones security-zone trust advance-policy-based-routing-profile p1

    Here is the rest of the configuration for the SRX in this topology, for reference:

    set interfaces ge-0/0/2 unit 0 family inet address 192.168.50.254/24
    set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.254/24
    set interfaces ge-0/0/5 unit 0 family inet address 192.168.0.254/24
    set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
    set security zones security-zone untrust interfaces ge-0/0/3.0
    set security zones security-zone untrust interfaces ge-0/0/5.0
    set security policies from-zone trust to-zone untrust policy tr-un match source-address any
    set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
    set security policies from-zone trust to-zone untrust policy tr-un match application any

The command show security advance-policy-based-routing statistics displays the statistics counter for APBR.

root> show security advance-policy-based-routing statistics
Advance Profile Based Routing statistics:
  Session Processed:                     5529
  ASC Success:                           3113
  Rule match success:                    107  <<< When SRX detects application traffic matches APBR profile, this counter will increase.
  Route  modified:                       107
  AppID Requested:                       2416

Also, the command show security flow session helps you to see whether or not the specific traffic is sent out of the expected interface.

root> show security flow session
Session ID: 279004, Policy name: tr-mg/6, Timeout: 298, Valid
  In: 192.168.50.1/52529 --> 172.27.117.198/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 10, Bytes: 3241,
  Out: 172.27.117.198/80 --> 192.168.0.30/32368;tcp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 9, Bytes: 3577,
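As an added check that is not part of the original article, the Python below parses constructed copies of the two show outputs above, confirms that every APBR rule hit changed the route, and lists HTTP sessions that did not leave via the APBR egress interface (assumed here to be ge-0/0/5.0, the interface toward next-hop 192.168.0.1). The second session in the sample is constructed to show a miss.

```python
import re
from typing import Dict, List
# Constructed show output modelled on this page; a second session is added to show a miss.
APBR_STATS = """\
Advance Profile Based Routing statistics:
  Session Processed:                     5529
  Rule match success:                    107
  Route  modified:                       107
"""
FLOW_SESSIONS = """\
Session ID: 279004, Policy name: tr-mg/6, Timeout: 298, Valid
  In: 192.168.50.1/52529 --> 172.27.117.198/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 10, Bytes: 3241,
  Out: 172.27.117.198/80 --> 192.168.0.30/32368;tcp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 9, Bytes: 3577,
Session ID: 279005, Policy name: tr-mg/6, Timeout: 1800, Valid
  In: 192.168.50.1/52530 --> 172.27.117.198/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 2, Bytes: 140,
  Out: 172.27.117.198/80 --> 192.168.50.1/52530;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 1, Bytes: 74,
"""
# One "In:" or "Out:" wing: src --> dst;proto, ..., If: <interface>,
WING = re.compile(r"^\s+(In|Out): (\S+) --> (\S+);(\w+),.*?If: ([^,]+),")

def parse_apbr_stats(text: str) -> Dict[str, int]:
    """Counter name -> value; inner whitespace is collapsed so 'Route  modified' becomes 'Route modified'."""
    return {" ".join(m.group(1).split()): int(m.group(2))
            for m in re.finditer(r"^\s+(.+?):\s+(\d+)", text, re.M)}

def parse_flow_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session: id, in_dst/out_dst (ip/port) and in_if/out_if (interface)."""
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("Session ID:"):
            sessions.append({"id": line.split(",", 1)[0].split(":", 1)[1].strip()})
            continue
        m = WING.match(line)
        if m and sessions:
            sessions[-1][m.group(1).lower() + "_dst"] = m.group(3)
            sessions[-1][m.group(1).lower() + "_if"] = m.group(5)
    return sessions

def apbr_redirects_consistent(stats: Dict[str, int]) -> bool:
    """Rule hits occurred and each one changed the route, as in the page's counters."""
    return stats.get("Rule match success", 0) > 0 and \
        stats.get("Route modified") == stats.get("Rule match success")

def sessions_off_path(sessions: List[Dict[str, str]], port: int, expected_if: str) -> List[str]:
    """IDs of sessions to the server port that did NOT egress via the APBR interface."""
    return [s["id"] for s in sessions
            if s.get("in_dst", "").endswith(f"/{port}") and s.get("out_if") != expected_if]

if __name__ == "__main__":
    print("counters consistent:", apbr_redirects_consistent(parse_apbr_stats(APBR_STATS)))
    print("HTTP sessions off path:", sessions_off_path(parse_flow_sessions(FLOW_SESSIONS), 80, "ge-0/0/5.0"))
```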

 

Modification History:

2018-09-28: Configuration corrected in Solution; a few other minor (non-technical) modifications made
