
[SRX] AppFW 'Underlying consolidated Protocols/ports application is dependent on' section in Application Signature


Article ID: KB35589    Last Updated: 21 Mar 2020    Version: 1.0
Summary:

Starting from Junos 18.2 with unified policy, a new section called 'Underlying consolidated Protocols/ports application is dependent on' is shown in the application signature detail. It lists the protocols and ports that will be inspected, depending on the application signature added to the unified policy.

Symptoms:

The example below shows the application signature 'junos:GOOGLE-TRUSTED-STORE' on 15.1X49 and on 19.3R1. The section 'Underlying consolidated Protocols/ports application is dependent on' is shown on 19.3R1 but not on 15.1X49.

vSRX running 15.1X49 - only Layer 7 Protocols shown:

user@router> show services application-identification application detail junos:GOOGLE-TRUSTED-STORE 
Application Name: junos:GOOGLE-TRUSTED-STORE                                  
Application type: GOOGLE-TRUSTED-STORE                                        
Description: Google Trusted Store classifies access to the Google Trusted Store web API.
Application ID: 2819    
Priority: high    
Order: 0       
Disabled: No                 
Cacheable: Yes  
Activation Date: 2016-04-25      
Last Modified: 2016-10-17      
Number of Parent Group(s): 1       
Application Groups:
    junos:web                                    
Application Tags:
    risk                  : 2                                                 
    subcategory           : miscellaneous                                     
    category              : Web                                               
Layer-7 Protocol(s):
    Protocol: GOOGLE-GEN  / 943        
Port Mapping:
    Default ports: N/A

 

SRX300 running 19.3R1 - underlying consolidated protocols/ports shown:

user@router> show services application-identification application detail junos:GOOGLE-TRUSTED-STORE    
Application Name: junos:GOOGLE-TRUSTED-STORE                                  
Application type: GOOGLE-TRUSTED-STORE                                        
Description: Google Trusted Store classifies access to the Google Trusted Store web API.
Application ID: 2819    
Priority: high    
Order: 0       
Disabled: No                 
Cacheable: Yes  
Activation Date: 2016-04-25      
Last Modified: 2016-10-17      
Number of Parent Group(s): 1       
Application Groups:
    junos:web                                    
Application Tags:
    risk                  : 2                                                 
    subcategory           : miscellaneous                                     
    category              : Web                                               
Underlying consolidated Protocols/ports application is dependent on:
    Protocols:
        Protocol: junos:GOOGLE-GEN / 943        
        Protocol: junos:STUN  / 201        
        Protocol: junos:UDP   / 216        
        Protocol: junos:TCP   / 205        
        Protocol: junos:HTTP-PROXY / 2956       
        Protocol: junos:SSL   / 199        
        Protocol: junos:SPDY  / 1469       
        Protocol: junos:POSTGRESQL / 150        
        Protocol: junos:HTTPS / 68         
        Protocol: junos:HTTP  / 67         
        Protocol: junos:NET-PROXY / 2629       
        Protocol: junos:HTTP2 / 2553       
        Protocol: junos:HTTP-TUNNEL / 750        
        Protocol: junos:COTP  / 22         
        Protocol: junos:RTSP  / 176        
        Protocol: junos:RTP   / 175        
        Protocol: junos:DTLS  / 1291       
        Protocol: junos:RTMP  / 337        
        Protocol: junos:QUIC  / 2521       
        Protocol: junos:JABBER / 94         
    TCP Ports:
        Port: 443         
        Port: 554         
        Port: 80          
        Port: 3128        
        Port: 8000        
        Port: 8080        
    UDP Ports:                          
        Port: 554       
 
Layer-7 Immediate Protocol(s):
    Protocol: GOOGLE-GEN  / 943        
Application Specific Ports:
    Default ports: N/A
Signature:
    Port range: N/A
    Client-to-server
    Order: 2        
Cause:

With Unified Policy, introduced in 18.2, when the policy's application is defined as junos-defaults, the protocols and ports inspected by the policy depend on the application signature.

user@router> show security policies from-zone trust to-zone untrust policy unified-pol       
match {
    source-address any;
    destination-address any;
    application junos-defaults;
    dynamic-application junos:GOOGLE-TRUSTED-STORE;
}
then {
    permit;
    log {
        session-init;
    }
}
Solution:

The TCP/UDP destination ports matched by the policy are taken from the 'Underlying consolidated Protocols/ports application is dependent on' section of the application signature.

user@router> show security policies detail policy-name unified-pol 
Policy: unified-pol, action-type: permit, State: enabled, Index: 7, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 3
  From zone: trust, To zone: untrust
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0 
    any-ipv6: ::/0
  Application: junos-defaults
    IP protocol: TCP, ALG: 0, Inactivity timeout: 1800
      Destination ports: 80, 443, 554, 3128, 8000, 8080
    IP protocol: UDP, ALG: 0, Inactivity timeout: 60
      Destination ports: 554

  Dynamic Application: 
    junos:GOOGLE-TRUSTED-STORE: 2819
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Session log: at-create

Note: The above output is taken from SRX300 running 19.3R1.
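As an added audit check (example code, not from this article or from Juniper), the script below parses the two outputs shown above and reports any destination port that the junos-defaults policy matches but that the signature's consolidated list does not contain. The sample strings are constructed, abbreviated copies of the article's CLI output; the function and regex names are the author's own.

```python
import re

# Constructed sample: abbreviated copies of the two CLI outputs shown in this article.
APP_DETAIL = """\
Underlying consolidated Protocols/ports application is dependent on:
    TCP Ports:
        Port: 443
        Port: 554
        Port: 80
        Port: 3128
        Port: 8000
        Port: 8080
    UDP Ports:
        Port: 554
Layer-7 Immediate Protocol(s):
    Protocol: GOOGLE-GEN  / 943
"""
POLICY_DETAIL = """\
  Application: junos-defaults
    IP protocol: TCP, ALG: 0, Inactivity timeout: 1800
      Destination ports: 80, 443, 554, 3128, 8000, 8080
    IP protocol: UDP, ALG: 0, Inactivity timeout: 60
      Destination ports: 554
"""

def _ports(text, header_re, port_re):
    # header_re captures the protocol name (TCP/UDP); port_re captures the port(s) under it
    ports = {"TCP": set(), "UDP": set()}
    proto = None
    for s in map(str.strip, text.splitlines()):
        m = re.match(header_re, s)
        if m:
            proto = m.group(1)
            continue
        m = proto and re.match(port_re, s)
        if m:
            ports[proto] |= {int(p) for p in m.group(1).split(",")}
        else:
            proto = None  # any other line closes the current port list
    return ports

def signature_ports(text):
    return _ports(text, r"(TCP|UDP) Ports:", r"Port: (\d+)")

def policy_ports(text):
    return _ports(text, r"IP protocol: (TCP|UDP),", r"Destination ports: ([\d, ]+)")

def extra_policy_ports(sig_text, pol_text):
    # Ports the policy permits that the signature's consolidated list does not depend on
    sig, pol = signature_ports(sig_text), policy_ports(pol_text)
    return {p: sorted(pol[p] - sig[p]) for p in ("TCP", "UDP")}
```

On a release without the consolidated section (such as the 15.1X49 output above) signature_ports() returns empty sets, so every policy port is reported.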
