
[SRX] Configuration and troubleshooting information for the 'Application Firewall' feature


Article ID: KB25255 KB Last Updated: 03 Aug 2012Version: 1.0
Summary:
This article provides configuration and troubleshooting information about the Application Firewall feature on SRX devices.
Symptoms:
Configuration and troubleshooting information about the Application Firewall feature on SRX devices.
Cause:

Solution:
To configure this feature, perform the following procedure:

  1. The Application Firewall functionality requires licenses on the SRX device (appid-sig for the application-identification signatures, and idp-sig if IDP is also used). To test this feature, you can download trial licenses over the internet with the following command, then confirm that the licenses are installed and not yet expired:
    user@SRX> request system license update trial
    user@SRX> show system license
    License usage:
                              Licenses   Licenses   Licenses   Expiry
      Feature name                used  installed     needed
      idp-sig                        1          1          0   2012-02-08 00:00:00 UTC
      appid-sig                      0          1          0   2012-02-08 00:00:00 UTC
    
  2. If the Application Firewall feature is used without IDP, you have to download the application-identification signatures. To do so, use the following command:
    user@SRX> request services application-identification download
    The download status of the signatures can be verified with the following command:
    user@SRX> request services application-identification download status
    Downloading application package 2157 succeed

    If this feature is used along with IDP, the application signatures are delivered as part of the IDP security package instead. Download it as follows:
    user@SRX> request security idp security-package download
    Verify the download status:
    user@SRX> request security idp security-package download status
    Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:2102(Wed Jan 21 12:05:38 2011, Detector=11.6.140110920)

    To schedule automatic updates of the IDP security package, add the following configuration (in this example, the update runs every 36 hours):
    user@SRX# set security idp security-package automatic interval 36 start-time 12-21:02:00
    Install the application-identification signatures with the following command:
    user@SRX> request services application-identification install
  3. Configure the rule-sets of the Application Firewall. In the following configuration, the application firewall inspects the traffic, blocks Facebook chat, and allows all other traffic. Note that the junos:FACEBOOK-CHAT signature (see the application detail in the verification section below) matches on the parsed HTTP URL and the HTTP Host header, so it identifies chat traffic only where the SRX sees the cleartext HTTP exchange; chat carried inside TLS is not identified by it.
    root@SRX# show security application-firewall
    rule-sets test {
        rule 1 {
            match {
                dynamic-application junos:FACEBOOK-CHAT;
            }
            then {
                deny;
            }
        }
        default-rule {
            permit;                         
        }
    }
    
    The equivalent set commands are:
    [edit security application-firewall]
    root@SRX# show | display set 
    set security application-firewall rule-sets test rule 1 match dynamic-application junos:FACEBOOK-CHAT
    set security application-firewall rule-sets test rule 1 then deny
    set security application-firewall rule-sets test default-rule permit
    
  4. Reference the Application Firewall rule-set from the appropriate security policies. In the following example, the rule-set is attached to the policy from the internal LAN (trust zone) to the Internet (untrust zone) and to the policy in the reverse direction.

    Note: The application firewall has to be applied in both directions; that is, also in the policy from the Internet (untrust zone) to the LAN (trust zone). A permit policy in either direction that does not reference the rule-set leaves that direction uninspected.
    root@SRX# show security policies
    from-zone trust to-zone untrust {
        policy pol {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        application-firewall {
                            rule-set test;
                        }
                    }
                }
            }
        }
    }
    from-zone untrust to-zone trust {
        policy p2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        application-firewall {
                            rule-set test;
                        }
                    }
                }
            }
        }
    }
    
    The equivalent set commands, for both directions, are:
    [edit security policies]
    root@SRX# show | display set
    set security policies from-zone trust to-zone untrust policy pol match source-address any
    set security policies from-zone trust to-zone untrust policy pol match destination-address any
    set security policies from-zone trust to-zone untrust policy pol match application any
    set security policies from-zone trust to-zone untrust policy pol then permit application-services application-firewall rule-set test
    set security policies from-zone untrust to-zone trust policy p2 match source-address any
    set security policies from-zone untrust to-zone trust policy p2 match destination-address any
    set security policies from-zone untrust to-zone trust policy p2 match application any
    set security policies from-zone untrust to-zone trust policy p2 then permit application-services application-firewall rule-set test
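    On a device with more than two zones, the both-directions requirement above is easy to miss. The following Python script is an added example (it is not from this KB article or from Juniper): it parses a "show security policies | display set" dump and reports permit policies that do not attach an application-firewall rule-set, plus zone pairs where the rule-set is applied in one direction but the reverse direction permits traffic uninspected. The policy dump embedded in it is constructed for the example; it contains the article's pol and p2 policies and an additional trust/dmz pair (policies web, p3 and block are assumed names) to show the gap being detected.

```python
"""Audit Junos 'show security policies | display set' output for AppFW coverage.

Added example, not part of the Juniper KB article. Feed it the real dump from
the device instead of the constructed SAMPLE below.
"""
import re
from collections import defaultdict

# One 'then' line per policy carries the action and, if present, the rule-set.
POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+) then (?P<rest>.+)$"
)

# Constructed sample: the article's pol/p2 policies plus an assumed trust<->dmz
# pair in which the return direction (policy p3) permits without AppFW.
SAMPLE = """
set security policies from-zone trust to-zone untrust policy pol match source-address any
set security policies from-zone trust to-zone untrust policy pol match destination-address any
set security policies from-zone trust to-zone untrust policy pol match application any
set security policies from-zone trust to-zone untrust policy pol then permit application-services application-firewall rule-set test
set security policies from-zone untrust to-zone trust policy p2 match source-address any
set security policies from-zone untrust to-zone trust policy p2 match destination-address any
set security policies from-zone untrust to-zone trust policy p2 match application any
set security policies from-zone untrust to-zone trust policy p2 then permit application-services application-firewall rule-set test
set security policies from-zone trust to-zone dmz policy web match source-address any
set security policies from-zone trust to-zone dmz policy web match destination-address any
set security policies from-zone trust to-zone dmz policy web match application junos-http
set security policies from-zone trust to-zone dmz policy web then permit application-services application-firewall rule-set test
set security policies from-zone dmz to-zone trust policy p3 match source-address any
set security policies from-zone dmz to-zone trust policy p3 match destination-address any
set security policies from-zone dmz to-zone trust policy p3 match application any
set security policies from-zone dmz to-zone trust policy p3 then permit
set security policies from-zone dmz to-zone trust policy block match source-address any
set security policies from-zone dmz to-zone trust policy block match destination-address any
set security policies from-zone dmz to-zone trust policy block match application any
set security policies from-zone dmz to-zone trust policy block then deny
"""


def parse_policies(text):
    """Return {(from_zone, to_zone): {policy: {'action': str|None, 'rule_set': str|None}}}."""
    policies = defaultdict(dict)
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # 'match' lines and unrelated config carry nothing we need
        rest = m.group("rest").split()
        key = (m.group("from"), m.group("to"))
        entry = policies[key].setdefault(m.group("name"), {"action": None, "rule_set": None})
        # Other 'then' lines (e.g. 'then log ...') must not overwrite the action.
        if rest[0] in ("permit", "deny", "reject"):
            entry["action"] = rest[0]
        rs = re.search(r"application-firewall rule-set (\S+)", m.group("rest"))
        if rs:
            entry["rule_set"] = rs.group(1)
    return policies


def uncovered_permits(policies):
    """Permit policies with no AppFW rule-set, as sorted (from, to, policy) tuples."""
    return sorted(
        (f, t, name)
        for (f, t), pols in policies.items()
        for name, p in pols.items()
        if p["action"] == "permit" and not p["rule_set"]
    )


def one_way_coverage(policies):
    """Zone pairs where AppFW is applied in one direction but the reverse permits uninspected."""
    gaps = []
    for (f, t), pols in policies.items():
        if not any(p["rule_set"] for p in pols.values()):
            continue
        reverse = policies.get((t, f), {})
        if any(p["action"] == "permit" and not p["rule_set"] for p in reverse.values()):
            gaps.append(((f, t), (t, f)))
    return sorted(gaps)


if __name__ == "__main__":
    pols = parse_policies(SAMPLE)
    for f, t, name in uncovered_permits(pols):
        print(f"permit without application-firewall: from-zone {f} to-zone {t} policy {name}")
    for covered, rev in one_way_coverage(pols):
        print(f"rule-set applied for {covered} but the reverse direction {rev} permits uninspected")
```

    Run against the constructed sample, the script reports policy p3 (dmz to trust) as a permit without application-firewall and flags the trust/dmz pair as covered in one direction only; the deny policy block is correctly ignored, since AppFW only applies to permitted traffic.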
    
    
Verification and Troubleshooting:


  1. Make sure that a DNS server is configured on the SRX device, so that it can resolve the name of the signature download server. To verify this, use the following command:
    user@SRX# show system name-server 
    4.2.2.2;
    
  2. Make sure that the security-package download URL is configured on the SRX device. The URL used in this article is:
    https://services.netscreen.com/cgi-bin/index.cgi

    It is set with the following command:
    user@SRX# set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
    
  3. To verify the status of the application firewall feature, use the following commands:

    • user@SRX>show services application-identification counter       
      pic: 0/0
        Counter type                                                      Value
       AI cache hits                                                           0
       AI cache hits by nested application                                     0
       AI cache misses                                                         0
       AI matches                                                              29
       AI uni-matches                                                          0
       AI no-matches                                                           0
       AI partial matches                                                      0
       AI no-partial matches                                                   0
       Sessions that triggered Appid create session API                        0
       Sessions that do not incur signature match or decoding                  0
       Sessions that incur signature match or decoding                         0
       Client-to-server packets processed                                      48
       Server-to-client packets processed                                      42
       Client-to-server layer-7 bytes processed                                112
       Server-to-client layer-7 bytes processed                                101
       Terminal first data packets on both direction                           50
       Unspecified encrypted sessions                                          0
       Encrypted P2P sessions                                                  0
      

    • user@SRX>show services application-identification version
      Application package version: 2157
      
  4. The details of an application, as specified in the application firewall, can be viewed as follows:
    user@SRX>show services application-identification application detail junos:FACEBOOK-CHAT
    Application Name: junos:FACEBOOK-CHAT                                         
    Application type: FACEBOOK-CHAT                                               
    Description: This signature detects and can block usage of the Facebook chat
                 functionality.
    Application ID: 704     
    Disabled: No                 
    Number of Parent Group(s): 1       
    Application Groups:
        junos:social-networking:facebook             
    Application Tags:
        characteristic        : Prone to Misuse                                   
        characteristic        : Known Vulnerabilities                             
        characteristic        : Evasive                                           
        characteristic        : Loss of Productivity                              
        risk                  : 5                                                 
        subcategory           : Facebook                                          
        category              : Social-Networking                                 
    Signature NestedApplication:FACEBOOK-CHAT                                 
        Layer-7 Protocol: HTTP                                                
        Chain Order: Yes        
        Maximum Transactions: 1                   
        Order: 33313             
        Member(s): 2            
            Member 0                        
                Context: http-url-parsed       
                Pattern: /ajax/(chat/(typ|settings|buddy_list|send\d?|history)|presence/reconnect)\.php.*
                        
                Direction: CTS                                   
            Member 1         
                Context: http-header-host      
                Pattern: (.*\.)?(facebook\.com|fbcdn\.net)                    
                Direction: CT
    
    Any other application can be viewed in the same way.

  5. A quantitative summary of the inspected traffic (sessions matched per rule, and sessions still waiting for application identification) can be viewed with the following command. The output below was taken from a device whose rule-set is named 1; substitute the name of your own rule-set (test in the configuration above):
    root@SRX-210-HM-3# run show security application-firewall rule-set 1
    Rule-set: 1
        Rule: 1
            Dynamic Applications: junos:FACEBOOK-CHAT
            Action:deny
            Number of sessions matched: 12
    Default rule:permit
            Number of sessions matched: 15
    Number of sessions with appid pending: 0
    
  6. To validate the traffic that is inspected by the application firewall, traffic logging can be configured to identify the permitted and denied traffic. For more information, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.

    Note: Traffic logging is not recommended on high-end SRX platforms, as the amount of traffic is overwhelming.
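    After generating test traffic (for example, opening Facebook chat from a host in the trust zone), the per-rule counters from step 5 are what confirm that the rule-set is actually matching. The following Python script is an added example (not from this KB article or from Juniper) that parses the output of "show security application-firewall rule-set <name>" into per-rule session counts and applies two checks: it reports sessions still pending application identification, and it flags any deny rule that has never matched. The output embedded in it is constructed from the article's sample, with the rule-set renamed to test and a non-zero pending count, so both checks have something to find.

```python
"""Parse 'show security application-firewall rule-set <name>' output and sanity-check it.

Added example, not part of the Juniper KB article. SAMPLE is constructed from
the article's output; replace it with the text captured from the device.
"""

SAMPLE = """\
Rule-set: test
    Rule: 1
        Dynamic Applications: junos:FACEBOOK-CHAT
        Action:deny
        Number of sessions matched: 12
Default rule:permit
        Number of sessions matched: 15
Number of sessions with appid pending: 3
"""


def parse_rule_set(text):
    """Return {'rule_set': str, 'rules': [...], 'default': {...}, 'pending': int}."""
    result = {"rule_set": None, "rules": [], "default": None, "pending": 0}
    current = None  # the rule (or default rule) whose counters we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Rule-set:"):
            result["rule_set"] = line.split(":", 1)[1].strip()
        elif line.startswith("Rule:"):
            current = {"name": line.split(":", 1)[1].strip(), "apps": [], "action": None, "sessions": 0}
            result["rules"].append(current)
        elif line.startswith("Dynamic Applications:"):
            # Split on the first colon only: application names contain 'junos:'.
            apps = line.split(":", 1)[1]
            current["apps"] = [a.strip() for a in apps.split(",") if a.strip()]
        elif line.startswith("Action:"):
            current["action"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default rule:"):
            current = {"name": "default", "apps": [], "action": line.split(":", 1)[1].strip(), "sessions": 0}
            result["default"] = current
        elif line.startswith("Number of sessions matched:"):
            current["sessions"] = int(line.rsplit(":", 1)[1])
        elif line.startswith("Number of sessions with appid pending:"):
            result["pending"] = int(line.rsplit(":", 1)[1])
    return result


def denied_sessions(parsed):
    """Total sessions that hit a deny rule."""
    return sum(r["sessions"] for r in parsed["rules"] if r["action"] == "deny")


def findings(parsed):
    """Human-readable checks a practitioner runs after generating test traffic."""
    out = []
    if parsed["pending"]:
        out.append(
            f"{parsed['pending']} session(s) not yet identified by AppID, "
            "so not yet evaluated against any rule; re-check after more traffic"
        )
    for r in parsed["rules"]:
        if r["action"] == "deny" and r["sessions"] == 0:
            out.append(
                f"rule {r['name']} ({', '.join(r['apps'])}) has never matched: "
                "check the appid-sig license, the installed signature package, and that "
                f"policies in both directions reference rule-set {parsed['rule_set']}"
            )
    return out


if __name__ == "__main__":
    parsed = parse_rule_set(SAMPLE)
    print(f"rule-set {parsed['rule_set']}: {denied_sessions(parsed)} denied session(s), "
          f"{parsed['default']['sessions']} permitted by the default rule")
    for f in findings(parsed):
        print("finding:", f)
```

    On the constructed sample the script reports 12 denied sessions, 15 sessions handled by the default rule, and one finding for the 3 sessions still pending identification.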