
[SRX] How to correlate pre-defined Junos firewall applications with Junos AppID based applications


Article ID: KB26780 KB Last Updated: 14 Aug 2014Version: 2.0
Summary:

When configuring AppSecure features, such as the application firewall, the application firewall rule-set has to be tied to a firewall policy so that the relevant traffic is directed to the application firewall for inspection. When the firewall policy matches on application, customers have to ensure that the firewall application (the Layer 4 protocol/port definition) actually corresponds to the AppID application (the Layer 7 signature) referenced in the rule-set; otherwise the rule-set never sees the traffic it was written for.

This article provides a procedure for checking the applications, using either edit mode commands or operational mode commands.

Symptoms:

For example, refer to the following configuration:

policy Clients {
    match {
        source-address [ VLAN1 ];
        destination-address VLAN2;
        application [ junos-ms-rpc-msexchange junos-ms-rpc junos-cifs junos-nbname junos-nbds junos-smb ];
    }
    then {
        permit {
            application-services {
                application-firewall {
                    rule-set data-transfer;
                }
            }
        }
        count;
    }
}

rule-sets data-transfer {
    rule SMB {
        match {
            dynamic-application junos:SMB;
        }
        then {
            permit;
        }
    }
    rule NETBIOS {
        match {
            dynamic-application [ junos:NBDS junos:NBNAME ];
        }
        then {
            permit;
        }
    }
    rule msrpc {
        match {
            dynamic-application-group [ junos:MSRPC ];
        }
        then {
            permit;
        }
    }
    rule UNKNOWN {
        match {
            dynamic-application junos:UNKNOWN;
        }
        then {
            permit;
        }
    }
    default-rule {
        deny;
    }
}

There might be multiple Junos AppID applications that match regular firewall applications. For example, the regular junos-ms-rpc-msexchange firewall application might have a different definition from the junos:MSRPC or junos:MSRPC-UNKNOWN AppID counterparts. In such cases, the configuration may not accomplish the required task.

Cause:

Solution:

The solution is to correlate the definition of the firewall based application with the definition of the AppID application.

To check the definition of a regular (pre-defined) firewall application, use the following command in edit mode:

#show groups junos-defaults applications

For example:

root@srx-3400# show groups junos-defaults applications
#
# File Transfer Protocol
#
application junos-ftp {
     application-protocol ftp;
     protocol tcp;
     destination-port 21;
}
#
# Trivial File Transfer Protocol
#
application junos-tftp {
    application-protocol tftp;
    protocol udp;
    destination-port 69;
}
#
# Real Time Streaming Protocol
#
application junos-rtsp {
     application-protocol rtsp;
     protocol tcp;
     destination-port 554;
---(more)---[abort]

[edit]
root@srx-3400#

To check the definition of the AppID application, use the following command (operational mode command):

show services application-identification application detail <application_name>

For example:

root@srx-3400> ...on-identification application detail junos:MSRPC
Application Name: junos:MSRPC
Application type: MSRPC
Description: MSRPC (Microsoft Remote Procedure Call) is a modified version of
DCE/RPC. Additions include support for Unicode strings, implicit
handles, inheritance of interfaces (which are extensively used in
DCOM), and complex calculations in the variable-length string and
structure paradigms already present in DCE/RPC.
Application ID: 52
Disabled: No
Number of Parent Group(s): 1
Application Groups:
junos:infrastructure:rpc
Application Tags:
characteristic : Known Vulnerabilities
risk : 1
subcategory : RPC
category : Infrastructure
Port Mapping:
Default ports: UDP/135,TCP/135
Signature:
Port range: TCP/135,137,138,139,445,1024-65535
UDP/135,137,138,139,445,1024-65535
Client-to-server

Verify the definition and configure the applications as required.
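The correlation step above can be scripted: parse the protocol/port of each pre-defined firewall application from the edit-mode output, parse the signature port range from the AppID detail output, and report whether the AppID signature can ever match the traffic the policy steers to the rule-set. This is an added example, not a Juniper tool; the sample outputs are constructed in the formats shown in this article (junos-ftp and the junos:MSRPC port-range lines are copied from the article, junos-msrpc-tcp is a made-up application for contrast).

```python
import re

# Constructed sample in the format of "show groups junos-defaults applications":
# junos-ftp is copied from the article, junos-msrpc-tcp is a made-up entry.
FIREWALL_APPS_OUTPUT = """\
application junos-ftp {
    application-protocol ftp;
    protocol tcp;
    destination-port 21;
}
application junos-msrpc-tcp {
    protocol tcp;
    destination-port 135;
}
"""
# Constructed excerpt of "show services application-identification application
# detail junos:MSRPC"; the Port range lines are as printed in the article.
APPID_DETAIL_OUTPUT = """\
Default ports: UDP/135,TCP/135
Signature:
Port range: TCP/135,137,138,139,445,1024-65535
UDP/135,137,138,139,445,1024-65535
Client-to-server
"""

def parse_firewall_apps(text):
    """Return {name: (protocol, port)} from junos-defaults application blocks."""
    apps = {}
    for m in re.finditer(r"application (\S+) \{(.*?)\n\}", text, re.S):
        proto = re.search(r"^\s*protocol (\w+);", m.group(2), re.M)  # not application-protocol
        port = re.search(r"destination-port (\d+);", m.group(2))
        if proto and port:
            apps[m.group(1)] = (proto.group(1).lower(), int(port.group(1)))
    return apps

def parse_appid_ports(text):
    """Return {protocol: [(lo, hi), ...]} from the signature 'Port range:' block,
    which spans the continuation lines (here the UDP line) that follow it."""
    block = re.search(r"Port range:((?:\s*(?:TCP|UDP)/[\d,-]+)+)", text)
    ranges = {}
    for proto, spec in re.findall(r"(TCP|UDP)/([\d,-]+)", block.group(1) if block else ""):
        for tok in spec.split(","):
            lo, _, hi = tok.partition("-")  # "1024-65535" -> (1024, 65535); "135" -> (135, 135)
            ranges.setdefault(proto.lower(), []).append((int(lo), int(hi or lo)))
    return ranges

def correlate(fw_text, appid_text):
    """Per firewall app: True if the AppID port range covers its protocol/port, else False."""
    ports = parse_appid_ports(appid_text)
    return {name: any(lo <= port <= hi for lo, hi in ports.get(proto, []))
            for name, (proto, port) in parse_firewall_apps(fw_text).items()}
```

A False result means the policy would send that application's traffic to the rule-set while the AppID signature is never evaluated on those ports, so the traffic falls through to the default-rule (deny, in the configuration above).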
