
[SRX] What information needs to be collected for Application Firewall related issues?


Article ID: KB31042 | KB Last Updated: 14 Oct 2016 | Version: 2.0
Summary:

This article discusses the information you should collect when troubleshooting issues related to the Application Firewall feature.

Symptoms:

This article lists the commands and outputs to collect from the SRX firewall that help in troubleshooting issues in the following scenarios:

  1. Application Identification signature database update failure.
  2. Application-Firewall configuration / compilation issues.
  3. Signature does not detect the application correctly.
  4. Performance issues caused by the application.
Solution:
Collect the following information from the firewall:
  • RSI output (request support information)
  • Complete contents of /var/log and /var/db/appidd/db

In addition to the above logs, you also need the following information based on the different scenarios described.

Application Identification signature database update failure
  1. request services application-identification download
    request services application-identification download status

  2. request services application-identification install
    request services application-identification install status

  3. show services application-identification version

  4. Trace options collected for Application-Identification Service.

Application-Firewall configuration / compilation issues

  1. CLI output showing the failing part of the configuration, including the error message.

  2. show services application-identification application detail <name of the signature that fails in compilation>

  3. Trace options collected for Application-Identification Service.

Signature does not detect the application correctly
  1. Clear the Application-System-Cache on the firewall and then initiate the traffic again to see if the traffic is detected correctly on the device.
    clear services application-identification application-system-cache

    After initiating the traffic, see if the cache entry is added:
    show services application-identification application-system-cache

  2. Verify that the signature behavior is seen consistently across multiple browsers.

  3. Enable security application-firewall and service application-identification trace-options to check the errors.

Performance issues caused by the application
  1. Collect the trace-options with proper packet filters set for the traffic of concern:
    set security traceoptions flag all
    set security traceoptions file <name>

  2. Enable security application-firewall and service application-identification trace-options to check the errors.

  3. Collect the following outputs from the firewall multiple times:
    show services application-identification status
    show services application-identification statistics
    show services application-identification counters
    show security application-firewall rule-set all
    show security flow session application-firewall application-firewall-rule-set <app fw rule set name>
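The four scenarios above each boil down to running a fixed list of operational commands and keeping the output. The following POSIX shell helper is an added example, not part of the KB article or a Juniper tool: it prints the per-scenario command list from the article (status commands only, so that nothing on the device is re-triggered), and can run that list over SSH several times, saving one file per command and pass so later passes can be diffed. It assumes the SRX accepts operational-mode commands on the ssh command line, that "| no-more" disables pagination, and that "file archive compress" is available to bundle /var/log and /var/db/appidd/db; the hostname, rule-set and output paths are placeholders.

```shell
#!/bin/sh
# Added collection helper, not part of the KB article: emits the Junos operational
# commands the article asks for, one scenario at a time, and can run them over SSH.
# Assumptions (not stated in the article): the SRX accepts operational-mode commands
# passed as an ssh command line, and "| no-more" disables pagination of the output.

# Print the commands to collect for a scenario.
#   $1  scenario: db-update | compile | detect | perf
#   $2  signature name (compile) or application-firewall rule-set name (perf)
appfw_commands() {
    scenario="$1"
    arg="$2"
    # Every scenario starts with the RSI the article asks for.
    echo "request support information | no-more"
    case "$scenario" in
        db-update)
            # Status only: re-running "download"/"install" would change device state.
            echo "request services application-identification download status | no-more"
            echo "request services application-identification install status | no-more"
            echo "show services application-identification version | no-more"
            ;;
        compile)
            [ -n "$arg" ] || { echo "compile: signature name required" >&2; return 1; }
            echo "show services application-identification application detail $arg | no-more"
            ;;
        detect)
            # Cache contents after the traffic has been re-initiated.
            echo "show services application-identification application-system-cache | no-more"
            ;;
        perf)
            [ -n "$arg" ] || { echo "perf: rule-set name required" >&2; return 1; }
            echo "show services application-identification status | no-more"
            echo "show services application-identification statistics | no-more"
            echo "show services application-identification counters | no-more"
            echo "show security application-firewall rule-set all | no-more"
            echo "show security flow session application-firewall application-firewall-rule-set $arg | no-more"
            ;;
        *)
            echo "unknown scenario: $scenario" >&2
            return 1
            ;;
    esac
}

# Run the scenario's commands on the device and save each output to a file.
#   $1 user@host   $2 scenario   $3 signature/rule-set name   $4 output directory
#   $5 number of passes (the article asks for several passes in the perf case)
appfw_collect() {
    target="$1"; scenario="$2"; arg="$3"
    outdir="${4:-./appfw-$(date +%Y%m%d-%H%M%S)}"
    passes="${5:-1}"
    mkdir -p "$outdir"
    appfw_commands "$scenario" "$arg" > "$outdir/commands.txt" || return 1
    i=1
    while [ "$i" -le "$passes" ]; do
        n=0
        while IFS= read -r cmd; do
            n=$((n + 1))
            # One file per command and pass, so later diffs show what changed.
            ssh "$target" "$cmd" > "$outdir/pass${i}-cmd${n}.txt" 2>&1
        done < "$outdir/commands.txt"
        i=$((i + 1))
    done
    # Bundle /var/log and the AppID database on the device for retrieval with scp.
    # "file archive compress" is assumed to be available on the device (not from the article).
    ssh "$target" "file archive compress source /var/log destination /var/tmp/appfw-varlog.tgz"
    ssh "$target" "file archive compress source /var/db/appidd/db destination /var/tmp/appfw-appidd.tgz"
    echo "$outdir"
}

# Usage (hypothetical hostname and rule-set name):
#   appfw_collect admin@srx.example.net perf my-appfw-ruleset /tmp/case 3
```

Running the perf scenario with three passes gives three snapshots of the AppID status, statistics and counters a few seconds apart, which is what makes a counter that keeps climbing visible; the archives left in /var/tmp on the device are then copied off with scp alongside the RSI.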
