
[SRX] How to enable heuristics detection for encrypted data packets in SRX APP-FW

Article ID: KB31093 KB Last Updated: 22 Aug 2016Version: 1.0
Summary:

This article describes how to enable heuristic detection in the application-identification (AppID) feature on SRX Series devices, so that encrypted peer-to-peer traffic that signature-based identification cannot classify becomes visible to application firewall (APP-FW) policy.

Symptoms:

Peer-to-peer applications such as Skype carry their payload in encrypted data packets. The SRX Series application signatures are regular-expression patterns matched against packet payload, so they cannot identify traffic whose payload is encrypted and has no stable pattern to match. Heuristic detection examines the traffic itself rather than matching payload patterns, which improves the detection rate for such flows. The feature is disabled by default, which is why both encrypted-session counters below stay at zero.

root> show services application-identification counter
pic: 2/0
Counter type Value
...
Unspecified encrypted sessions 0
Encrypted P2P sessions 0


[flowd]FPC2.PIC0(vty)# show usp appid config

AppId Module Configuration
--------------------------
Heuristics enabled    no    <<<< Heuristics is disabled.

Solution:

To enable heuristic detection of encrypted peer-to-peer applications, configure 'set services application-identification enable-heuristics' and commit the change. Once enabled, Junos OS applies the heuristics to both TCP and UDP sessions.

After enabling heuristics, the output will appear as follows:

[flowd]FPC2.PIC0(vty)# show usp appid config

AppId Module Configuration
--------------------------
...
Heuristics enabled yes

A session that the heuristics identify as encrypted but cannot map to a known encrypted peer-to-peer application is classified as the special dynamic application junos:unspecified-encrypted (these sessions appear under "Unspecified encrypted sessions" in the counter output below, while recognized peer-to-peer applications appear under "Encrypted P2P sessions"). Application firewall rule sets can match junos:unspecified-encrypted like any other dynamic application, so such traffic can be permitted, denied, or rejected explicitly.

root> show services application-identification counter
pic: 2/0
Counter type Value
...
Unspecified encrypted sessions 11
Encrypted P2P sessions 0

root> show services application-identification application-system-cache
Application System Cache Configurations:
application-cache: on
nested-application-cache: on
cache-entry-timeout: 3600 seconds
pic: 2/0
Logical system name: root-logical-system
IP address: 119.192.126.8 Port: 13300 Protocol: TCP
Application: UNSPECIFIED-ENCRYPTED

Logical system name: root-logical-system
IP address: 221.151.35.154 Port: 42073 Protocol: TCP
Application: UNSPECIFIED-ENCRYPTED
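The following set-style configuration is added here as a worked example; it is not taken from the article or from Juniper's own documentation. It ties the two steps above together: it enables heuristics, defines an application firewall rule set that denies junos:unspecified-encrypted while permitting every other dynamic application, and attaches that rule set to a trust-to-untrust security policy. The rule-set name (block-unknown-encrypted), rule name (deny-unspecified), policy name (allow-outbound) and zone names are assumptions; adapt them to your own configuration.

```junos
# Step 1: turn on heuristic detection for encrypted P2P traffic (off by default).
set services application-identification enable-heuristics

# Step 2: application firewall rule set (names are hypothetical).
# Sessions that the heuristics classify as encrypted but cannot match to a
# known application fall into junos:unspecified-encrypted. Deny those
# explicitly and let every other dynamic application through.
set security application-firewall rule-sets block-unknown-encrypted rule deny-unspecified match dynamic-application junos:unspecified-encrypted
set security application-firewall rule-sets block-unknown-encrypted rule deny-unspecified then deny
set security application-firewall rule-sets block-unknown-encrypted default-rule permit

# Step 3: attach the rule set to the security policy that carries the traffic
# (zone and policy names are assumptions). Logging session-close records the
# dynamic application that APP-FW acted on.
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit application-services application-firewall rule-set block-unknown-encrypted
set security policies from-zone trust to-zone untrust policy allow-outbound then log session-close

commit
```

Before switching the rule to 'then deny', run it with 'then permit' for a while and watch 'show services application-identification counter' (the "Unspecified encrypted sessions" counter should start incrementing) and 'show services application-identification application-system-cache' (the destinations classified as UNSPECIFIED-ENCRYPTED). Any internal or custom encrypted protocol that has no application signature lands in the same bucket as unknown peer-to-peer traffic, so review those cache entries before blocking. 'show security application-firewall rule-set all' confirms the rule set is attached and shows per-rule hit counts. The rule-set syntax shown is the legacy APP-FW model of the article's Junos release; later releases with unified security policies express the same dynamic-application match directly in the security policy.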
