The following example shows an application protocol definition describing a special FTP application running on port 78:
- [edit applications]
- application my-ftp-app { # named application definition
- application-protocol ftp; # selects FTP protocol handling for sessions that match this definition
- protocol tcp;
- destination-port 78; # matches TCP destination port 78 only
- timeout 100; # inactivity timeout for FTP service; NOTE(review): the SIP example on this page spells this statement inactivity-timeout, confirm which form your release accepts
- }
The following example shows an application definition for ICMP (application-protocol icmp) that matches ICMP type 8 (echo request):
- [edit applications]
- application icmp-app { # named application definition
- application-protocol icmp;
- protocol icmp;
- icmp-type icmp-echo; # ICMP type 8 (echo request); other ICMP types do not match this definition
- }
The following example shows a possible application set:
The software includes a predefined set of well-known application protocols. The set includes applications for which the TCP and UDP destination ports are already recognized by stateless firewall filters.
The following example shows a complete configuration for SIP and its related statements:
- [edit]
- applications {
-
- application sip { # referenced by name from the stateful-firewall rule later in this configuration
- application-protocol sip; # selects SIP protocol handling for sessions that match this definition
- protocol udp;
- destination-port 5060; # UDP 5060 only; SIP carried over TCP or on another port does not match this definition
- inactivity-timeout 300; # idle timeout for the application; units are presumably seconds, confirm for your release
- learn-sip-register; # NOTE(review): SIP-specific option that this page does not explain; confirm what inbound traffic it admits before enabling it
- }
- }
- interfaces {
-
- sp-0/2/0 { # service interface that service-set test_sip is bound to
-
- services-options {
-
- syslog {
-
- host local {
- services any; # log services messages of any severity to the local host
- }
- }
- }
-
- unit 0 {
- family inet;
- }
- }
-
- ge-1/0/0 {
- description amazon_eth2;
-
- unit 0 {
-
- family inet {
-
- service { # the same service set is applied to this unit in both directions
-
- input {
- service-set test_sip;
- }
-
- output {
- service-set test_sip;
- }
- }
- address 10.200.1.1/30;
- }
- }
- }
-
- ge-1/1/0 { # no service stanza here; in this example the service set is applied only on ge-1/0/0
- description maxtor_eth1;
-
- unit 0 {
-
- family inet {
- address 10.100.1.1/30;
- }
- }
- }
- }
- services {
-
- stateful-firewall {
-
- rule sip {
- match-direction input-output; # the rule applies to traffic in both directions
-
- term 0 { # the only term in this rule
-
- from {
- applications sip; # matches the sip application defined under applications
- }
-
- then {
- accept;
- }
- }
- } # NOTE(review): no term covers traffic other than sip; confirm that the default action for unmatched packets is the one you intend
- }
-
- ids {
-
- rule ids {
- match-direction input-output;
-
- term 0 { # no from clause, so no match condition narrows this term
-
- then {
- force-entry; # NOTE(review): presumably records an IDS entry on the first event rather than after repeated events; confirm
-
- logging {
- threshold 1; # NOTE(review): logging threshold; the unit is not shown on this page, confirm
- syslog; # send the IDS events to the system log
- }
- }
- }
- }
- }
-
- service-set test_sip { # ties the firewall rule and the IDS rule to one service interface
-
- syslog {
-
- host local {
- services any; # log services messages of any severity to the local host
- }
- }
- stateful-firewall-rules sip;
- ids-rules ids;
-
- interface-service {
- service-interface sp-0/2/0; # this service set runs on sp-0/2/0
- }
- }
- }