Understanding Policy Application Timeouts Contingencies
When setting timeouts, be aware of the following contingencies:
- If an application contains several application rule entries,
all rule entries share the same timeout. The timeout table is updated
for each rule entry that matches the protocol (for UDP and TCP—other
protocols use the default). You need to define the application timeout
only once. For example, if you create an application with two rules,
the following commands will set the timeout to 20 seconds
for both rules:
user@host# set applications application test protocol tcp destination-port 1035-1035 inactivity-timeout 20
user@host# set applications application test term test protocol udp
user@host# set applications application test term test source-port 1-65535
user@host# set applications application test term test destination-port 1111-1111
- If multiple applications are configured with the same
protocol and overlapping destination ports, the latest application
timeout configured overrides the others in the port-based table. For
example:
user@host# set applications application ftp-1 protocol tcp source-port 0-65535 destination-port 2121-2121 inactivity-timeout 10
user@host# set applications application telnet-1 protocol tcp source-port 0-65535 destination-port 2100-2148 inactivity-timeout 20
With this configuration, JUNOS Software applies the 20-second timeout for destination port 2121 in an application group, because the destination port numbers for telnet-1 (2100-2148) overlap those for ftp-1 (2121), and you defined telnet-1 after you defined ftp-1.
To modify an application timeout when multiple applications use the same protocol and an overlapping destination port range, you must unset the application and reset it with the new timeout value. This is because, during reboot, applications are loaded according to creation time, not modification time.
To avoid the unintended application of the wrong timeout to an application, do not create applications with overlapping destination port numbers.
- If you unset an application timeout, the default protocol-based
timeout in the application entry database is used, and the timeout
values in both the application entry and port-based timeout tables
are updated with the default value.
If the modified application has overlapping destination ports with other applications, the default protocol-based timeout might not be the desired value. In that case, reboot JUNOS Software, or set the application timeout again for the desired timeout to take effect.
- When you modify a predefined application and reboot, the
modified application might not be the last one in the configuration.
This is because predefined applications are loaded before custom applications,
and any change made to a custom application, even if made earlier,
will show as later than the predefined application change when you
reboot.
For example, suppose you create the following application:
user@host# set applications application my-application protocol tcp destination-port 179-179 inactivity-timeout 60
Later you modify the timeout of the predefined application BGP as follows:
user@host# set applications application bgp inactivity-timeout 75
The BGP application will use the 75-second timeout value, because it is now written to the application entry database. But the timeout for port 179, the port BGP uses, is also changed to 75 in the TCP port-based timeout table. After you reboot, the BGP application will continue to use the 75-second timeout that, as a single application, it gets from the application entry database. But the timeout in the TCP port-based table for port 179 will now be 60. You can verify this by entering the show applications application bgp command.
This discrepancy has no effect on BGP when it is used as a single application. But if you add BGP or my-application to an application group, the 60-second timeout value will be used for destination port 179, because an application group takes its timeout from the port-based timeout table whenever an entry is set there.
To ensure predictability when you modify a predefined application timeout, therefore, create a custom application with the same protocol and destination port instead, for example:
user@host# set applications application my-bgp protocol tcp destination-port 179-179 inactivity-timeout 75
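The four contingencies above can be reproduced with a small model of the two tables. The following Python is an added illustration written for this page, not Juniper code. It assumes that the application entry database stores one timeout per application, that the port-based table is keyed by protocol and destination port, that setting or unsetting a timeout rewrites both tables immediately, and that a reboot reloads predefined applications first and custom applications in creation order, as the text describes. The protocol default values (1800 for TCP, 300 for UDP) are placeholders; the page does not state them. The scenario functions replay the page's own examples (ftp-1/telnet-1, bgp/my-application/my-bgp, and the two-term test application).

```python
from dataclasses import dataclass
from typing import Optional

# Assumed protocol defaults for the model; the page gives no values for them.
PROTOCOL_DEFAULT = {"tcp": 1800, "udp": 300}


@dataclass
class Term:
    protocol: str
    first_port: int
    last_port: int


@dataclass
class Application:
    name: str
    terms: list
    timeout: Optional[int] = None   # None means "use the protocol default"
    predefined: bool = False


class TimeoutModel:
    """Application entry database plus per-protocol port-based timeout table."""

    def __init__(self):
        self.apps = {}                             # name -> Application, kept in creation order
        self.port_table = {"tcp": {}, "udp": {}}   # protocol -> destination port -> timeout

    def _load(self, app):
        # Every term of the application shares the application's timeout, and a
        # later load overwrites overlapping ports (the latest definition wins).
        for term in app.terms:
            if term.protocol not in self.port_table:
                continue                           # other protocols use only their default
            value = app.timeout if app.timeout is not None else PROTOCOL_DEFAULT[term.protocol]
            for port in range(term.first_port, term.last_port + 1):
                self.port_table[term.protocol][port] = value

    def create(self, name, terms, timeout=None, predefined=False):
        app = Application(name, terms, timeout, predefined)
        self.apps[name] = app                      # dict insertion order == creation order
        self._load(app)
        return app

    def set_timeout(self, name, timeout):
        # Modifying (or unsetting, timeout=None) updates both tables at once,
        # but does not change the application's creation order.
        self.apps[name].timeout = timeout
        self._load(self.apps[name])

    def delete(self, name):
        del self.apps[name]

    def reboot(self):
        # Predefined applications load first, then custom ones by creation time
        # (sorted() is stable, so creation order is preserved within each group).
        self.port_table = {"tcp": {}, "udp": {}}
        for app in sorted(self.apps.values(), key=lambda a: not a.predefined):
            self._load(app)

    def single_app_timeout(self, name):
        # A single application reads the application entry database.
        app = self.apps[name]
        return app.timeout if app.timeout is not None else PROTOCOL_DEFAULT[app.terms[0].protocol]

    def group_timeout(self, protocol, port):
        # An application group reads the port-based table when an entry is set.
        return self.port_table[protocol].get(port, PROTOCOL_DEFAULT[protocol])


def overlapping_ports_scenario():
    m = TimeoutModel()
    m.create("ftp-1", [Term("tcp", 2121, 2121)], timeout=10)
    m.create("telnet-1", [Term("tcp", 2100, 2148)], timeout=20)
    after_config = m.group_timeout("tcp", 2121)     # 20: telnet-1 was defined last
    m.set_timeout("ftp-1", 30)
    after_set = m.group_timeout("tcp", 2121)        # 30, but only until the next reboot
    m.reboot()
    after_reboot = m.group_timeout("tcp", 2121)     # 20 again: creation order decides
    m.delete("ftp-1")                               # unset and recreate to make it stick
    m.create("ftp-1", [Term("tcp", 2121, 2121)], timeout=30)
    m.reboot()
    after_recreate = m.group_timeout("tcp", 2121)   # 30: ftp-1 is now the newest
    return after_config, after_set, after_reboot, after_recreate


def predefined_app_scenario():
    m = TimeoutModel()
    m.create("bgp", [Term("tcp", 179, 179)], predefined=True)
    m.create("my-application", [Term("tcp", 179, 179)], timeout=60)
    m.set_timeout("bgp", 75)
    before_reboot = (m.single_app_timeout("bgp"), m.group_timeout("tcp", 179))   # (75, 75)
    m.reboot()
    after_reboot = (m.single_app_timeout("bgp"), m.group_timeout("tcp", 179))    # (75, 60)
    m.create("my-bgp", [Term("tcp", 179, 179)], timeout=75)
    m.reboot()
    with_my_bgp = m.group_timeout("tcp", 179)                                    # 75
    return before_reboot, after_reboot, with_my_bgp


def unset_scenario():
    m = TimeoutModel()
    m.create("test", [Term("tcp", 1035, 1035), Term("udp", 1111, 1111)], timeout=20)
    shared = (m.group_timeout("tcp", 1035), m.group_timeout("udp", 1111))     # (20, 20)
    m.set_timeout("test", None)                                               # unset the timeout
    restored = (m.group_timeout("tcp", 1035), m.group_timeout("udp", 1111))   # protocol defaults
    return shared, restored
```

The reboot method is where the surprises on this page come from: because it orders by predefined-first and then creation time, a modification made with set does not move an application later in the load order, which is why the text tells you to unset and recreate an application, or to define a custom my-bgp, when you need a modified timeout to survive a reboot.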
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Security Policy Applications Overview
- Understanding Custom Policy Applications
- Custom Application Mappings
- Understanding Policy Application Timeout Configuration and Lookup
- Example: Adding a Custom Policy Application (CLI)
- Example: Modifying a Custom Policy Application (CLI)