Adding Application Signatures
You can add custom application signatures for applications that are not part of the Juniper Networks predefined application database. Give each custom signature a unique and descriptive name so that it cannot be confused with a predefined signature or another custom one.
You define a custom application signature by specifying a name, the protocol, the port number on which the application runs, and one or more match criteria (ICMP mapping, IP protocol mapping, address mapping, or Layer 7 signatures).
To create a custom application signature:
- Select Configuration > Shared Objects > Application Signatures.
- Click Create > Signature.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new application signature with your configurations is created. You use this application signature while creating SD-WAN policy and firewall policy intents.
Table 1 provides guidelines on using the fields on the Create Application Signature page.

| Field | Description |
|---|---|
| Name | Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters. |
| Description | Enter a description for the application signature. |
| Signature Order and Priority | |
| Order | Enter the order for the custom application signature. A lower order value has higher priority. The order is used only when multiple custom application signatures of the same type match the same traffic; it does not prioritize among different types of applications, such as TCP stream-based applications against TCP port-based applications, or IP address-based applications against port-based applications. Range is 1-50000. |
| Priority | Specify the priority (high or low) of this application signature over other application signatures. |
| Signature Classification | |
| Category | Enter the category of the application signature. For example, Messaging, Web, Infrastructure, Remote-Access, Multimedia, and so on. |
| Sub Category | Enter the subcategory of the application signature. For example, Wiki, File-Sharing, Multimedia, Social-Networking, News, and so on. |
| Risk | Select the level of risk associated with the application. For example, low, moderate, high, critical, or unsafe. |
| Characteristics | Enter one or more characteristics of the application. For example, supports file transfer, loss of productivity, and so on. |
| Application Criteria | Enable one or more of the following matching criteria. |
| ICMP Mapping | Click the toggle button to identify the application by Internet Control Message Protocol (ICMP) message type and, optionally, code. ICMP mapping maps standard ICMP message types and optional codes to a unique application name; the type and code refine packet matching in the application definition. |
| ICMP Type | Enter the ICMP message type for the application. Range is 0-254. |
| ICMP Code | Enter the ICMP code for the application. The code further qualifies the ICMP type. Range is 0-254. |
| IP Protocol Mapping | Click the toggle button to identify the application by its IP protocol number. This criterion applies only to IP traffic. To ensure adequate security, use IP protocol mapping only in your private network for trusted servers. |
| IP Protocol | Enter the IP protocol number for the application. Standard IP protocol numbers map an application to IP traffic. Range is 0-254. You can find the complete list of industry-standard protocol numbers at the IANA website. Note: You cannot use IP protocol numbers 1 (ICMP), 6 (TCP), and 17 (UDP) for custom application signature creation. Use L7 signatures for these protocols instead. |
| Address Mapping | Click the toggle button to specify address mapping information. Layer 3 and Layer 4 address mapping defines an application by matching the destination IP address and, optionally, the destination port range of the traffic. Use address mapping when the configuration of your private network predicts application traffic to or from trusted servers; it provides efficiency and accuracy when handling traffic from a known application. For more information, see Table 2. |
| L7 Signature | Click the toggle button to define a Layer 7-based custom application signature. L7 signatures identify multiple applications running on the same L7 protocol. For example, Facebook and Yahoo Messenger can both run over HTTP, but they must be identified as two different applications on the same Layer 7 protocol. For more information, see Table 3. |
| Cacheable | Click the toggle button to cache application identification results on the device. Enable this option only when the custom signature contains L7 signatures alone. It is not supported for address-based, IP protocol-based, and ICMP-based custom application signatures. |
Table 2 describes the fields for an address mapping entry.

| Field | Description |
|---|---|
| Name | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters. |
| IP Address | Enter the destination IPv4 or IPv6 address of the application. |
| CIDR | Enter the prefix length for the IP address you assign to the application. Range for an IPv4 address is 1-32; range for an IPv6 address is 1-128. |
| TCP Port Range | (Optional) Enter a space-separated list of ports or port ranges to match against the TCP destination port for Layer 3 and Layer 4 address-based custom applications. The range is 0-65535. Example: 80-82 443 |
| UDP Port Range | (Optional) Enter a space-separated list of ports or port ranges to match against the UDP destination port for Layer 3 and Layer 4 address-based custom applications. The range is 0-65535. Example: 160-162 260 |
Table 3 describes the fields for an L7 signature.

| Field | Description |
|---|---|
| Over Protocol | Specify the Layer 7 protocol over which the application runs; the signature is matched within traffic of that protocol. Example: HTTP. |
| Signature Name | Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters. |
| Port Range | Enter the port range for the application. Range is 0-65535. Example: 80-82,443 |
| Add Members | Click the plus icon (+) to add a member. A custom signature can contain multiple members, each defining an attribute of the application. |
| Member No. | Enter the member name. The supported member names are m01 through m15. |
| Context | Select the service-specific context in which the pattern is matched. For the supported combinations of context and direction for L7 application creation, see the context (Application Identification) reference topic. |
| Direction | Select the direction of the packet flow that the member pattern must match. |
| Pattern | Enter the deterministic finite automaton (DFA) pattern to match in the selected context. Maximum length is 128 characters. |
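The field limits in Tables 1 through 3 are easy to get wrong when signatures are built in bulk (for example, generated from an inventory and pushed through the API or a script). The following validator is an added example, not CSO or Junos code: it models a custom application signature with the fields from the three tables and reports every documented rule a definition breaks, including the two that matter most operationally, the ban on IP protocol numbers 1, 6 and 17 (which must be expressed as L7 signatures) and the restriction that Cacheable is supported only for signatures that contain L7 members alone. The context names (`http-header-host`, `http-url-parsed`) and the two sample definitions are constructed for illustration and are not taken from the page.

```python
# Added example, not CSO or Junos code: a validator that enforces the field
# constraints from Tables 1-3 on a custom application signature definition.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,63}$")          # Table 1/2 name rule
MEMBER_RE = re.compile(r"^m(0[1-9]|1[0-5])$")              # member names m01-m15
RESERVED_IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # need L7 signatures instead

def parse_port_list(text: str) -> List[Tuple[int, int]]:
    """Parse a space-separated list such as '80-82 443' into (low, high) pairs."""
    ranges = []
    for tok in text.split():
        low_s, _, high_s = tok.partition("-")
        low, high = int(low_s), int(high_s or low_s)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {tok}")
        ranges.append((low, high))
    return ranges

@dataclass
class AddressMapping:  # one Table 2 entry
    name: str
    ip: str
    cidr: int
    tcp_ports: str = ""
    udp_ports: str = ""

@dataclass
class L7Member:  # one Table 3 member
    number: str     # m01-m15
    context: str    # e.g. 'http-header-host'; context names used here are assumed
    direction: str  # not validated here: the page does not list the value set
    pattern: str    # DFA pattern, at most 128 characters

@dataclass
class CustomAppSignature:  # Table 1
    name: str
    order: int = 1
    icmp: Optional[Tuple[int, int]] = None  # (type, code)
    ip_protocol: Optional[int] = None
    address_mappings: List[AddressMapping] = field(default_factory=list)
    l7_members: List[L7Member] = field(default_factory=list)
    cacheable: bool = False

def validate(sig: CustomAppSignature) -> List[str]:
    """Return every documented rule the definition breaks; [] means acceptable."""
    problems = []
    if not NAME_RE.match(sig.name):
        problems.append("name: alphanumerics, ':' '.' '-' '_' only, 1-63 chars, no spaces")
    if not 1 <= sig.order <= 50000:
        problems.append("order: must be in 1-50000")
    if sig.icmp is not None and not all(0 <= v <= 254 for v in sig.icmp):
        problems.append("icmp: type and code must be in 0-254")
    if sig.ip_protocol in RESERVED_IP_PROTOCOLS:
        pname = RESERVED_IP_PROTOCOLS[sig.ip_protocol]
        problems.append(f"ip_protocol: {sig.ip_protocol} ({pname}) not allowed; use an L7 signature")
    elif sig.ip_protocol is not None and not 0 <= sig.ip_protocol <= 254:
        problems.append("ip_protocol: must be in 0-254")
    for am in sig.address_mappings:
        try:
            max_prefix = 32 if ipaddress.ip_address(am.ip).version == 4 else 128
            if not 1 <= am.cidr <= max_prefix:
                problems.append(f"address mapping {am.name}: CIDR must be 1-{max_prefix}")
        except ValueError:
            problems.append(f"address mapping {am.name}: {am.ip!r} is not an IP address")
        for proto, ports in (("tcp", am.tcp_ports), ("udp", am.udp_ports)):
            try:
                parse_port_list(ports)
            except ValueError as exc:
                problems.append(f"address mapping {am.name}: {proto} {exc}")
    for m in sig.l7_members:
        if not MEMBER_RE.match(m.number):
            problems.append(f"member {m.number}: name must be m01-m15")
        if not 1 <= len(m.pattern) <= 128:
            problems.append(f"member {m.number}: pattern must be 1-128 characters")
    non_l7 = sig.icmp is not None or sig.ip_protocol is not None or bool(sig.address_mappings)
    if sig.cacheable and (non_l7 or not sig.l7_members):
        problems.append("cacheable: supported only when L7 signatures are configured alone")
    return problems

def example_good() -> CustomAppSignature:
    """Constructed L7-only signature with two members over HTTP; cacheable is allowed."""
    return CustomAppSignature(
        name="corp-wiki", order=100, cacheable=True,
        l7_members=[L7Member("m01", "http-header-host", "client-to-server", r"wiki\.example\.com"),
                    L7Member("m02", "http-url-parsed", "client-to-server", r"/api/.*")])

def example_bad() -> CustomAppSignature:
    """Constructed definition breaking four rules: space in name, TCP (6) as IP protocol,
    /33 on an IPv4 address, and cacheable combined with address mapping."""
    return CustomAppSignature(
        name="bad app", ip_protocol=6, cacheable=True,
        address_mappings=[AddressMapping("srv1", "10.1.1.10", 33, tcp_ports="80-82 443")])
```

Running `validate(example_bad())` returns four messages, one per broken rule, while `validate(example_good())` returns an empty list. Port lists follow the Table 2 convention (space-separated, `80-82 443`); the comma-separated form shown for the Table 3 Port Range field is not parsed by this helper.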