Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Application Identification

Application Identification enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. Using several different identification mechanisms, App ID detects the applications on your network regardless of the port, protocol, and other evasive tactics used. For more information, see the following topics:

Understanding Application Identification Techniques

Historically, firewalls have used the IP address and port numbers as a way of enforcing policies. That strategy is based on the assumption that users connect to the network from fixed locations and access particular resources using specific port numbers.

Today, wireless networking and mobile devices require a different strategy. The way in which devices connect to the network changes rapidly. An individual can connect to the network using multiple devices simultaneously. It is no longer practical to identify a user, application, or device by a group of statically allocated IP addresses and port numbers.

This topic includes the following section:

Junos OS Next-Generation Application Identification

Next-generation application identification builds on the legacy application identification functionality and provides more effective detection capabilities for evasive applications such as Skype, BitTorrent, and Tor.

Junos OS application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than port number. Applications are identified by using a protocol bundle containing application signatures and parsing information. The identification is based on protocol parsing and decoding and session management.

The detection mechanism has its own data feed and constructs to identify applications.

The following features are supported in application identification:

  • Support for protocols and applications, including video streaming, peer-to-peer communication, social networking, and messaging

  • Identification of services within applications

  • Ability to distinguish actions launched within an application (such as login, browse, chat, and file transfer)

  • Support for all versions of protocols and application decoders and dynamic updates of decoders

  • Support for encrypted and compressed traffic and most complex tunneling protocols

  • Ability to identify all protocols from Layer 3 to Layer 7 and above Layer 7

Benefits of Application Identification

  • Provides granular control over applications, including video streaming, peer-to-peer communication, social networking, and messaging. It also identifies services, port usage, underlying technology, and behavioral characteristics within applications. This visibility enables you to block evasive applications inline at the SRX Series firewall.

  • Identifies applications and allows, blocks, or limits applications— regardless of port or protocol, including applications known for using evasive techniques to avoid identification. This identification helps organizations control the types of traffic allowed to enter and exit the network.

Application Signature Mapping

Application signature mapping is a precise method of identifying the application that issued traffic on the network. Signature mapping operates at Layer 7 and inspects the actual content of the payload.

Applications are identified by using a downloadable protocol bundle. Application signatures and parsing information of the first few packets are compared to the content of the database. If the payload contains the same information as an entry in the database, the application of the traffic is identified as the application mapped to that database entry.

Juniper Networks provides a predefined application identification database that contains entries for a comprehensive set of known applications, such as FTP and DNS, and applications that operate over the HTTP protocol, such as Facebook, Kazaa, and many instant messaging programs. A signature subscription allows you to download the database from Juniper Networks and regularly update the content as new predefined signatures are added.

Application Identification Match Sequence

Figure 1 shows the sequence in which mapping techniques are applied and how the application is determined.

Figure 1: Mapping SequenceMapping Sequence

In application identification, every packet in the flow passes through the application identification engine for processing until the application is identified. Application bindings are saved in the application system cache (ASC) to expedite future identification process.

Application signatures identify an application based on protocol grammar analysis in the first few packets of a session. If the application identification engine has not yet identified the application, it passes the packets and waits for more data.

The application identification module matches applications for both client-to-server and server-to-client sessions.

Once the application is determined, AppSecure service modules can be configured to monitor and control traffic for tracking, prioritization, access control, detection, and prevention based on the application ID of the traffic.

  • Application Tracking (AppTrack)— Tracks and reports applications passing through the device.

  • Intrusion Detection and Prevention (IDP)— Applies appropriate attack objects to applications running on nonstandard ports. Application identification improves IDP performance by narrowing the scope of attack signatures for applications without decoders.

  • Application Firewall (AppFW)— Implements an application firewall using application-based rules.

  • Application Quality of Service (AppQoS)— Provides quality-of-service prioritization based on application awareness.

  • Advanced policy-based routing (APBR)— Classifies session based on applications and applies the configured rules to reroute the traffic.

  • Application Quality of Experience (AppQoE)— Monitors the performance of applications, and based on the score, selects the best possible link for that application traffic.

Understanding the Junos OS Application Identification Database

A predefined signature database is available on the Juniper Networks Security Engineering website. This database includes a library of application signatures. See Application Signatures for more details. These signature pages will give you visibility into the application category, group, risk-level, ports, and so on.

The predefined signature package provides identification criteria for known application signatures and is updated periodically.

Whenever new applications are added, the protocol bundle is updated and generated for all relevant platforms. It is packaged together with other application signature files. This package will be available for download through the security download website.

A subscription service allows you to regularly download the latest signatures for up-to-date coverage without having to create entries for your own use.

Application identification is enabled by default and is automatically turned on when you configure Intrusion Detection and Prevention (IDP), AppFW, AppQoS, or AppTrack.

Note:

Updates to the Junos OS predefined application signature package are authorized by a separately licensed subscription service. You must install the application identification application signature update license key on your device to download and install the signature database updates provided by Juniper Networks. When your license key expires, you can continue to use the locally stored application signature package contents but you cannot update the package.

Disabling and Reenabling Junos OS Application Identification

Application identification is enabled by default. You can disable application identification with the CLI.

To disable application identification:

If you want to reenable application identification, delete the configuration statement that specifies disabling of application identification:

If you are finished configuring the device, commit the configuration.

To verify the configuration, enter the show services application-identification command.

Understanding the Application System Cache

Application system cache (ASC) saves the mapping between an application type and the corresponding destination IP address, destination port, protocol type, and service. Once an application is identified, its information is saved in the ASC so that only a matching entry is required to identify an application running on a particular system, thereby expediting the identification process.

By default, the ASC saves the mapping information for 3600 seconds. However, you can configure the cache timeout value by using the CLI.

You can use the [edit services application-identification application-system-cache-timeout] command to change the timeout value for the application system cache entries. The timeout value can be configured from 0 through 1,000,000 seconds. The ASC session might expire after 1000,000 seconds.

ASC entries expire after the configured ASC timeout. ASC entries are not refreshed even when there are cache hits (matching entry in ASC found) during the timeout period.

Note:

When you configure a new custom application signature or modify an existing custom signature, all the existing application system cache entries for predefined and custom applications will be cleared.

Note:

When you delete or disable a custom application signature, and the configuration commit fails, the application system cache (ASC) entry is not cleared completely; instead, a base application in the path of custom application will be reported in ASC.

Enabling or Disabling Application System Cache for Application Services

Starting in Junos OS Release 18.2R1, the default behavior of the ASC is changed as follows:

  • Before Junos OS Release 18.2R1—ASC is enabled by default for all services including security services.
  • From Junos OS Release 18.2R1 onwards—ASC is enabled by default; note the difference in security services lookup:

    • ASC lookup for security services is not enabled by default. That is—security services including security policies, application firewall (AppFW), application tracking (AppTrack), application quality of service (AppQoS), Juniper ATP Cloud, IDP, and Content Security do not use the ASC by default.

    • ASC lookup for miscellaneous services is enabled by default. That is—miscellaneous services including advanced policy-based routing (APBR) use the ASC for application identification by default.

Note:

The change in the default behavior of the ASC affects the legacy AppFW functionality. With the ASC disabled by default for the security services starting in Junos OS Release 18.2 onward, AppFW will not use the entries present in the ASC.

You can revert to the ASC behavior as in Junos OS releases before Release 18.2 by using the set services application-identification application-system-cache security-services command.

CAUTION:

The security device might become susceptible to application evasion techniques if the ASC is enabled for security services. We recommend that you enable the ASC only when the performance of the device in its default configuration (disabled for security services) is not sufficient for your specific use case.

Use the following commands to enable or disable the ASC:

  • Enable the ASC for security services:

  • Disable the ASC for miscellaneous services:

  • Disable the enabled ASC for security services:

  • Enable the disabled ASC for miscellaneous services:

You can use the show services application-identification application-system-cache command to verify the status of the ASC.

The following sample output provides the status of the ASC:

In releases before Junos OS Release 18.2R1, application caching was enabled by default. You can manually disable it by using the set services application-identification no-application-system-cache command.

Verifying Application System Cache Statistics

Purpose

Verify the application system cache (ASC) statistics.

Note:

The application system cache will display the cache for application identification applications.

Action

From CLI operation mode, enter the show services application-identification application-system-cache command.

Sample Output

command-name

Meaning

The output shows a summary of the ASC statistics information. Verify the following information:

  • IP address—Displays the destination address.

  • Port—Displays the destination port on the server.

  • Protocol—Displays the protocol type on the destination port.

  • Application—Displays the name of the application identified on the destination port.

Note:

On for SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices, when there are a large number of ASC entries (10,000 or more), and the entries are to be listed in the output for the command show services application-identification application-system-cache, a CLI session timeout occurs.

Onbox Application Identification Statistics

Application Identification services provide statistical information per session. These statistics provide customers with an application usage profile. The Onbox Application Identification Statistics feature adds application-level statistics to the AppSecure suite. Application statistics allow an administrator to access cumulative statistics as well as statistics accumulated over user-defined intervals.

With this feature, the administrator can clear the statistics and configure the interval values while maintaining bytes and session count statistics. Because the statistics count occurs at session close event time, the byte and session counts are not updated until the session closes. Juniper Networks security devices support a history of eight intervals that an administrator can use to display application session and byte counts. Starting in Junos OS 18.3R1, the security devices support a history of one interval to display application session and byte counts.

If application grouping is supported in your configuration of Junos OS, then the Onbox Application Identification Statistic feature supports onbox per-group matching statistics. The statistics are maintained for predefined groups only.

Reinstalling an application signature package will not clear the application statistics. If the application is disabled, there will not be any traffic for that application, but the application is still maintained in the statistics. It does not matter if you are reinstalling a predefined application, because applications are tracked according to application type. For predefined group statistics, reinstalling a security package will not clear the statistics. However, any changes to group memberships are updated. For example, junos:web might have 50 applications in the current release and 60 applications following an upgrade. Applications that are deleted and application groups that are renamed are handled in the same way as applications that are added.

The Application Identification module maintains a 64-bit session counters for each application on each Services Processing Unit (SPU). The counter increments when a session is identified as a particular application. Another set of 64-bit counters aggregates the total bytes per application on the SPU. Counters for unspecified applications are also maintained. Statistics from multiple SPUs for both sessions and bytes are aggregated on the Routing Engine and presented to the users.

Individual SPUs have interval timers to roll over statistics per interval time. To configure the interval for statistics collection, use the set services application-identification statistics interval time command. Whenever the Routing Engine queries for the required interval, the corresponding statistics are fetched from each SPU, aggregated in the Routing Engine and presented to the user.

Use the clear services application-identification statistics to clear all application statistics such as cumulative, interval, applications, and application groups.

Use the clear services application-identification counter command to reset the counters manually. Counters reset automatically when a device is upgraded or rebooted, when flowd restarts, or when there is a change in the interval timer.

Use the set services application-identification application-system-cache-timeout value to specify the timeout value in seconds for the application system cache entries.

Starting from Junos OS Release 15.1X49-D120, on all SRX Series Firewalls, the default time interval for application identification statistics collection time is changed from 1 minute to 1440 minutes.

Configuring IMAP Cache Size

Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients for e-mail storage and retrieval services. IMAP cache is used for protocol parsing and context generation. It stores parsing related information of an email.

Starting from Junos OS Release 15.1X49-D120, you can configure to limit the maximum number of entries in the IMAP cache and specify the timeout value for the entries in the cache.

You can use the following commands to modify the settings for IMAP cache:

set services application-identification imap-cache imap-cache-size size

set services application-identification imap-cache imap-cache-timeout time in seconds

Example:

In this example, the IMAP cache size is configured to store 50,000 entries.

In this example, time out period is configured to 600 seconds during which a cache entry remains in IMAP cache.

Understanding Jumbo Frames Support for Junos OS Application Identification Services

Application identification support the larger jumbo frame size of 9192 bytes. Although jumbo frames are enabled by default, you can adjust the maximum transmission unit (MTU) size by using the [set interfaces] command. CPU overhead can be reduced while processing jumbo frames.

Application Identification Inspection Limit

Starting in Junos OS Releases 15.1X49-D200 and 19.4R1, you have the flexibility to configure the application identification inspection limits:.

  • Inspection Limit for TCP and UDP Sessions

    You can set the byte limit and the packet limit for application identification (AppID) in a UDP or in a TCP session. AppID concludes the classification based on the configured inspection limit. On exceeding the limit, AppID terminates the application classification.

    If AppID does not conclude the final classification within the configured limits, and a pre-matched application is available, AppID concludes the application as the pre-matched application. Otherwise, the application is concluded as junos:UNKNOWN provided the global AppID cache is enabled. The global AppID cache is enabled by default.

    To configure the byte limit and the packet limit, use the following configuration statements from the [edit] hierarchy:

    Table 1 provides the range and default value for configuring the byte limit and the packet limit for TCP and UDP sessions.

    Table 1: Maximum Byte Limit and Packet Byte Limit for TCP and UDP Sessions

    Session

    Limit

    Range

    Default Value

    TCP

    Byte limit

    0 through 4294967295

    6000

    For Junos OS Release 15.1X49-D200, the default value is 10000.

    Packet limit

    0 through 4294967295

    Zero

    UDP

    Byte limit

    0 through 4294967295

    Zero

    Packet limit

    0 through 4294967295

    10

    For Junos OS Release 15.1X49-D200, the default value is 20.

    The byte limit excludes the IP header and the TCP/UDP header lengths.

    If you set the both the byte-limit and the packet-limit options, AppID inspects the session until both the limits are reached.

    You can disable the TCP or UDP inspection limit by configuring the corresponding byte-limit and the packet-limit values to zero.

  • Global Offload Byte Limit (Other Sessions)

    You can set the byte limit for the AppID to conclude the classification and identify the application in a session. On exceeding the limit, AppID terminates the application classification and takes one of the following decisions:

    • If a pre-matched application is available, AppID concludes the application classification as the pre-matched application in following cases:

      • When AppID does not conclude the final classification within the configured byte limit

      • When the session is not offloaded due to tunnelling behavior of some applications

    • If a pre-matched application is not available, AppID concludes the application as junos:UNKNOWN, provided the global AppID cache is enabled. The global AppID cache is enabled by default. See Enabling or Disabling Application System Cache for Application Services.

    To configure the byte limit, use the following configuration statement from the [edit] hierarchy:

    The default value for the global-offload-byte-limit option is 10000.

    You can disable the global offload byte limit by configuring the global-offload-byte-limit value to zero.

    The byte limit excludes the IP header and the TCP/UDP header lengths.

Enable Performance Mode Option

Starting in Junos OS Releases 15.1X49-D200 and 19.4R1, the maximum packet threshold for DPI performance mode option set services application-identification enable-performance-mode max-packet-threshold value is deprecated—rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. This option was used for setting the maximum packet threshold for the DPI performance mode.

If your configuration includes enabled performance mode option with max-packet-threshold in Junos OS 15.1X49-D200 and 19.4R1 releases, AppID concludes the application classification on reaching the lowest value configured in the TCP or UDP inspection limit or global offload byte limit, or in the maximum packet threshold for DPI performance mode option.

Application Identification Support for Applications Hosted on Content Delivery Network (CDN)

Starting in Junos OS Release 20.1R1 and 19.1R3, you can enable application identification (AppID) to classify a web application that is hosted on a content delivery network (CDN) such as AWS, Akamai, Azure, Fastly, and Cloudflare and so on accurately. Use the following configuration statement to enable CDN application classification:

When you apply the configuration, AppID identifies and classifies actual applications that are hosted on the CDN.

Maximum Memory Limit for DPI

Starting in Junos OS Release 20.1R1 and 19.1R3, you can configure the maximum memory limit for deep packet inspection (DPI) by using the following configuration statement:

You can set 1 through 200000 MB as memory value.

Once the JDPI memory consumption reaches to 90% of the configured value, then DPI stops processing new sessions.

Improving the Application Traffic Throughput

The application traffic throughput can be improved by setting the deep packet inspection (DPI) in performance mode with default packet inspection limit as two packets, including both client-to-server and server-to-client directions. By default, performance mode is disabled on security devices.

To improve the application traffic throughput:

  1. Enable the DPI performance mode.
  2. (Optional) You can set the maximum packet threshold for DPI performance mode, including both client-to-server and server-to-client directions.

    You can set the packet inspection limit from 1 through 100.

    Starting in Junos OS Releases 15.1X49-D200 and 19.4R1, the maximum packet threshold for DPI performance mode option set services application-identification enable-performance-mode max-packet-threshold value is deprecated—rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. This option was used for setting the maximum packet threshold for the DPI performance mode.

  3. Commit the configuration.

Use the show services application-identification status command to display detailed information about application identification status.

show services application-identification status (DPI Performance Mode Enabled)

The DPI Performance mode field displays whether the DPI performance mode is enabled or not. This field is displayed in the CLI command output only if the performance mode is enabled.

If you want to set DPI to default accuracy mode and disable the performance mode, delete the configuration statement that specifies enabling of the performance mode:

To disable the performance mode:

  1. Delete the performance mode.

  2. Commit the configuration.

Packet Capture of Unknown Application Traffic Overview

You can use the packet capture of unknown applications feature to gather more details about an unknown application on your security device. Unknown application traffic is the traffic that does not match an application signature.

Once you’ve configured packet capture options on your security device, the unknown application traffic is gathered and stored on the device in a packet capture file (.pcap). You can use the packet capture of an unknown application to define a new custom application signature. You can use this custom application signature in a security policy to manage the application traffic more efficiently.

You can send the .pcap file to Juniper Networks for analysis in cases where the traffic is incorrectly classified, or to request creation of an application signature.

Benefits of Packet Capture of Unknown Application Traffic

You can use the packet capture of unknown application traffic to:

  • Gather more insight about an unknown application

  • Analyze unknown application traffic for potential threats

  • Assist in creation of security policy rules

  • Enable custom application signature creation

Note:

Implementing security policies that block all unknown application traffic could cause issues with network-based applications. Before applying these types of policies, be sure to validate that this approach does not cause issues in your environment. You must carefully analyze the unknown application traffic, and define the security policy accordingly.

Configure Packet Capture For Unknown Application Traffic

Before You Begin

To enable automatic packet capture of unknown application traffic, you must:

Overview

In this example, you’ll learn how to configure automated packet capture of unknown applications on your security device by completing the following steps:

  • Set packet capture options at global level or at a security policy level.

  • Configure packet capture mode

  • (Optional) Configure packet capture file options

  • Access the generated packet capture file (.pcap file)

Configuration

To learn about packet capture configuration options, see packet-capture before you begin.

Packet Capture for Unknown Applications Globally

Step-by-Step Procedure
  • To enable packet capture at a global level, use the following command:

When you enable packet capture at the global level, your security device generates a packet capture for all sessions that contain unknown application traffic.

Packet Capture for Unknown Applications At a Security Policy Level

Step-by-Step Procedure
  • Configure packet capture at a security policy level, use the following procedure. In this example, you’ll enable packet capture of unknown application traffic at the security policy P1.

    To enable packet capture of unknown application traffic at the security policy level, you must include junos:UNKNOWN as the dynamic-application match conditions.

    When you configure the security policy (P1), the system captures the packet details for the application traffic that matches the security policy match criteria.

Selecting Packet Capture Mode

You can capture the packets for the unknown application traffic in either of the following modes:

  • ASC mode—Captures packets for unknown applications when the application is classified as junos:UNKNOWN and has a matching entry in the application system cache (ASC). This mode is enabled by default.

  • Aggressive mode—Captures all traffic before AppID has finished classification. In this mode, the system captures all application traffic regardless of an available ASC entry. Packet capture begins from the first packet of the first session. Note that aggressive mode is significantly more resource-intensive and should be used with caution.

    To enable aggressive mode, use the following command:

    We do not recommend using aggressive mode unless you need to capture the first occurrence of a flow. As noted above, the default behavior of the device relies on the ASC.

Define Packet Capture Options (Optional)

Step-by-Step Procedure

Optionally, you can set the following packet capture parameters. Otherwise, the default options described in packet-capture are used for this feature. In this example, you define packet capture options such as maximum packet limit, maximum byte limit, and number of packet capture (.pcap) files.

  1. Set the maximum number of UDP packets per session.

  2. Set the maximum number of TCP bytes per session.

  3. Set the maximum number of packet capture (.pcap) files to be created before the oldest one is overwritten and rotated out.

Results

From configuration mode, confirm your configuration by entering the show services application-identification packet-capture command and show security policies hierarchy level. If the output does not display the intended configuration, follow the configuration instructions in this example to correct it.

The following configuration shows an example of unknown application packet capture at the global level with optional configurations:

The following configuration shows an example of unknown application packet capture at a security policy level with optional configurations:

If you are done configuring the device, enter commit from configuration mode.

Accessing Packet Capture Files (.pcaps)

After you complete the configuration and commit it, you can view the packet capture (.pcap) file. The system generates a unique packet capture file for each destination IP address, destination port, and protocol.

Step-by-Step Procedure

To view the packet capture file:

  1. Navigate to the directory where .pcap files are stored on the device.

  2. Locate the .pcap file.

    The .pcap file is saved in destination-IP-address. destination-port.protocol. pcap format. Example: 142.250.31.156_443_17.pcap.

    You can download the .pcap file by using SFTP or SCP and view it with Wireshark or your favorite network analyzer.

    Figure 2 shows a sample .pcap file generated for the unknown application traffic.

    Figure 2: Sample Packet Capture FileSample Packet Capture File
    Note:

    In situations where packet loss is occurring, the device may not be able to capture all relevant details of the flow. In this case, the .pcap file will only reflect what the device was able to ingest and process.

The security device saves the packet capture details for all traffic that matches the three match criteria (destination IP address, destination port, and protocol) in the same file regardless of global or policy-level configuration. The system maintains the cache with the destination IP address, destination port, and the protocol and does not accept the repeated capturing of the same traffic which exceeds the defined limit. You can set the packet capture file options as in packet-capture.

Verification

Viewing Packet Capture Details

Purpose

View the packet capture details to confirm that your configuration is working.

Action

Use the show services application-identification packet-capture counters command.

Meaning

From this sample output, you can get details such as the number of sessions being captured, and the number of sessions already captured. For more details about the packet capture counters, see show services application-identification packet-capture counters.

Packet Capture of Unknown Applications Details per Session

Starting in Junos OS Release 21.1, your security device stores the packet capture of unknown applications details per session. As a result of this change, the packet capture (.pcap) file now includes the session ID in the file name. That is—destination-IP-address_destination-port_protocol_session-id. pcap in /var/log/pcap location.

By storing the packet capture per session, the .pcap file size is reduced as it saves details per session only.

In addition, we’ve enhanced packet capture of unknown application functionality to capture unknown SNI details

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
19.4R1
Starting in Junos OS Releases 15.1X49-D200 and 19.4R1, you have the flexibility to configure the application identification inspection limits:
19.4R1
Starting in Junos OS Releases 15.1X49-D200 and 19.4R1, the maximum packet threshold for DPI performance mode option set services application-identification enable-performance-mode max-packet-threshold value is deprecated
18.2R1
Starting in Junos OS Release 18.2R1, the default behavior of the ASC is changed
18.2R1
In releases before Junos OS Release 18.2R1, application caching was enabled by default. You can manually disable it by using the set services application-identification no-application-system-cache command.
15.1X49-D120
Starting from Junos OS Release 15.1X49-D120, you can configure to limit the maximum number of entries in the IMAP cache and specify the timeout value for the entries in the cache.