Predefined and Custom Application Groups for Application Identification
You can define an application group for both predefined and custom applications. An application group contains applications that need similar treatment when defining a security policy. For more information, see the following topics:
Customizing Application Groups for Junos OS Application Identification
In Junos OS, application identification allows you to group applications in policies. Applications can be grouped under predefined and custom application groups. The entire predefined application group can be downloaded as part of the IDP or application identification security package. You can create custom application groups with a set of similar applications for consistent reuse when defining policies.
Application group support associates related applications under a single name for simplified, consistent reuse when using any application services.
As the predefined signature database changes, the content of a predefined application group can be modified to include new signatures.
An application group can contain applications and groups simultaneously. It is possible to assign one application to multiple groups. There is no limit to the number of dynamic application groups contained in one rule.
The hierarchy of application groups resembles a tree structure with associated applications as the leaf nodes. The group any refers to the root node. The group unassigned is always situated one level from the root and initially contains all applications. When a group is defined, applications are assigned from the unassigned group to the new group. When a group is deleted, its applications are moved back to the unassigned group.
All predefined application groups have the prefix "junos" in the application group name to prevent naming conflicts with custom application groups. You cannot modify the list of applications within a predefined application group. However, you can copy a predefined application group to use it as a template for creating a custom application group.
To customize a predefined application group, you must first disable the predefined group. Note that a disabled predefined application group remains disabled after an application database update. You can then use the operational command request services application-identification group to copy the disabled predefined application group. The copied group is placed in the configuration file, and the prefix "junos" is changed to "my". At this point, you can modify the list of applications in the "my" application group and rename the group with a unique name.
To reassign an application from one custom group to another, you must remove the application from its current custom application group, and then reassign it to the other.
Starting in Junos OS Release 18.2R2 and Junos OS Release 18.4R1, encrypted applications such as HTTP, SMTP, IMAP and POP3 over SSL are identified as junos:HTTPS, junos:SMTPS, junos:IMAPS, and junos:POP3S in Junos OS predefined applications and application sets.
For example, if you configure a security policy to allow or deny HTTPS traffic, you must specify the application matching criteria as junos:HTTPS.
In previous Junos OS releases, both HTTP and encrypted HTTP (HTTPS) traffic could be configured using the same application matching criteria, junos:HTTP.
Example: Configuring a Custom Application Group for Junos OS Application Identification for Simplified Management
This example shows how to configure custom application groups for Junos OS application identification for consistent reuse when defining policies.
Requirements
Before you begin, install an entire signature database from an IDP or an application identification security package. See Downloading and Installing the Junos OS Application Signature Package Manually or Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package.
Overview
In this example, you define applications for an application group, delete an application from an application group, and include an application group within another application group.
In Junos OS, application identification allows you to group applications in policies. Applications can be grouped under predefined and custom application groups. The entire predefined application group can be downloaded as part of the IDP or application identification security package. You can create custom application groups with a set of similar applications for consistent reuse when defining policies.
You cannot modify the applications defined in a predefined application group. However, you can copy a predefined application group using the operational command request services application-identification group group-name copy to create a custom application group and modify the list of applications. For more information, see request services application-identification group.
Configuration
- Configuring Junos OS Application Identification User-Defined Application Groups
- Deleting an Application from a User-Defined Application Group
- Creating Child Application Groups for an Application Group
Configuring Junos OS Application Identification User-Defined Application Groups
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set services application-identification application-group my_web
set services application-identification application-group my_web applications junos:HTTP
set services application-identification application-group my_web applications junos:FTP
set services application-identification application-group my_web applications junos:AMAZON
set services application-identification application-group my_web applications junos:GOPHER
set services application-identification application-group my_peer
set services application-identification application-group my_peer applications junos:BITTORRENT
set services application-identification application-group my_peer applications junos:BITTORRENT-APPLICATION
set services application-identification application-group my_peer applications junos:BITTORRENT-WEB-CLIENT
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a custom application group for application identification:
Set the name of your custom application group.
[edit services application-identification]
user@host# set application-group my_web
Add the list of applications that you want to include in your custom application group.
[edit services application-identification]
user@host# set application-group my_web applications junos:HTTP
user@host# set application-group my_web applications junos:FTP
user@host# set application-group my_web applications junos:GOPHER
user@host# set application-group my_web applications junos:AMAZON
Set the name of a second custom application group.
[edit services application-identification]
user@host# set application-group my_peer
Add the list of applications that you want to include in the group.
[edit services application-identification]
user@host# set application-group my_peer applications junos:BITTORRENT
user@host# set application-group my_peer applications junos:BITTORRENT-APPLICATION
user@host# set application-group my_peer applications junos:BITTORRENT-WEB-CLIENT
Results
From configuration mode, confirm your configuration by entering the show services application-identification application-group application-group-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show services application-identification application-group my_web
applications {
    junos:HTTP;
    junos:FTP;
    junos:GOPHER;
    junos:AMAZON;
}
user@host# show services application-identification application-group my_peer
applications {
    junos:BITTORRENT;
    junos:BITTORRENT-APPLICATION;
    junos:BITTORRENT-WEB-CLIENT;
}
If you are done configuring the device, enter commit from configuration mode.
Deleting an Application from a User-Defined Application Group
CLI Quick Configuration
To quickly configure this section of the example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
[edit]
delete services application-identification application-group my_web applications junos:AMAZON
Step-by-Step Procedure
To delete an application from a custom application group:
Delete an application from a custom application group.
[edit services application-identification] user@host# delete application-group my_web applications junos:AMAZON
Results
From configuration mode, confirm your configuration by entering the show services application-identification group detail command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show services application-identification group detail
application group my_web {
junos:HTTP;
junos:FTP;
junos:GOPHER;
}
If you are done configuring the device, enter commit from configuration mode.
Creating Child Application Groups for an Application Group
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set services application-identification application-group p2p
set services application-identification application-group p2p application-groups my_web
set services application-identification application-group p2p application-groups my_peer
Step-by-Step Procedure
To configure child application groups for a custom application group:
Set the name of the custom application group in which you are configuring the child application groups.
[edit services application-identification]
user@host# set application-group p2p
Add the child application groups.
[edit services application-identification]
user@host# set application-group p2p application-groups my_web
user@host# set application-group p2p application-groups my_peer
Results
From configuration mode, confirm your configuration by entering the show services application-identification application-group application-group-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show services application-identification application-group p2p
application-groups {
    my_web;
    my_peer;
}
If you are done configuring the device, enter commit from configuration mode.
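As an added example (not Juniper code), a small Python model of the group tree described earlier on this page: the any root, the unassigned group, nested groups such as the p2p group configured above, the remove-then-reassign rule for custom groups, and the disable-then-copy rule for predefined junos groups. The predefined group name junos:PLACEHOLDER-GROUP, the literal prefix swap from "junos" to "my", and the rule that an application returns to unassigned only when no group still lists it are assumptions made for this example.

```python
# Model of the application-group tree this page describes (added example, not Juniper code):
# 'any' is the root, 'unassigned' holds apps in no group, groups nest, 'junos' groups are read-only.
class AppGroupTree:
    def __init__(self, predefined, all_apps):
        self.apps = {g: set(a) for g, a in predefined.items()}  # group -> its applications
        self.apps["unassigned"] = set(all_apps) - set().union(*predefined.values())
        self.children = {"any": {"unassigned", *predefined}}  # group -> child groups
        self.disabled = set()

    def _custom(self, group):  # custom groups are created on first use; 'junos' ones are read-only
        if group.startswith("junos"):
            raise PermissionError(f"{group} is predefined: disable it and copy it instead")
        for table in (self.apps, self.children):
            table.setdefault(group, set())
        self.children["any"].add(group)

    def add_app(self, group, app):  # assigning an app moves it out of 'unassigned'
        self._custom(group)
        self.apps[group].add(app)
        self.apps["unassigned"].discard(app)
    def remove_app(self, group, app):  # step one of reassigning an app to another group
        self.apps[group].discard(app)
        if not any(app in members for members in self.apps.values()):
            self.apps["unassigned"].add(app)  # assumed: only when no other group lists it

    def add_child(self, group, child):
        self._custom(group)
        self.children[group].add(child)
    def copy_predefined(self, group):  # disabled 'junos' group -> editable 'my' copy
        if group not in self.disabled:
            raise ValueError(f"disable {group} before copying it")
        new = "my" + group[len("junos"):]  # assumed: prefix swapped literally, rest of name kept
        self.apps[new], self.children[new] = set(self.apps[group]), set()
        self.children["any"].add(new)
        return new

    def resolve(self, group):  # leaf applications a policy referencing this group would match
        apps = set(self.apps.get(group, ()))
        for child in self.children.get(group, ()):
            apps |= self.resolve(child)
        return apps


def build_page_example():  # rebuild the my_web, my_peer and nested p2p groups from this page
    web = ["junos:HTTP", "junos:FTP", "junos:GOPHER", "junos:AMAZON"]
    peer = ["junos:BITTORRENT", "junos:BITTORRENT-APPLICATION", "junos:BITTORRENT-WEB-CLIENT"]
    tree = AppGroupTree({"junos:PLACEHOLDER-GROUP": {"junos:HTTP"}}, web + peer)  # constructed group
    for app in web: tree.add_app("my_web", app)
    for app in peer: tree.add_app("my_peer", app)
    tree.add_child("p2p", "my_web"); tree.add_child("p2p", "my_peer")
    return tree
```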
Enabling or Disabling Application Groups in Junos OS Application Identification
All application groups are enabled by default. Predefined application groups are enabled at installation.
For predefined application groups, you can disable and reenable a group using the request services application-identification group command. You cannot delete a predefined signature or signature group.
To disable a predefined application group:
user@host> request services application-identification group disable predefined-application-group-name
Note: Make sure to commit the configuration changes or roll back the configuration when you are attempting to enable a disabled application or an application group. Uncommitted changes might result in configuration failure.
To reenable a disabled predefined application group:
user@host> request services application-identification group enable predefined-application-group-name