ON THIS PAGE
Installing and Verifying Licenses for an Application Signature Package
Downloading and Installing the Junos OS Application Signature Package Manually
Downloading Junos OS Application Signature Package from A Proxy Server
Example: Scheduling the Application Signature Package Updates
Scheduling the Application Signature Package Updates As Part of the IDP Security Package
Example: Downloading and Installing the Application Identification Package in Chassis Cluster Mode
Verifying the Junos OS Application Identification Extracted Application Package
Uninstalling the Junos OS Application Identification Application Package
Application Signatures for Application Identification Enhancements
Predefined Application Signatures for Application Identification
Predefined application signature package is a dynamically loadable module that provides application classification functionality and associated protocol attributes. It is hosted on an external server and can be downloaded as a package and installed on the device. For more information, see the following topics:
Understanding the Junos OS Application Package Installation
Juniper Networks regularly updates the predefined application signature package database and makes it available to subscribers on the Juniper Networks website. This package includes signature definitions of known application objects that can be used to identify applications for tracking, firewall policies, quality-of-service prioritization, and Intrusion Detection and Prevention (IDP). The database contains application objects such as FTP, DNS, Facebook, Kazaa, and many instant messenger programs.
You need to download and install the application signature package before configuring application services. The application signature package is included in the IDP installation directly and does not need to be downloaded separately.
If you have IDP enabled and plan to use application identification, you can continue to run the IDP signature database download. To download the IDP signature database, run the following command:
request security idp security-package download. The application package download can be performed manually or automatically. See Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package.Note:If you have an IDP-enabled device and plan to use application identification, we recommend that you download only the IDP signature database. This will avoid having two versions of the application database, which could become out of sync.
If you do not have IDP enabled and plan to use application identification, you can run the following commands:
request services application-identification downloadandrequest services application-identification install. These commands will download the application signature database and install it on the device.You can perform the download manually or automatically. When you download the extracted package manually, you can change the download URL.
After downloading and installing the application signature package, use CLI commands to download and install database updates, and view summary and detailed application information.
See Downloading and Installing the Junos OS Application Signature Package Manually or Example: Scheduling the Application Signature Package Updates.
Note:The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content but you cannot update the data.
Note:Starting from Junos OS Release 15.1X49-D50 and Junos OS Release 17.3, when you upgrade or downgrade an application signature package, an error message is displayed if there is any mismatch of application IDs (unique ID number of an application signature) between proto bundles and these applications are configured in AppFW and AppQoS rules.
Example:
Please resolve following references and try it again [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:CCPROXY]
As a workaround, disable the AppFW and AppQoS rules before upgrading or downgrading an application signature package. You can reenable AppFW and AppQoS rules once the upgrade or downgrade procedure is complete.
Note:On all security devices, J-Web pages for AppSecure Services are preliminary. We recommend using the CLI for configuration of AppSecure features.
This feature requires a license. To understand more about Junos OS application signature package, Please refer to the Juniper Licensing Guide for general information about License Management. Please refer to the product Data Sheets at SRX Series Services Gateways for details, or contact your Juniper Account Team or Juniper Partner.
Upgrading to Next-Generation Application Identification
Starting from Junos OS Release 12.1X47-D10, next-generation application identification is supported. You must install Junos OS Release 12.1X47-D10 to migrate from existing, or legacy, application identification to next-generation application identification.
Security devices installed with Junos OS builds with legacy application identification include legacy application identification security packages. When you upgrade these devices with Junos OS Release 12.1X47-D10, the next-generation application identification security package is installed along with the default protocol bundle. The device is automatically upgraded to next-generation application identification.
The next-generation application identification security package introduces incremental updates to the legacy application identification package. You are not required to remove or uninstall any existing applications.
Applications supported in previous releases (Junos OS Release 12.1X46 or prior) might have new aliases or alternative names in the new version. So existing configurations using such application work in Junos OS Release 12.1X47; however, related logs and other information will use the new name. You can use the
show services application-identification application detail new-application-namecommand to get the details of the applications.When you upgrade Junos OS, you can include the
validateorno-validateoptions with therequest system software addcommand. Because the existing features, which are not part of next-generation application identification, are deprecated, incompatibility issues are not seen.Next-generation application identification eliminates the generation of new nested applications and treats existing nested applications as normal applications. In addition, next-generation application identification does not support custom applications or custom application groups. Existing configurations involving any nested applications, custom applications, or custom application groups are ignored with warning messages.
See Also
Installing and Verifying Licenses for an Application Signature Package
The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content.
Licensing is usually ordered when the device is purchased, and this information is bound to the chassis serial number. These instructions assume that you already have the license. If you did not order the license during the purchase of the device, contact your account team or Juniper customer care for assistance. For more information, refer to the Knowledge Base article KB9731 at https://kb.juniper.net/InfoCenter/index?page=home.
Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX1500 devices, AppSecure is part of Junos Software Enhanced (JSE) software license package. There is no separate license key for AppSecure is available. You must use JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.
Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX300, SRX320, SRX340, and SRX345 devices, AppSecure is part of Junos Software Enhanced (JSE) software license package. There is no separate license key for AppSecure is available. You must use JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.
Starting from 15.1X49-D65 and Junos OS Release 17.3R1, on SRX4100, and SRX4200 devices, AppSecure is part of Junos Software Enhanced (JSE) license package. There is no separate license key for AppSecure is available. You must use JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.
Junos Software Base (JSB) package does not include application signatures. Please refer to the product Data Sheets at SRX Series Services Gateways for details, or contact your Juniper Account Team or Juniper Partner.
You can install the license on the SRX Series Firewall using either the automatic method or manual method as follows:
Install your license automatically on the device.
To install or update your license automatically, your device must be connected to the Internet .
user@host> request system license update
Trying to update license keys from https://ae1.juniper.net, use 'show system license' to check status.
Install the licenses manually on the device.
user@host> request system license add terminal
[Type ^D at a new line to end input, enter blank line between each license key]
Paste the license key and press Enter to continue.
Verify the license is installed on your device.
Use the
show system license commandcommand to view license usage, as shown in the following example:License usage: Licenses Licenses Licenses Expiry Feature name used installed needed logical-system 4 1 3 permanent License identifier: JUNOSXXXXXX License version: 2 Valid for device: AA4XXXX005 Features: appid-sig - APPID Signature date-based, 2014-02-17 08:00:00 GMT-8 - 2015-02-11 08:00:00 GMT-8The output sample is truncated to display only license usage details.
See Also
Downloading and Installing the Junos OS Application Signature Package Manually
This example shows how to download the application signature package, create a policy, and identify it as the active policy.
Requirements
Before you begin:
Ensure that your security device has a connection to the Internet to download security package updates.
Note:DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
This example uses the following hardware and software components:
An SRX Series device
Junos OS Release 12.1X47-D10
Overview
Juniper Networks regularly updates the predefined application signature package database and makes it available on the Juniper Networks website. This package includes application objects that can be used in Intrusion Detection and Prevention (IDP), application firewall policy, and AppTrack to match traffic.
Configuration
CLI Quick Configuration
CLI quick configuration is not available for this example because manual intervention is required during the configuration.
Downloading and Installing Application Identification
Step-by-Step Procedure
Download the application package.
user@host> request services application-identification download
Please use command "request services application-identification download status" to check status
Download retrieves the application package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.
You can also download a specific version of the application package or download the application package from the specific location by using the following options:
To download a specific version of the application package:
user@host>request services application-identification download version version-number
To change the download URL for the application package from configuration mode:
[edit] user@host# set services application-identification download url URL or File Path
Note:If you change the download URL and you want to keep that change, make sure you commit the configuration.
Check the download status.
user@host>request services application-identification download status
Application package 2345 is downloaded successfully
Note:You can also use the system log to view the result of the download. Starting in Junos OS Release 20.4R1, system log messages are updated to display the application signature package download and installation results.
Install the application package.
user@host>request services application-identification install
Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
The application package is installed in the application signature database on the device.
Check the installation status of the application package.
The command output displays information about the downloaded and installed versions of the application package and protocol bundle.
To view the installation status:
user@host>request services application-identification install status
Install application package 2345 succeed
To view the protocol bundle status:
user@host>request services application-identification proto-bundle-status
Protocol Bundle Version (1.30.4-22.005 (build date Jan 17 2014)) and application secpack version (2345) is loaded and activated.
Note:It is possible that an application signature was removed from the newer version of an application signature database. If this signature is used in an existing application firewall policy on your device, the installation of the new database will fail. An installation status message identifies the signature that is no longer valid. To update the database successfully, remove all references to the deleted signature from your existing policies and groups, and rerun the install command.
Verification
Confirm that the configuration is working properly.
Verifying the Application Identification Status
Purpose
Verify that the application identification configuration is working properly.
Action
From operational mode, enter the show services
application-identification status command.
pic: 1/0 Application Identification Status Enabled Sessions under app detection 0 Engine Version 4.18.1-20 (build date Jan 25 2014) Max TCP session packet memory 30000 Max C2S bytes 1024 Max S2C bytes 0 Force packet plugin Disabled Force stream plugin Disabled Statistics collection interval 1 (in minutes) Application System Cache Status Enabled Negative cache status Disabled Max Number of entries in cache 131072 Cache timeout in seconds 3600 Protocol Bundle Download Server https://signatures.juniper.net/cgi-bin/index.cgi AutoUpdate Enabled Slot 1: Status Active Version 1.30.4-22.005 (build date Jan 17 2014) Sessions 0 Slot 2 Status Free
Meaning
The Status: Enabled field shows that application
identification is enabled on the device.
Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package
You can download and install application signatures through intrusion detection and prevention (IDP) security packages.
This example shows how to enhance security by downloading and installing the IDP signatures and application signature package. In this case, both IDP signature pack and application signature pack are downloaded with a single command.
Requirements
Before you begin:
Ensure that your SRX Series Firewall has a connection to the Internet to download security package updates.
Note:DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
This example uses the following hardware and software components:
An SRX Series Firewall
Junos OS Release 12.1X47-D10
Overview
In this example, you download and install the signature database from the Juniper Networks website.
Configuration
Downloading and Installing the Signature Database
CLI Quick Configuration
CLI quick configuration is not available for this example because manual intervention is required during the configuration.
Step-by-Step Procedure
To download and install application signatures:
Download the signature database.
[edit]user@host# run request security idp security-package downloadWill be processed in async mode. Check the status using the status checking CLI
Note:Downloading the database might take some time depending on the database size and the speed of your Internet connection.
Check the security package download status.
[edit]user@host# run request security idp security-package download statusDone;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi). Version info:2230(Mon Feb 4 19:40:13 2013 GMT-8, Detector=12.6.160121210)
Install the attack database.
[edit]user@host# run request security idp security-package installWill be processed in async mode. Check the status using the status checking CLI
Note:Installing the attack database might take some time depending on the security database size.
Check the attack database install status. The command output displays information about the downloaded and installed versions of the attack database.
[edit]user@host# run request security idp security-package install statusDone;Attack DB update : successful - [UpdateNumber=2230,ExportDate=Mon Feb 4 19:40:13 2013 GMT-8,Detector=12.6.160121210] Updating control-plane with new detector : successful Updating data-plane with new attack or detector : successful
Confirm your IDP security package version.
[edit]user@host# run show security idp security-package-versionAttack database version:2230(Mon Feb 4 19:40:13 2013 GMT-8) Detector version :12.6.160121210 Policy template version :2230
Confirm your application identification package version.
[edit]user@host# run show services application-identification versionApplication package version: 1884
Verification
Confirm that the application signature package is being updated properly.
Verifying application signature package
Purpose
Verify the services application identification version.
Action
From operational mode, enter the show services
application-identification version command.
user@host> show services application-identification version
Application package version: 1884
Meaning
The sample output shows that the services application identification version is 1884.
Downloading Junos OS Application Signature Package from A Proxy Server
This example shows how to create a proxy profile and use it for downloading the application signature package from a proxy server.
Configuration
Step-by-Step Procedure
Create a proxy profile and apply it for downloading the application package through the proxy server.
Create a proxy profile for protocol HTTP.
user@host#set services proxy profile Profile-1 protocol httpSpecify the IP address of the proxy server.
user@host#set services proxy profile Profile-1 protocol http host 5.0.0.1Specify the port number used by the proxy server.
user@host#set services proxy profile Profile-1 protocol http port 3128Download the application package from the proxy host.
user@host#set services application-identification download proxy-profile Profile-1
Step-by-Step Procedure
You can disable the proxy server for downloading application signature package when not required.
Disable the proxy server for application signature download.
user@host#delete services application-identification download proxy-profile p1
Requirements
This example uses the following hardware and software components:
Valid application identification feature license installed on an SRX Series Firewall.
SRX Series Firewall with Junos OS Release 18.3R1 or later. This configuration example is tested for Junos OS Release 18.3R1.
Overview
You must download and install the application signature package that is hosted on an external server on the SRX Series Firewall. Starting from Junos OS Release 18.3R1, you can download the application signature package using a proxy server.
To enable downloading signature package from the proxy server:
Configure a profile with host and port details of the proxy server using the
set services proxy profilecommand.Use the
set services application-identification download proxy-profile profile-namecommand to connect to the proxy server and download the application signature package.
When you download the signature package, the request is routed through the proxy host to the actual server hosting the signature package. The proxy host relays the response back from the actual host. The download retrieves the application package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.
Support for the proxy profile configuration is available for only HTTP connections.
In this example, you create a proxy profile, and refer the profile when you download the application signature package from the external host. Table 1 provides the details of the parameters used in this example.
Parameter |
Name |
|---|---|
Profile Name |
Profile-1 |
IP address of the proxy server |
5.0.0.1 |
Port number of the proxy server |
3128 |
Verification
- Verifying Application Signature Download Through the Proxy Server
- Verifying Application Signature Download Status
Verifying Application Signature Download Through the Proxy Server
Purpose
Display the details for the application signature package download through a proxy server.
Action
From operational mode, enter the show services
application-identification status command.
Application Identification Status Enabled Sessions under app detection 0 Max TCP session packet memory 0 Force packet plugin Disabled Force stream plugin Disabled DPI Performance mode: Enabled Statistics collection interval 1440 (in minutes) Application System Cache Status Enabled Cache lookup security-services Enabled Cache lookup miscellaneous-services Enabled Max Number of entries in cache 131072 Cache timeout 3600 (in seconds) Protocol Bundle Download Server https://signatures.juniper.net/cgi-bin/index.cgi AutoUpdate Disabled Proxy Details Proxy Profile Profile-1 Proxy Address http://5.0.0.1:3128 Slot 1: Application package version 3058 Status Active PB Version 1.340.0-57.005 (build date Apr 19 2018) Engine version 4.20.0-91 (build date Feb 27 2018) Sessions 0
Meaning
In the command output, you can find the proxy profile
details in Proxy Profile and Proxy Address fields.
Verifying Application Signature Download Status
Purpose
Check the application package download status.
Action
From operational mode, enter the request services
application-identification download status command.
user@host> request services application-identification download statusApplication package 3058 is downloaded successfully
Meaning
The command displays the application signature package download status.
Example: Scheduling the Application Signature Package Updates
This example shows how to set up automatic updates of the predefined application signature package.
Requirements
Before you begin:
Ensure that your security device has a connection to the Internet to download security package updates.
Note:DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
Overview
In this example, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.
Configuration
Procedure
GUI Quick Configuration
To set up the automatic download and periodic update with the J-Web interface:
Step-by-Step Procedure
Enter
Configure>Security>AppSecure Settingsto display the Applications Signature page.Click
Global Settings.Click the
Download Schedulertab, and modify the following fields:URL: https://signatures.juniper.net/cgi-bin/index.cgi
Enable Schedule Update: Select the check box.
Interval: 48
Click
Reset Settingto clear the existing start time, enter the new start time in YYYY-MM-DD.hh:mm format, and clickOK.Start Time: 2019-06-30.10:00:00
Click
Commit Options>Committo commit your changes.Click
Check Statusto monitor the progress of an active download or update, or to check the outcome of the latest update.
Step-by-Step Procedure
To use the CLI to automatically update the Junos OS application signature package:
Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:
[edit] user@host# set services application-identification download url https://signatures.juniper.net/cgi-bin/index.cgi
Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 10 am on December 10:
[edit] user@host# set services application-identification download automatic interval 48 start-time 2019-06-30.10:00:00
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify that the application signature package
is being updated properly, enter the show services application-identification
version command. Review the version number and details for the
latest update.
Scheduling the Application Signature Package Updates As Part of the IDP Security Package
The configuration instructions in this example describe how to setup automatic updates of application identification signature package (part of IDP security package) at a specified date and time.
Requirements
Before you begin:
Ensure that your security device has a connection to the Internet to download security package updates.
Note:DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
Overview
In this example, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.
Configuration
Procedure
GUI Quick Configuration
To set up the automatic download and periodic update with the J-Web interface:
Step-by-Step Procedure
Enter
Configure>Security>IDP>Signature Updatesto display the Security IDP Signature Configuration page.Click
Download Settingsand modify the URL: https://signatures.juniper.net/cgi-bin/index.cgiClick the
Auto Download Settingstab, and modify the following fields:Interval: 48
Start Time: 2013-12-10.23:59:55
Enable Schedule Update: Select the check box.
Click
Reset Settingto clear the existing fields, enter the new values. ClickOK.Click
Commit Options>Committo commit your changes.Click
Check Statusto monitor the progress of an active download or update, or to check the outcome of the latest update.
Step-by-Step Procedure
To use the CLI to automatically update the Junos OS application signature package:
Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:
[edit] user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 11:55 pm on December 10, 2013:
[edit] user@host# set security idp security-package automatic interval 48 start-time 2013-12-10.23:55:55
Enable an automatic download and update of the security package.
[edit] user@host# set security idp security-package automatic enable
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
Confirm that the application signature package is being updated properly.
Verifying application signature package
Purpose
Verify services application identification version
Action
From operational mode, enter the show services
application-identification version command.
user@host> show services application-identification version
Application package version: 1884
Meaning
The sample output shows that, the services application identification version is 1884.
Example: Downloading and Installing the Application Identification Package in Chassis Cluster Mode
This example shows how to download and install the application signature package database to a device operating in chassis cluster mode.
Downloading and Installing the Application Identification Package
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.
To download and install an application package:
Download the application package on the primary node.
{primary:node0}[edit]user@host>request services application-identification downloadPlease use command "request services application-identification download status" to check status
Check the application package download status.
{primary:node0}[edit]user@host>request services application-identification download statusOn a successful download, the following message is displayed
Application package 2345 is downloaded successfully
The application package is installed in the application signature database on the primary node, and application identification files are synchronized on the primary and secondary nodes.
Update the application package using
installcommand.{primary:node0}[edit]user@host>request services application-identification installnode0: -------------------------------------------------------------------------- Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status node1: -------------------------------------------------------------------------- Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
Check the application package update status. The command output displays information about the downloaded and installed versions of the application package.
{primary:node0}[edit]user@host>request services application-identification install statusnode0: -------------------------------------------------------------------------- Install application package 2345 succeed node1: -------------------------------------------------------------------------- Install application package 2345 succeed
Note:It is possible that an application signature is removed from the new version of an application signature database. If this signature is used in an existing application firewall policy on your device, the installation of the new database will fail. An installation status message identifies the signature that is no longer valid. To update the database successfully, remove all references to the deleted signature from your existing policies and groups, and rerun the install command.
Note:While downloading the application signature package on the primary node, sometimes, due to unexpected failover, the primary node might not able to download the application signature package completely. As a workaround, you must delete the /var/db/appid/sec-download/.apppack_state and restart the device.
Step-by-Step Procedure
To uninstall an application package:
Uninstall the application package using
uninstallcommand.{primary:node0}[edit]user@host>request services application-identification uninstallnode0: -------------------------------------------------------------------------- Please use command "request services application-identification uninstall status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status node1: -------------------------------------------------------------------------- Please use command "request services application-identification uninstall status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
Check the uninstall status of the application package.
{primary:node0}[edit]user@host>request services application-identification uninstall statusnode0: -------------------------------------------------------------------------- Uninstall application package 2345 succeed node1: -------------------------------------------------------------------------- Uninstall application package 2345 succeed
Check the uninstall status of protocol bundle:
user@host>request services application-identification proto-bundle-status
Protocol Bundle Version (1.30.4-22.005 (build date Jan 17 2014)) and application secpack version (2345) is unloaded and deactivated
Requirements
Before you begin:
Set the chassis cluster node ID and cluster ID. See Example: Setting the Node ID and Cluster ID for Security Devices in a Chassis Cluster .
Ensure that your security device has a connection to the Internet to download security package updates.
Note:DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed application identification feature license.
Overview
If you use application identification, you can download the predefined application signature package database. Juniper Networks regularly updates the database and makes it available on the Juniper Networks website. This package includes application objects that can be used to match traffic in IDP, application firewall policies, and application tracking. For more details, see Understanding the Junos OS Application Package Installation.
When you download the application identification security package on a device operating in chassis cluster mode, the security package is downloaded to the primary node and then synchronized to the secondary node.
Verifying the Junos OS Application Identification Extracted Application Package
Purpose
After successful download and installation of the application package, use the following commands to view the predefined application signature package content.
Action
View the current version of the application package:
show services application-identification version
Application package version: 1608
View the current status of the application package:
show services application-identification status
pic: 1/0 Application Identification Status Enabled Sessions under app detection 0 Engine Version 4.18.1-20 (build date Jan 25 2014) Max TCP session packet memory 30000 Max C2S bytes 1024 Max S2C bytes 0 Force packet plugin Disabled Force stream plugin Disabled Statistics collection interval 1 (in minutes) Application System Cache Status Enabled Negative cache status Disabled Max Number of entries in cache 131072 Cache timeout in seconds 3600 Protocol Bundle Download Server https://signatures.juniper.net/cgi-bin/index.cgi AutoUpdate Enabled Slot 1: Status Active Version 1.30.4-22.005 (build date Jan 17 2014) Sessions 0 Slot 2 Status Free
See Also
Uninstalling the Junos OS Application Identification Application Package
You can uninstall the predefined application package. The uninstall operation will fail if there are any active security policies referenced in the predefined application signatures in the Junos OS configuration
To uninstall application package:
The application package and protocol bundle are uninstalled on the device. To reinstall application identification, you need to download application package and reinstall it again.
See Also
Application Signature Package Rollback
Starting in Junos OS Release 20.3R1, you can rollback the current version of application signature pack to the previous version by one of the following methods:
Automatic Rollback
Manual Rollback
Automatic Rollback
In case of application signature package installation failure, the system automatically rolls back to the previous version of the application signature package that is currently installed on your security device.
When you download and install the application signature package on a device operating in chassis cluster mode, if the installation fails on a node, the system rolls back to the previous version of the application signature. The device displays a minor alarm on the same node where installation fails and rollback succeeds.
Example:
user@host> show system alarms node0: -------------------------------------------------------------------------- 2 alarms currently active Alarm time Class Description 2020-07-31 14:51:52 IST Minor APPIDD auto-rollback to previous version on install failure, sigpack version on other node may differ 2020-07-31 13:23:26 IST Minor Rescue configuration is not set node1: -------------------------------------------------------------------------- 1 alarms currently active Alarm time Class Description 2020-07-31 13:23:23 IST Minor Rescue configuration is not set
Check application signature package rollback status when installation failed and the rollback completes successfully.
user@host> request services application-identification rollback status
Application package rollback to version 3297 successManual Rollback
You can manually rollback the application signature package to the previous installed version using the following steps:
Rollback the application signature package to the previous version.
user@host>request services application-identification rollback Please use command "request services application-identification rollback status" to check rollback statusCheck the rollback status.
user@host>request services application-identification rollback status Application package rollback to version 3265 success.
Note the following for manual rollback of application signature package:
-
Once you rollback application signature package version manually from version Y to version X, the scheduled auto-update of application signature package is skipped until a new version Z, which is higher than the version Y, is available.
-
You can download and install application signatures through intrusion detection and prevention (IDP) security packages. In this case, if AppID installation fails during the IDP install, AppID rolls back to the previous version and IDP installation continues with the requested version. In such cases, IDP and AppID might have different versions.
-
Application signature package installation does not proceed if there is any corruption, deletion, or modification of downloaded signature package files. In such cases, the following message is displayed:
user@host>request services application-identification install error: Checksum validation failed for downloaded files. -
When your security device does not include any previous version application signature package and you attempt to rollback application signature package, the device displays the following error message:
user@host>request services application-identification install No application package available to rollback.
Grouping Newly Added Application Signatures
Starting in Junos OS Release 21.1R1, we’ve enhanced application signature package by grouping all newly added application signatures under junos:all-new-apps group. When you download the application signature package on your security device, the entire predefined application group is downloaded and available for you to configure in security policy as shown in the below example:
user@host# set security policies from-zone untrust to-zone trust policy 1 match dynamic-application junos:all-new-apps
We’ve also introduced a list of application tags in the application signature package. You can group similar applications based on those predefined tags that are e based on application attributes. By doing so, you can consistently reuse the application groups when you define security policies.
user@host# set services application-identification application-group application-group-name tag-group tag-group-name applications-tags [web remote_access]
Example
user@host# set services application-identification application-group GROUP-1 tag-group TAG-1 application-tags [web remote_access]
user@host# set services application-identification application-group GROUP-1 tag-group TAG-2 application-tags [social_networking]
In the above example, you configure tag-based application group with tags remote-access and web and another tag group with social_networking. All the applications which are having tags as either web or remote-access and social_networking will be added to the application group.
Grouping of similar applications based on tags help you to consistently reuse the application groups when defining security policies.
Migration of New Applications to Normal Applications:
The junos:all-new-apps group contains a set of all new applications in the installed application signature pack on your security device compared to previously installed signature pack. If you decide to install a newer version of the application signature package, that version will contain a new set of applications in the junos:all-new-apps group.
You can chose to migrate the new applications to normal applications in your existing application signature package. This migration will help you to consistently maintain rules in security policy which are created specific to the new applications whenever you upgrade to newer application signature versions in future.
You can use the following new commands to move the applications tagged as new applications to normal applications:
-
To migrate only specified new applications as normal application, use the following command:
request services application-identification new-to-production applications-list [application-1 application-2]
-
To migrate all new applications as normal applications, use the following command:
request services application-identification new-to-production all
After you run these commands, application will no longer be tagged as new and
will not be part of the junos:all-new-apps group.
Application Signatures Package Enhancements
Starting in Junos OS Release 21.1R1, we've introduced the following enhancements to the application signature package:
- Support for FTP data context propagation
- Skipping of deep packet inspection (DPI) for the sessions offloaded by advanced policy-based routing (APBR) on application system cache (ASC) hit. (When only APBR service is enabled.)
- Forceful installation of the application signature pack over the same version of signature pack. See request services application identification install ignore duplicate version check
- Display of the application signature pack release date in the CLI command output. See show services application-identification version
- Display of the list of deprecated application signatures available in the installed signature pack in the CLI command output. See show services application identification application obsolete applications
When you upgrade to Junos OS Release 21.1 and later from Junos OS Release
20.4 and earlier versions, we recommend you update the application
identification signature database by using the request services
application-identifications download and request
services application-identification install commands.
Application Signatures for Application Identification Enhancements
Starting in Junos OS Release 24.2R1, we've enhanced application signature package installation:
- Application Signature Package Installation Failure
- Auto Rollback Enhancement
- Application Signature Package Installation on a Chassis Cluster Setup
Application Signature Package Installation Failure
During application signature package installation, if an error occurs, or the process unexpectedly crashes, the installation automatically stops and reverts to the previously installed version.
The system displays the following error messages when you try to check download status of the faulty application signature package:
- With specified the application signature package
version:
user@host> request services application-identification download status Requested application package 3501 failed data plane validation. Please download another version
- With out specified application signature package
version:
user@host> request services application-identification download status Downloading application package (latest) failed with error (Requested application package 3657 failed data plane validation. Please download another version)
The system displays following messages when you check application signature installation status:
-
When application package installation is completed and being validated for any defects:
user@host> request services application-identification install status Data plane validation of application package version (3698) is in progress ...
-
When trying to install application signature package which is marked as faulty:
user@host> request services application-identification install status Install Application package 3501 and Protocol bundle failed (Requested application package 3501 failed data plane validation. Please install another version)
-
When the installed application signature package is detected as faulty:
user@host> request services application-identification install status Install Application package 3656 and Protocol bundle failed ( Install Application package (3656) failed in data plane validation, auto rollback triggered)
You can see the details of the failed version using the following command:
user@host> show services application-identification version detail Application package version: 3654 Release date: Thu Nov 23 14:07:48 2023 UTC Dataplane validation failure version details: Application package version 3620 PB Version 1.550.2-43 (build date Apr 5 2023) Engine version 5.7.1-47 (build date Mar 30 2023)
For scheduled the automatic update of application signature package: While installation is in-progress, and if the installation package has any issues, the system rolls back the application signature package to the previous version. During the next auto update, the system does not continue with the problematic signature package for download and installation.
Auto Rollback Enhancement
The auto rollback feature now enables the system to revert to a previously working version of the application signature package. Additionally, it retains the previously designated rollback version in the event of any issues during application signature package installation
For example, if your device currently has application signature package version Y, and you’ve set the rollback version as X, here’s what happens during an installation attempt:
- You try to install the new version Z.
- If any issues arise during installation or if version Z fails to install, the system automatically reverts back to the current version Y.
- The previously designated rollback version X remains unchanged.
In this way, the system ensures a smooth transition by reverting to a known working version if needed.
Application Signature Package Installation on a Chassis Cluster Setup
When using a chassis cluster setup, the system first installs the application signature package on the primary node and checks for any issues or problems.
Application signature package installation starts immediately on the primary node. During installation, the secondary node waits for the primary node to complete the validation of the installation package. If the validation is successful, then the system proceeds to install the same package on the secondary node, otherwise, it skips the installation.
You can check the installation status using the following command:
user@host> request services application-identification install status node0: -------------------------------------------------------------------------- Checking compatibility of application package version 3577 ... node1: -------------------------------------------------------------------------- Waiting for primary node to finish installation and validation of the application package ...
If the installation fails on the primary node, then rollback happens only on the primary node. Similarly if the installation fails on the secondary node, then rollback is triggered on secondary node only.
When the installation fails, system displays following messages:
Primary Node
user@host> request services application-identification install status Install Application package 3450 and Protocol bundle failed ( Install Application package (3450) failed in data plane validation, auto rollback triggered)
Secondary Node
user@host> request services application-identification install status Application package(3420) installation was skipped due to failure in the master RE installation
When a node changes from primary state to the secondary state while installation is in-progress on the primary node, then the system displays the following message:
Primary Node
user@host> request services application-identification install status
Install Application package 3440 and Protocol bundle failed ( Install Application package (3440) failed due to changes in the master ship of the cluster)Secondary Node
user@host> request services application-identification install status
Application package (3320) installation was skipped due to changes in the master ship of the clusterIf the primary system can not update the secondary node within time (approximately 35 minutes) due to unexpected issues, the installation process on the secondary system will be canceled.
user@host> request services application-identification install status Application package(3600) installation was skipped due to master RE did not respond within the timeout
Once the primary node completes the installation and validation, the system initiates the installation on the secondary node. In case change in the primary and secondary roles due to a failover, then the previous-secondary node (now primary) continues to install the signature package.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.