Predefined Application Signatures for Application Identification
A predefined application signature package is a dynamically loadable module that provides application classification functionality and associated protocol attributes. It is hosted on an external server and can be downloaded as a package and installed on the device. For more information, see the following topics:
Understanding the Junos OS Application Package Installation
Juniper Networks regularly updates the predefined application signature package database and makes it available to subscribers on the Juniper Networks website. This package includes signature definitions of known application objects that can be used to identify applications for tracking, firewall policies, quality-of-service prioritization, and Intrusion Detection and Prevention (IDP). The database contains application objects such as FTP, DNS, Facebook, Kazaa, and many instant messenger programs.
You need to download and install the application signature package before configuring application services. If IDP is installed, the application signature package is included directly in the IDP security package and does not need to be downloaded separately.
If you have IDP enabled and plan to use application identification, you can continue to run the IDP signature database download. To download the IDP signature database, run the following command:
request security idp security-package download
The application package download can be performed manually or automatically. See Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package.
Note: If you have an IDP-enabled device and plan to use application identification, we recommend that you download only the IDP signature database. This avoids having two versions of the application database, which could become out of sync.
If you do not have IDP enabled and plan to use application identification, run the following commands:
request services application-identification download
request services application-identification install
These commands download the application signature database and install it on the device. You can perform the download manually or automatically. When you download the extracted package manually, you can change the download URL.
After downloading and installing the application signature package, use CLI commands to download and install database updates, and view summary and detailed application information.
See Downloading and Installing the Junos OS Application Signature Package Manually or Example: Scheduling the Application Signature Package Updates.
Note: The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content but you cannot update the data.
Note: Starting from Junos OS Release 15.1X49-D50 and Junos OS Release 17.3, when you upgrade or downgrade an application signature package, an error message is displayed if application IDs (the unique ID number of an application signature) do not match between the protocol bundles and those applications are configured in AppFW and AppQoS rules.
Example:
Please resolve following references and try it again [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:CCPROXY]
As a workaround, disable the AppFW and AppQoS rules before upgrading or downgrading an application signature package. You can reenable AppFW and AppQoS rules once the upgrade or downgrade procedure is complete.
Note: On all security devices, the J-Web pages for AppSecure services are preliminary. We recommend using the CLI to configure AppSecure features.
This feature requires a license. For general information about license management for the Junos OS application signature package, refer to the Juniper Licensing Guide. Refer to the product data sheets at SRX Series Services Gateways for details, or contact your Juniper account team or Juniper partner.
Upgrading to Next-Generation Application Identification
Starting from Junos OS Release 12.1X47-D10, next-generation application identification is supported. You must install Junos OS Release 12.1X47-D10 to migrate from existing, or legacy, application identification to next-generation application identification.
Security devices installed with Junos OS builds with legacy application identification include legacy application identification security packages. When you upgrade these devices with Junos OS Release 12.1X47-D10, the next-generation application identification security package is installed along with the default protocol bundle. The device is automatically upgraded to next-generation application identification.
The next-generation application identification security package introduces incremental updates to the legacy application identification package. You are not required to remove or uninstall any existing applications.
Applications supported in previous releases (Junos OS Release 12.1X46 or prior) might have new aliases or alternative names in the new version. Existing configurations that use such applications continue to work in Junos OS Release 12.1X47; however, related logs and other information use the new name. You can use the show services application-identification application detail new-application-name command to get the details of the applications.
When you upgrade Junos OS, you can include the validate or no-validate options with the request system software add command. Because the existing features that are not part of next-generation application identification are deprecated, incompatibility issues are not seen.
Next-generation application identification eliminates the generation of new nested applications and treats existing nested applications as normal applications. In addition, next-generation application identification does not support custom applications or custom application groups. Existing configurations involving any nested applications, custom applications, or custom application groups are ignored with warning messages.
Installing and Verifying Licenses for an Application Signature Package
The Junos OS application signature package update is a separately licensed subscription service. You must install the application signature package update license key on your device to download and install the signature database updates provided by Juniper Networks. If your license key expires, you can continue to use the locally stored application signature package content.
Licensing is usually ordered when the device is purchased, and this information is bound to the chassis serial number. These instructions assume that you already have the license. If you did not order the license during the purchase of the device, contact your account team or Juniper customer care for assistance. For more information, refer to the Knowledge Base article KB9731 at https://kb.juniper.net/InfoCenter/index?page=home.
Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX1500 devices, AppSecure is part of the Junos Software Enhanced (JSE) software license package. No separate license key for AppSecure is available. You must use the JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.
Starting from Junos OS 15.1X49-D30 and Junos OS Release 17.3R1, on SRX300, SRX320, SRX340, and SRX345 devices, AppSecure is part of the Junos Software Enhanced (JSE) software license package. No separate license key for AppSecure is available. You must use the JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.
Starting from 15.1X49-D65 and Junos OS Release 17.3R1, on SRX4100 and SRX4200 devices, AppSecure is part of the Junos Software Enhanced (JSE) license package. No separate license key for AppSecure is available. You must use the JSE software license on your device to download and install the AppID signature database updates, or to use other AppSecure features such as AppFW, AppQoS, and AppTrack.
The Junos Software Base (JSB) package does not include application signatures. Refer to the product data sheets at SRX Series Services Gateways for details, or contact your Juniper account team or Juniper partner.
You can install the license on the SRX Series Firewall using either the automatic method or the manual method, as follows:
Install your license automatically on the device.
To install or update your license automatically, your device must be connected to the Internet.
user@host> request system license update
Trying to update license keys from https://ae1.juniper.net, use 'show system license' to check status.
Install the licenses manually on the device.
user@host> request system license add terminal
[Type ^D at a new line to end input, enter blank line between each license key]
Paste the license key and press Enter to continue.
Verify the license is installed on your device.
Use the show system license command to view license usage, as shown in the following example:
user@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  logical-system                        4            1           3    permanent

License identifier: JUNOSXXXXXX
License version: 2
Valid for device: AA4XXXX005
Features:
  appid-sig - APPID Signature
    date-based, 2014-02-17 08:00:00 GMT-8 - 2015-02-11 08:00:00 GMT-8
The output sample is truncated to display only license usage details.
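As an added example that is not part of the Juniper documentation, the following Python parser reads show system license output in the layout shown above and reports whether the appid-sig subscription is inside its date-based validity window (so signature updates can still be installed) and which features show a license shortfall. The sample output, the function names and the ISO 8601 handling of the check time are assumptions made here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of 'show system license' output, laid out like the page's
# truncated example (same feature, device identifier and validity window).
SAMPLE_LICENSE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  logical-system                        4            1           3    permanent

License identifier: JUNOSXXXXXX
License version: 2
Valid for device: AA4XXXX005
Features:
  appid-sig - APPID Signature
    date-based, 2014-02-17 08:00:00 GMT-8 - 2015-02-11 08:00:00 GMT-8
"""

# One row of the 'License usage' table: name, used, installed, needed, expiry.
USAGE_ROW_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# A feature line under 'Features:', e.g. '  appid-sig - APPID Signature'.
FEATURE_RE = re.compile(r"^\s+([\w-]+)\s+-\s+(.+?)\s*$")
# A date-based validity window written with Junos-style 'GMT-8' offsets.
WINDOW_RE = re.compile(
    r"date-based,\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT([+-]\d+)"
    r"\s+-\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT([+-]\d+)"
)


def _to_utc(stamp, offset_hours):
    """Turn '2014-02-17 08:00:00' plus a GMT offset into an aware UTC datetime."""
    tz = timezone(timedelta(hours=int(offset_hours)))
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def parse_license_output(text):
    """Return {'usage': {feature: row}, 'windows': {feature: (start, end)}}."""
    usage, windows = {}, {}
    in_usage, current = False, None
    for line in text.splitlines():
        if line.startswith("License usage:"):
            in_usage = True
            continue
        if not line.strip():
            in_usage = False  # a blank line ends the usage table
            continue
        if in_usage:
            m = USAGE_ROW_RE.match(line)
            if m:  # the two header lines carry no digits and are skipped
                usage[m.group(1)] = {"used": int(m.group(2)), "installed": int(m.group(3)),
                                     "needed": int(m.group(4)), "expiry": m.group(5)}
            continue
        w = WINDOW_RE.search(line)
        if w and current:
            windows[current] = (_to_utc(w.group(1), w.group(2)), _to_utc(w.group(3), w.group(4)))
            continue
        f = FEATURE_RE.match(line)
        if f:
            current = f.group(1)  # subsequent window lines belong to this feature
    return {"usage": usage, "windows": windows}


def appid_signature_license_state(text, now=None):
    """Classify the appid-sig license as 'missing', 'not-yet-valid', 'valid' or 'expired'.

    'now' is an aware datetime or an ISO 8601 string such as '2014-06-01T00:00:00+00:00'.
    Returns (state, days): days left until expiry while valid, days since expiry once expired.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    window = parse_license_output(text)["windows"].get("appid-sig")
    if window is None:
        return ("missing", None)
    start, end = window
    if now < start:
        return ("not-yet-valid", (end - now).days)
    if now > end:
        return ("expired", (now - end).days)
    return ("valid", (end - now).days)


def license_shortfalls(text):
    """Names of features for which the usage table reports licenses still needed."""
    usage = parse_license_output(text)["usage"]
    return sorted(name for name, row in usage.items() if row["needed"] > 0)
```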
Downloading and Installing the Junos OS Application Signature Package Manually
This example shows how to download the application signature package, create a policy, and identify it as the active policy.
Requirements
Before you begin:
Ensure that your security device has a connection to the Internet to download security package updates.
Note: DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
This example uses the following hardware and software components:
An SRX Series device
Junos OS Release 12.1X47-D10
Overview
Juniper Networks regularly updates the predefined application signature package database and makes it available on the Juniper Networks website. This package includes application objects that can be used in Intrusion Detection and Prevention (IDP), application firewall policy, and AppTrack to match traffic.
Configuration
CLI Quick Configuration
CLI quick configuration is not available for this example because manual intervention is required during the configuration.
Downloading and Installing Application Identification
Step-by-Step Procedure
Download the application package.
user@host> request services application-identification download
Please use command "request services application-identification download status" to check status
Download retrieves the application package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.
You can also download a specific version of the application package or download the application package from the specific location by using the following options:
To download a specific version of the application package:
user@host> request services application-identification download version version-number
To change the download URL for the application package from configuration mode:
[edit]
user@host# set services application-identification download url URL-or-file-path
Note: If you change the download URL and you want to keep that change, make sure you commit the configuration.
Check the download status.
user@host> request services application-identification download status
Application package 2345 is downloaded successfully
Note: You can also use the system log to view the result of the download. Starting in Junos OS Release 20.4R1, system log messages are updated to display the application signature package download and installation results.
Install the application package.
user@host> request services application-identification install
Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
The application package is installed in the application signature database on the device.
Check the installation status of the application package.
The command output displays information about the downloaded and installed versions of the application package and protocol bundle.
To view the installation status:
user@host> request services application-identification install status
Install application package 2345 succeed
To view the protocol bundle status:
user@host> request services application-identification proto-bundle-status
Protocol Bundle Version (1.30.4-22.005 (build date Jan 17 2014)) and application secpack version (2345) is loaded and activated.
Note: It is possible that an application signature was removed from the newer version of an application signature database. If this signature is used in an existing application firewall policy on your device, the installation of the new database will fail. An installation status message identifies the signature that is no longer valid. To update the database successfully, remove all references to the deleted signature from your existing policies and groups, and rerun the install command.
Verification
Confirm that the configuration is working properly.
Verifying the Application Identification Status
Purpose
Verify that the application identification configuration is working properly.
Action
From operational mode, enter the show services application-identification status command.
user@host> show services application-identification status
pic: 1/0
Application Identification Status          Enabled
Sessions under app detection               0
Engine Version                             4.18.1-20 (build date Jan 25 2014)
Max TCP session packet memory              30000
Max C2S bytes                              1024
Max S2C bytes                              0
Force packet plugin                        Disabled
Force stream plugin                        Disabled
Statistics collection interval             1 (in minutes)
Application System Cache
  Status                                   Enabled
  Negative cache status                    Disabled
  Max Number of entries in cache           131072
  Cache timeout in seconds                 3600
Protocol Bundle
  Download Server                          https://signatures.juniper.net/cgi-bin/index.cgi
  AutoUpdate                               Enabled
  Slot 1:
    Status                                 Active
    Version                                1.30.4-22.005 (build date Jan 17 2014)
    Sessions                               0
  Slot 2
    Status                                 Free
Meaning
The Status: Enabled field shows that application identification is enabled on the device.
Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package
You can download and install application signatures through intrusion detection and prevention (IDP) security packages.
This example shows how to enhance security by downloading and installing the IDP signatures and application signature package. In this case, both IDP signature pack and application signature pack are downloaded with a single command.
Requirements
Before you begin:
Ensure that your SRX Series Firewall has a connection to the Internet to download security package updates.
Note: DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
This example uses the following hardware and software components:
An SRX Series Firewall
Junos OS Release 12.1X47-D10
Overview
In this example, you download and install the signature database from the Juniper Networks website.
Configuration
Downloading and Installing the Signature Database
CLI Quick Configuration
CLI quick configuration is not available for this example because manual intervention is required during the configuration.
Step-by-Step Procedure
To download and install application signatures:
Download the signature database.
[edit]
user@host# run request security idp security-package download
Will be processed in async mode. Check the status using the status checking CLI
Note: Downloading the database might take some time depending on the database size and the speed of your Internet connection.
Check the security package download status.
[edit]
user@host# run request security idp security-package download status
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:2230(Mon Feb 4 19:40:13 2013 GMT-8, Detector=12.6.160121210)
Install the attack database.
[edit]
user@host# run request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
Note: Installing the attack database might take some time depending on the security database size.
Check the attack database install status. The command output displays information about the downloaded and installed versions of the attack database.
[edit]
user@host# run request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=2230,ExportDate=Mon Feb 4 19:40:13 2013 GMT-8,Detector=12.6.160121210]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful
Confirm your IDP security package version.
[edit]
user@host# run show security idp security-package-version
Attack database version:2230(Mon Feb 4 19:40:13 2013 GMT-8)
Detector version :12.6.160121210
Policy template version :2230
Confirm your application identification package version.
[edit]
user@host# run show services application-identification version
Application package version: 1884
Verification
Confirm that the application signature package is being updated properly.
Verifying application signature package
Purpose
Verify the services application identification version.
Action
From operational mode, enter the show services application-identification version command.
user@host> show services application-identification version
Application package version: 1884
Meaning
The sample output shows that the services application identification version is 1884.
Downloading Junos OS Application Signature Package from A Proxy Server
This example shows how to create a proxy profile and use it for downloading the application signature package from a proxy server.
Configuration
Step-by-Step Procedure
Create a proxy profile and apply it for downloading the application package through the proxy server.
Create a proxy profile for protocol HTTP.
user@host# set services proxy profile Profile-1 protocol http
Specify the IP address of the proxy server.
user@host# set services proxy profile Profile-1 protocol http host 5.0.0.1
Specify the port number used by the proxy server.
user@host# set services proxy profile Profile-1 protocol http port 3128
Download the application package from the proxy host.
user@host# set services application-identification download proxy-profile Profile-1
Step-by-Step Procedure
You can disable the proxy server for downloading the application signature package when it is not required.
Disable the proxy server for application signature download, referencing the same profile name that was applied above.
user@host# delete services application-identification download proxy-profile Profile-1
Requirements
This example uses the following hardware and software components:
Valid application identification feature license installed on an SRX Series Firewall.
SRX Series Firewall with Junos OS Release 18.3R1 or later. This configuration example is tested for Junos OS Release 18.3R1.
Overview
You must download and install the application signature package that is hosted on an external server on the SRX Series Firewall. Starting from Junos OS Release 18.3R1, you can download the application signature package using a proxy server.
To enable downloading the signature package from the proxy server:
Configure a profile with the host and port details of the proxy server using the set services proxy profile command.
Use the set services application-identification download proxy-profile profile-name command to connect to the proxy server and download the application signature package.
When you download the signature package, the request is routed through the proxy host to the actual server hosting the signature package. The proxy host relays the response back from the actual host. The download retrieves the application package from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.
Support for the proxy profile configuration is available for only HTTP connections.
In this example, you create a proxy profile, and refer to the profile when you download the application signature package from the external host. Table 1 provides the details of the parameters used in this example.
Parameter | Name
---|---
Profile Name | Profile-1
IP address of the proxy server | 5.0.0.1
Port number of the proxy server | 3128
Verification
- Verifying Application Signature Download Through the Proxy Server
- Verifying Application Signature Download Status
Verifying Application Signature Download Through the Proxy Server
Purpose
Display the details for the application signature package download through a proxy server.
Action
From operational mode, enter the show services application-identification status command.
user@host> show services application-identification status
Application Identification Status          Enabled
Sessions under app detection               0
Max TCP session packet memory              0
Force packet plugin                        Disabled
Force stream plugin                        Disabled
DPI Performance mode:                      Enabled
Statistics collection interval             1440 (in minutes)
Application System Cache
  Status                                   Enabled
  Cache lookup security-services           Enabled
  Cache lookup miscellaneous-services      Enabled
  Max Number of entries in cache           131072
  Cache timeout                            3600 (in seconds)
Protocol Bundle
  Download Server                          https://signatures.juniper.net/cgi-bin/index.cgi
  AutoUpdate                               Disabled
  Proxy Details
    Proxy Profile                          Profile-1
    Proxy Address                          http://5.0.0.1:3128
  Slot 1:
    Application package version            3058
    Status                                 Active
    PB Version                             1.340.0-57.005 (build date Apr 19 2018)
    Engine version                         4.20.0-91 (build date Feb 27 2018)
    Sessions                               0
Meaning
In the command output, you can find the proxy profile details in the Proxy Profile and Proxy Address fields.
Verifying Application Signature Download Status
Purpose
Check the application package download status.
Action
From operational mode, enter the request services application-identification download status command.
user@host> request services application-identification download status
Application package 3058 is downloaded successfully
Meaning
The command displays the application signature package download status.
Example: Scheduling the Application Signature Package Updates
This example shows how to set up automatic updates of the predefined application signature package.
Requirements
Before you begin:
Ensure that your security device has a connection to the Internet to download security package updates.
Note: DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
Overview
In this example, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.
Configuration
Procedure
GUI Quick Configuration
To set up the automatic download and periodic update with the J-Web interface:
Step-by-Step Procedure
Enter Configure>Security>AppSecure Settings to display the Applications Signature page.
Click Global Settings.
Click the Download Scheduler tab, and modify the following fields:
URL: https://signatures.juniper.net/cgi-bin/index.cgi
Enable Schedule Update: Select the check box.
Interval: 48
Click Reset Setting to clear the existing start time, enter the new start time in YYYY-MM-DD.hh:mm format, and click OK.
Start Time: 2019-06-30.10:00:00
Click Commit Options>Commit to commit your changes.
Click Check Status to monitor the progress of an active download or update, or to check the outcome of the latest update.
Step-by-Step Procedure
To use the CLI to automatically update the Junos OS application signature package:
Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:
[edit]
user@host# set services application-identification download url https://signatures.juniper.net/cgi-bin/index.cgi
Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 10 am on December 10:
[edit]
user@host# set services application-identification download automatic interval 48 start-time 2019-06-30.10:00:00
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify that the application signature package is being updated properly, enter the show services application-identification version command. Review the version number and details for the latest update.
Scheduling the Application Signature Package Updates As Part of the IDP Security Package
The configuration instructions in this example describe how to set up automatic updates of the application identification signature package (part of the IDP security package) at a specified date and time.
Requirements
Before you begin:
Ensure that your security device has a connection to the Internet to download security package updates.
Note: DNS must be set up because you need to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
Overview
In this example, you want to download the current version of the application signature package periodically. The download should start at 11:59 PM on December 10. To maintain the most current information, you want to update the package automatically every 2 days from your company’s intranet site.
Configuration
Procedure
GUI Quick Configuration
To set up the automatic download and periodic update with the J-Web interface:
Step-by-Step Procedure
Enter Configure>Security>IDP>Signature Updates to display the Security IDP Signature Configuration page.
Click Download Settings and modify the URL: https://signatures.juniper.net/cgi-bin/index.cgi
Click the Auto Download Settings tab, and modify the following fields:
Interval: 48
Start Time: 2013-12-10.23:59:55
Enable Schedule Update: Select the check box.
Click Reset Setting to clear the existing fields, and enter the new values. Click OK.
Click Commit Options>Commit to commit your changes.
Click Check Status to monitor the progress of an active download or update, or to check the outcome of the latest update.
Step-by-Step Procedure
To use the CLI to automatically update the Junos OS application signature package:
Specify the URL for the security package. The security package includes the detector and the latest attack objects and groups. The following statement specifies https://signatures.juniper.net/cgi-bin/index.cgi as the URL for downloading signature database updates:
[edit]
user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
Specify the time and interval for download. The following statement sets the interval as 48 hours and the start time as 11:55 pm on December 10, 2013:
[edit]
user@host# set security idp security-package automatic interval 48 start-time 2013-12-10.23:55:55
Enable an automatic download and update of the security package.
[edit]
user@host# set security idp security-package automatic enable
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
Confirm that the application signature package is being updated properly.
Verifying application signature package
Purpose
Verify the services application identification version.
Action
From operational mode, enter the show services application-identification version command.
user@host> show services application-identification version
Application package version: 1884
Meaning
The sample output shows that the services application identification version is 1884.
Example: Downloading and Installing the Application Identification Package in Chassis Cluster Mode
This example shows how to download and install the application signature package database to a device operating in chassis cluster mode.
Downloading and Installing the Application Identification Package
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.
To download and install an application package:
Download the application package on the primary node.
{primary:node0}[edit]
user@host> request services application-identification download
Please use command "request services application-identification download status" to check status
Check the application package download status.
{primary:node0}[edit]
user@host> request services application-identification download status
On a successful download, the following message is displayed:
Application package 2345 is downloaded successfully
The application package is installed in the application signature database on the primary node, and application identification files are synchronized on the primary and secondary nodes.
Update the application package using the install command.
{primary:node0}[edit]
user@host> request services application-identification install
node0:
--------------------------------------------------------------------------
Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
node1:
--------------------------------------------------------------------------
Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
Check the application package update status. The command output displays information about the downloaded and installed versions of the application package.
{primary:node0}[edit]
user@host> request services application-identification install status
node0:
--------------------------------------------------------------------------
Install application package 2345 succeed
node1:
--------------------------------------------------------------------------
Install application package 2345 succeed
Note: It is possible that an application signature is removed from the new version of an application signature database. If this signature is used in an existing application firewall policy on your device, the installation of the new database will fail. An installation status message identifies the signature that is no longer valid. To update the database successfully, remove all references to the deleted signature from your existing policies and groups, and rerun the install command.
Note: While downloading the application signature package on the primary node, an unexpected failover can sometimes leave the primary node unable to download the application signature package completely. As a workaround, you must delete the /var/db/appid/sec-download/.apppack_state file and restart the device.
Step-by-Step Procedure
To uninstall an application package:
Uninstall the application package using the uninstall command.
{primary:node0}[edit]
user@host> request services application-identification uninstall
node0:
--------------------------------------------------------------------------
Please use command "request services application-identification uninstall status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
node1:
--------------------------------------------------------------------------
Please use command "request services application-identification uninstall status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
Check the uninstall status of the application package.
{primary:node0}[edit]
user@host> request services application-identification uninstall status
node0:
--------------------------------------------------------------------------
Uninstall application package 2345 succeed
node1:
--------------------------------------------------------------------------
Uninstall application package 2345 succeed
Check the uninstall status of the protocol bundle:
user@host> request services application-identification proto-bundle-status
Protocol Bundle Version (1.30.4-22.005 (build date Jan 17 2014)) and application secpack version (2345) is unloaded and deactivated
Requirements
Before you begin:
Set the chassis cluster node ID and cluster ID. See Example: Setting the Node ID and Cluster ID for Security Devices in a Chassis Cluster.
Ensure that your security device has a connection to the Internet to download security package updates.
Note: DNS must be set up because the device needs to resolve the name of the update server.
Ensure that you have installed the application identification feature license.
Overview
If you use application identification, you can download the predefined application signature package database. Juniper Networks regularly updates the database and makes it available on the Juniper Networks website. This package includes application objects that can be used to match traffic in IDP, application firewall policies, and application tracking. For more details, see Understanding the Junos OS Application Package Installation.
When you download the application identification security package on a device operating in chassis cluster mode, the security package is downloaded to the primary node and then synchronized to the secondary node.
Verifying the Junos OS Application Identification Extracted Application Package
Purpose
After successful download and installation of the application package, use the following commands to view the predefined application signature package content.
Action
View the current version of the application package:
user@host> show services application-identification version
Application package version: 1608
View the current status of the application package:
user@host> show services application-identification status
pic: 1/0
Application Identification
  Status                              Enabled
  Sessions under app detection        0
  Engine Version                      4.18.1-20 (build date Jan 25 2014)
  Max TCP session packet memory       30000
  Max C2S bytes                       1024
  Max S2C bytes                       0
  Force packet plugin                 Disabled
  Force stream plugin                 Disabled
  Statistics collection interval      1 (in minutes)
Application System Cache
  Status                              Enabled
  Negative cache status               Disabled
  Max Number of entries in cache      131072
  Cache timeout in seconds            3600
Protocol Bundle
  Download Server                     https://signatures.juniper.net/cgi-bin/index.cgi
  AutoUpdate                          Enabled
  Slot 1:
    Status                            Active
    Version                           1.30.4-22.005 (build date Jan 17 2014)
    Sessions                          0
  Slot 2
    Status                            Free
Uninstalling the Junos OS Application Identification Application Package
You can uninstall the predefined application package. The uninstall operation fails if any active security policy in the Junos OS configuration references the predefined application signatures.
To uninstall the application package:
The application package and protocol bundle are uninstalled from the device. To use application identification again, download the application package and install it again.
Application Signature Package Rollback
Starting in Junos OS Release 20.3R1, you can roll back the current version of the application signature package to the previous version by one of the following methods:
- Automatic Rollback
- Manual Rollback
Automatic Rollback
If installation of an application signature package fails, the system automatically rolls back to the previous version of the application signature package that is installed on your security device.
When you download and install the application signature package on a device operating in chassis cluster mode and the installation fails on a node, the system rolls back to the previous version of the application signature package on that node. The device raises a minor alarm on the node where the installation failed and the rollback succeeded.
Example:
user@host> show system alarms
node0:
--------------------------------------------------------------------------
2 alarms currently active
Alarm time               Class  Description
2020-07-31 14:51:52 IST  Minor  APPIDD auto-rollback to previous version on install failure, sigpack version on other node may differ
2020-07-31 13:23:26 IST  Minor  Rescue configuration is not set
node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time               Class  Description
2020-07-31 13:23:23 IST  Minor  Rescue configuration is not set
Check the rollback status of the application signature package after an installation has failed and the rollback has completed successfully.
user@host> request services application-identification rollback status
Application package rollback to version 3297 success
Manual Rollback
You can manually roll back the application signature package to the previously installed version using the following steps:
Roll back the application signature package to the previous version.
user@host> request services application-identification rollback
Please use command "request services application-identification rollback status" to check rollback status
Check the rollback status.
user@host> request services application-identification rollback status
Application package rollback to version 3265 success.
Note the following for manual rollback of an application signature package:
- Once you manually roll back the application signature package from version Y to version X, the scheduled auto-update of the application signature package is skipped until a new version Z, higher than version Y, is available.
- You can download and install application signatures through intrusion detection and prevention (IDP) security packages. In this case, if the AppID installation fails during the IDP install, AppID rolls back to the previous version and the IDP installation continues with the requested version. In such cases, IDP and AppID might have different versions.
- Application signature package installation does not proceed if any of the downloaded signature package files are corrupted, deleted, or modified. In such cases, the following message is displayed:
user@host> request services application-identification install
error: Checksum validation failed for downloaded files.
- When your security device has no previous version of the application signature package and you attempt to roll back the application signature package, the device displays the following error message:
user@host> request services application-identification install
No application package available to rollback.
Grouping Newly Added Application Signatures
Starting in Junos OS Release 21.1R1, we've enhanced the application signature package by grouping all newly added application signatures under the junos:all-new-apps group. When you download the application signature package on your security device, the entire predefined application group is downloaded and available for you to configure in a security policy, as shown in the example below:
user@host# set security policies from-zone untrust to-zone trust policy 1 match dynamic-application junos:all-new-apps
We’ve also introduced a list of application tags in the application signature package. You can group similar applications on those predefined tags that are based on application attributes. By doing so, you can consistently reuse the application groups when you define security policies.
user@host# set services application-identification application-group application-group-name tag-group tag-group-name applications-tags [web remote_access]
Example
user@host# set services application-identification application-group GROUP-1 tag-group TAG-1 application-tags [web remote_access]
user@host# set services application-identification application-group GROUP-1 tag-group TAG-2 application-tags [social_networking]
In the above example, you configure a tag-based application group with the tags remote_access and web, and another tag group with social_networking. All applications that are tagged as either web or remote_access, and as social_networking, are added to the application group.
Grouping similar applications based on tags helps you reuse the application groups consistently when defining security policies.
Migration of New Applications to Normal Applications:
The junos:all-new-apps group contains a set of all new applications in the installed application signature pack on your security device compared to previously installed signature pack. If you decide to install a newer version of the application signature package, that version will contain a new set of applications in the junos:all-new-apps group.
You can choose to migrate the new applications to normal applications in your existing application signature package. This migration helps you maintain security policy rules that were written specifically for the new applications consistently whenever you upgrade to a newer application signature version in the future.
You can use the following new commands to move the applications tagged as new applications to normal applications:
-
To migrate only specified new applications as normal application, use the following command:
request services application-identification new-to-production applications-list [application-1 application-2]
-
To migrate all new applications as normal applications, use the following command:
request services application-identification new-to-production all
After you run these commands, the applications are no longer tagged as new and are no longer part of the junos:all-new-apps group.
Application Signatures Package Enhancements
Starting in Junos OS Release 21.1R1, we've introduced the following enhancements to the application signature package:
- Support for FTP data context propagation
- Skipping of deep packet inspection (DPI) for the sessions offloaded by advanced policy-based routing (APBR) on application system cache (ASC) hit. (When only APBR service is enabled.)
- Forceful installation of the application signature pack over the same version of signature pack. See request services application identification install ignore duplicate version check
- Display of the application signature pack release date in the CLI command output. See show services application-identification version
- Display of the list of deprecated application signatures available in the installed signature pack in the CLI command output. See show services application identification application obsolete applications
When you upgrade to Junos OS Release 21.1 or later from Junos OS Release 20.4 or an earlier release, we recommend that you update the application identification signature database by using the request services application-identification download and request services application-identification install commands.
Application Signatures Package Installation Enhancements
Starting in Junos OS Release 24.2R1, we've enhanced application signature package installation:
- Application Signature Package Installation Failure
- Auto Rollback Enhancement
- Application Signature Package Installation on a Chassis Cluster Setup
Application Signature Package Installation Failure
During application signature package installation, if an error occurs, or the process unexpectedly crashes, the installation automatically stops and reverts to the previously installed version.
The system displays the following error messages when you check the download status of a faulty application signature package:
- With the application signature package version specified:
user@host> request services application-identification download status
Requested application package 3501 failed data plane validation. Please download another version
- Without a specified application signature package version:
user@host> request services application-identification download status
Downloading application package (latest) failed with error (Requested application package 3657 failed data plane validation. Please download another version)
The system displays the following messages when you check the application signature installation status:
- When the application package installation is complete and is being validated for defects:
user@host> request services application-identification install status
Data plane validation of application package version (3698) is in progress ...
- When you try to install an application signature package that is marked as faulty:
user@host> request services application-identification install status
Install Application package 3501 and Protocol bundle failed (Requested application package 3501 failed data plane validation. Please install another version)
- When the installed application signature package is detected as faulty:
user@host> request services application-identification install status
Install Application package 3656 and Protocol bundle failed ( Install Application package (3656) failed in data plane validation, auto rollback triggered)
You can see the details of the failed version using the following command:
user@host> show services application-identification version detail
Application package version: 3654
Release date: Thu Nov 23 14:07:48 2023 UTC
Dataplane validation failure version details:
  Application package version 3620
  PB Version 1.550.2-43 (build date Apr 5 2023)
  Engine version 5.7.1-47 (build date Mar 30 2023)
For scheduled automatic updates of the application signature package: if the package being installed has any issues while the installation is in progress, the system rolls back the application signature package to the previous version. During the next automatic update, the system does not download or install the problematic signature package again.
Auto Rollback Enhancement
The auto rollback feature now enables the system to revert to a previously working version of the application signature package. Additionally, it retains the previously designated rollback version if any issue occurs during application signature package installation.
For example, if your device currently has application signature package version Y, and you’ve set the rollback version as X, here’s what happens during an installation attempt:
- You try to install the new version Z.
- If any issues arise during installation or if version Z fails to install, the system automatically reverts back to the current version Y.
- The previously designated rollback version X remains unchanged.
In this way, the system ensures a smooth transition by reverting to a known working version if needed.
Application Signature Package Installation on a Chassis Cluster Setup
When using a chassis cluster setup, the system first installs the application signature package on the primary node and checks for any issues or problems.
Application signature package installation starts immediately on the primary node. During installation, the secondary node waits for the primary node to complete the validation of the installation package. If the validation is successful, then the system proceeds to install the same package on the secondary node, otherwise, it skips the installation.
You can check the installation status using the following command:
user@host> request services application-identification install status
node0:
--------------------------------------------------------------------------
Checking compatibility of application package version 3577 ...
node1:
--------------------------------------------------------------------------
Waiting for primary node to finish installation and validation of the application package ...
If the installation fails on the primary node, the rollback happens only on the primary node. Similarly, if the installation fails on the secondary node, the rollback is triggered only on the secondary node.
When the installation fails, the system displays the following messages:
Primary Node
user@host> request services application-identification install status
Install Application package 3450 and Protocol bundle failed ( Install Application package (3450) failed in data plane validation, auto rollback triggered)
Secondary Node
user@host> request services application-identification install status
Application package(3420) installation was skipped due to failure in the master RE installation
When a node changes from primary state to the secondary state while installation is in-progress on the primary node, then the system displays the following message:
Primary Node
user@host> request services application-identification install status
Install Application package 3440 and Protocol bundle failed ( Install Application package (3440) failed due to changes in the master ship of the cluster)
Secondary Node
user@host> request services application-identification install status
Application package (3320) installation was skipped due to changes in the master ship of the cluster
If the primary node cannot update the secondary node within the time limit (approximately 35 minutes) because of unexpected issues, the installation process on the secondary node is canceled.
user@host> request services application-identification install status
Application package(3600) installation was skipped due to master RE did not respond within the timeout
Once the primary node completes the installation and validation, the system initiates the installation on the secondary node. If the primary and secondary roles change because of a failover, the previous secondary node (now primary) continues to install the signature package.
Application Signatures Package Major and Minor Versions
Starting in Junos OS Release 24.4R1, we've enhanced application signature package installation with the following features:
- Installation Status to the Signature Package Server
- Major and Minor Signature Package
- Downloading Minor-Only Signature Package
- Downgrading Application Signature Package Version
- Offline Application Identification (AppID) Update
- Syslog Message for Deprecated Applications
- List Deprecated Application Groups
Installation Status to the Signature Package Server
Application signature engine sends the status to the signature package server for installation success or failure. During application signature package installation, if errors are found in the package, installation stops and reverts to the previous active version and status is sent to the server. If multiple devices report a faulty application signature package, the server analyzes this data, marks the package as invalid, and prevents future downloads.
Marking a signature package as invalid is available only for the major signature package.
A signature package marked as invalid is withheld from future downloads only through the CLI. Downloads and installations through Security Director, and offline downloads, display an error message stating that the requested application package is not available for download.
Major and Minor Signature Package
Starting in Junos OS Release 24.4R1, two types of signature packages are available for the updates:
- Major updates include IDP signatures, IDP detector, and application identification protobundle.
- Minor updates include regular signature updates.
Let’s understand the difference in major and minor updates with an example:
- The signature package released with a protocol bundle has version 3585. This is a major update. All minor signature packages after 3585 contain this updated protocol bundle until the next major signature package update.
- The next package release includes an IDP detector and has version 3598. This is again a major update. All minor signature packages after 3598 contain this updated detector until the next major update.
If your firewall has major signature package version 3598 and you attempt to download a minor version such as 3588, either manually or through automatic download, the download fails with the following error message:
user@host> request services application-identification download status
Downloading application package (latest) failed with error (No suitable version available for this device, please re-try the download manually without minor)
Downloading Minor-Only Signature Package
You can download an application signature package that is marked as minor. The default behavior does not check for major or minor version.
To set automatic download of the minor signature package:
[edit]
user@host# set services application-identification download automatic minor-only
Specifying minor-only in the command downloads the minor version of the signature package.
To download a minor signature package:
[edit]
user@host> request services application-identification download minor-only
Specifying minor-only in the command downloads the minor version of the signature package.
Check the available signature package versions:
user@host> show services application-identification recent-appid-sigpack-versions
appid sigpack version: 3642
appid sigpack version: 3615
appid sigpack version: 3604
appid sigpack version: 3533
appid sigpack version: 3470
appid sigpack version: 3429
appid sigpack version: 3405
appid sigpack version: 3390
appid sigpack version: 3372
appid sigpack version: 3351
The command displays all the available versions of the application signature package.
Check the version of the installed major signature package:
user@host> show services application-identification version
Application package version: 3666 (Major)
The command displays the version of the major application signature package installed on the device.
View the version of your signature package:
user@host> show services application-identification status
Application Identification
  Status                                  Enabled
  Sessions under app detection            0
  Max TCP session packet memory           2097152
  Force packet plugin                     Disabled
  Force stream plugin                     Disabled
  Statistics collection interval          1440 (in minutes)
Application System Cache
  Status                                  Enabled
  Cache lookup security-services          Disabled
  Cache lookup miscellaneous-services     Enabled
  Max Number of entries in cache          131072
  Cache timeout                           3600 (in seconds)
Protocol Bundle
  Download Server                         https://signatures.juniper.net/cgi-bin/index.cgi
  AutoUpdate                              Disabled
  Proxy Details
    Proxy Profile                         Not Configured
  Slot 1:
    Application package version           3666 (Major)
    Release date                          Mon Oct 10 14:55:29 2022 UTC
    Status                                Active
    PB Version                            1.550.2-31 (build date Oct 10 2022)
    Engine version                        5.7.0-47 (build date Mar 25 2022)
    Micro-App Version                     1.1.0-0
    Sessions                              0
    Custom-App Infra Version              1.0.0-0
Rollback version details:
  Application package version             3662 (Major)
  PB Version                              1.550.2-43
  Engine version                          5.7.1-47
  Micro-App Version                       1.2.0-1
  Custom-App Infra Version                1.0.0-1
The command displays the application signature package version installed on your device in the Application package version field.
Check the version of the signature package from the Juniper Networks security website.
user@host> request services application-identification download check-server
Download server URL: https://signatures.juniper.net/cgi-bin/index.cgi
Sigpack Version: 3666 (Major)
Protobundle version: 1.550.2-43
Build Time: Apr 05 2023 06:28:09
Sigpack Version: 3659 (Minor)
Protobundle version: 1.550.2-43
Build Time: Apr 05 2023 06:28:09
The command displays the latest version of both major and minor application signature packages, which are available on Juniper Networks security website.
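To turn the status and check-server output above into an update decision before running a download, here is an added example (not Juniper code). STATUS_OUTPUT and CHECK_SERVER_OUTPUT are constructed from the CLI output shown on this page; the page gives one case (installed major 3598, minor 3588 refused), and this example generalises it to "a candidate package must be newer than the installed package", which is an assumption of the example.

```python
"""Decide whether a package advertised by the signature server is a usable update.

Added example, not Juniper code. The two text blobs are constructed from the
'show services application-identification status' and 'download check-server'
output shown on this page. The ordering rule in classify() generalises the
single 3598/3588 case in the text and is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

STATUS_OUTPUT = """\
Slot 1:
  Application package version           3666 (Major)
  Release date                          Mon Oct 10 14:55:29 2022 UTC
  Status                                Active
Rollback version details:
  Application package version           3662 (Major)
"""

CHECK_SERVER_OUTPUT = """\
Download server URL: https://signatures.juniper.net/cgi-bin/index.cgi
Sigpack Version: 3666 (Major)
Protobundle version: 1.550.2-43
Build Time: Apr 05 2023 06:28:09
Sigpack Version: 3659 (Minor)
Protobundle version: 1.550.2-43
Build Time: Apr 05 2023 06:28:09
"""


@dataclass(frozen=True)
class Sigpack:
    version: int
    kind: str  # "Major" or "Minor"


# 'show ... status' prints "Application package version 3666 (Major)";
# 'show ... version' prints the same field with a colon, so the colon is optional.
_INSTALLED_RE = re.compile(r"Application package version:?\s+(\d+)\s*\((Major|Minor)\)")
_SERVER_RE = re.compile(r"Sigpack Version:\s*(\d+)\s*\((Major|Minor)\)")


def parse_status(text: str):
    """Return (installed, rollback). rollback is None when no previous version is kept,
    which is the case in which a rollback request fails on the device."""
    found = [Sigpack(int(v), k) for v, k in _INSTALLED_RE.findall(text)]
    if not found:
        raise ValueError("no 'Application package version' field in status output")
    rollback: Optional[Sigpack] = found[1] if len(found) > 1 else None
    return found[0], rollback


def parse_check_server(text: str):
    """Return the packages advertised by 'download check-server', in listed order."""
    return [Sigpack(int(v), k) for v, k in _SERVER_RE.findall(text)]


def classify(installed: Sigpack, candidate: Sigpack) -> str:
    """Assumed rule: a candidate must be newer than what is installed."""
    if candidate.version == installed.version:
        return "already installed"
    if candidate.version < installed.version:
        # Mirrors the page's 'No suitable version available' case for an old minor.
        return "rejected: older than installed %s %d" % (installed.kind.lower(), installed.version)
    return "update available (%s)" % candidate.kind


def plan_update(status_text: str, server_text: str) -> dict:
    """Summarise what is installed, whether auto-rollback has a target, and
    a decision for every package the server advertises."""
    installed, rollback = parse_status(status_text)
    decisions = {c.version: classify(installed, c) for c in parse_check_server(server_text)}
    return {"installed": installed, "rollback_available": rollback is not None, "decisions": decisions}


if __name__ == "__main__":
    result = plan_update(STATUS_OUTPUT, CHECK_SERVER_OUTPUT)
    print("installed:", result["installed"], "rollback available:", result["rollback_available"])
    for version, decision in result["decisions"].items():
        print(version, decision)
```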
Downgrading Application Signature Package Version
You can downgrade your application signature package version by specifying the signature package version. Use the following steps to downgrade:
Check the available signature package versions using the show services application-identification recent-appid-sigpack-versions command.
user@host> show services application-identification recent-appid-sigpack-versions
appid sigpack version: 3642
appid sigpack version: 3615
appid sigpack version: 3604
appid sigpack version: 3533
appid sigpack version: 3470
appid sigpack version: 3429
appid sigpack version: 3405
appid sigpack version: 3390
appid sigpack version: 3372
appid sigpack version: 3351
Run the command to download the required version:
user@host> request services application-identification download version <old-ver>
Offline Application Identification (AppID) Update
Offline Application Identification (AppID) Update and associated features significantly enhance the manageability and serviceability of network systems, particularly in environments with limited connectivity.
Starting in Junos OS Release 24.4R1, the offline AppID update feature allows you to update the signature package from a local tar file using the following CLI command:
user@host> request services application-identification offline-download package-path <path>
When you enter this command, the system uncompresses the signature package and places the extracted files in the proper locations on the device.
Example:
- Copy or download the offline application package from the URL: https://support.juniper.net/support/downloads/?p=282
- Enter the command to extract the signature package:
user@host> request services application-identification offline-download package-path /var/tmp/282_3722_offline-update.tar.gz
Please use command "request services application-identification offline-download status" to check offline download status
- Check the status of the offline download of the signature package:
user@host> request services application-identification offline-download status
AppID sigpack offline download is in progress...
user@host> request services application-identification offline-download status
AppID sigpack offline download : Complete
The system displays the following error message when the package path is not correct:
AppID sigpack offline download : Failed with error (AppID offline download package </var/tmp/...> does not exist)
- Use the request services application-identification install command to install the signature package on the device.
The operation concludes with a system log message indicating whether the update was successful or encountered an error, providing immediate feedback for troubleshooting. Example syslog messages:
- The message APPIDD_APPPACK_OFFLINE_DOWNLOAD_RESULT: AppID sigpack offline download : Complete confirms a successful update.
- The message APPIDD_APPPACK_OFFLINE_DOWNLOAD_RESULT: AppID sigpack offline download : Failed with error (AppID offline download package </var/tmp/...> does not exist) indicates a failure along with a specific error message.
This feature is particularly useful in the environments with limited or no Internet connectivity, such as remote locations or secure facilities.
Syslog Message for Deprecated Applications
You can now manage deprecated applications and application groups. After performing a signature pack update, a system log message lists deprecated applications, helping you identify and manage outdated applications that might impact your security policies.
When handling deprecated applications, the system log message APPIDD_DEPRECATED_APPLIST: Obsolete apps: app1, app2, app3, app4... lists the outdated applications, enabling you to take appropriate action.
List Deprecated Application Groups
You can list all the deprecated application groups using the following command:
user@host> show services application-identification group obsolete-groups
The command allows you to list deprecated application groups, ensuring these groups do not interfere with device configuration and preventing commit failures due to hidden deprecated groups.
You can use the following system log message to view deprecated application groups:
APPIDD_DEPRECATED_GROUPS: Obsolete groups: group1, group2, …
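Because an install fails when a policy still references a signature that the new package removed (see the note in the install procedure above), and because a deprecated group left in the configuration can break a commit, it helps to cross-check the APPIDD_DEPRECATED_APPLIST and APPIDD_DEPRECATED_GROUPS messages against the security policies. The following is an added example, not Juniper code: the syslog lines and set commands are constructed, the application and group names in them are placeholders, and only the message bodies follow the format shown on this page (the syslog prefix in front of them is assumed).

```python
"""Report security policies that reference deprecated AppID applications or groups.

Added example, not Juniper code. SYSLOG_LINES and CONFIG_LINES are constructed;
the names junos:OLD-APP-A, junos:OLD-APP-B and junos:OLD-GROUP-1 are placeholders.
The APPIDD_DEPRECATED_* message bodies follow the format on this page; the
'Nov 23 ... appidd[1234]:' prefix is an assumed syslog header.
"""
import re
from collections import defaultdict

SYSLOG_LINES = """\
Nov 23 14:10:02 host appidd[1234]: APPIDD_DEPRECATED_APPLIST: Obsolete apps: junos:OLD-APP-A, junos:OLD-APP-B
Nov 23 14:10:02 host appidd[1234]: APPIDD_DEPRECATED_GROUPS: Obsolete groups: junos:OLD-GROUP-1
Nov 23 14:10:03 host appidd[1234]: APPIDD_APPPACK_OFFLINE_DOWNLOAD_RESULT: AppID sigpack offline download : Complete
""".splitlines()

CONFIG_LINES = """\
set security policies from-zone untrust to-zone trust policy 1 match dynamic-application junos:all-new-apps
set security policies from-zone untrust to-zone trust policy 2 match dynamic-application junos:OLD-APP-A
set security policies from-zone trust to-zone untrust policy 3 match dynamic-application [ junos:OLD-GROUP-1 junos:OLD-APP-B ]
set security policies from-zone trust to-zone untrust policy 4 match dynamic-application junos:HTTP
""".splitlines()

# Message body: "APPIDD_DEPRECATED_APPLIST: Obsolete apps: a, b, ..." or the GROUPS variant.
_DEPRECATED_RE = re.compile(r"APPIDD_DEPRECATED_(APPLIST|GROUPS): Obsolete (?:apps|groups): (.*)$")

# 'set' form of a policy match; dynamic-application may be a single name or a [ ... ] list.
_POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match dynamic-application (?:\[\s*([^\]]*)\]|(\S+))\s*$"
)


def parse_deprecated(lines):
    """Collect obsolete app and group names from APPIDD_DEPRECATED_* messages."""
    obsolete = {"apps": set(), "groups": set()}
    for line in lines:
        m = _DEPRECATED_RE.search(line)
        if not m:
            continue
        key = "apps" if m.group(1) == "APPLIST" else "groups"
        # The page shows lists ending in "..." or "…" when truncated; drop that marker.
        body = m.group(2).rstrip(".").rstrip("…")
        obsolete[key].update(n.strip() for n in body.split(",") if n.strip())
    return obsolete


def parse_policy_refs(lines):
    """Map (from-zone, to-zone, policy-name) -> set of dynamic-application names."""
    refs = defaultdict(set)
    for line in lines:
        m = _POLICY_RE.match(line.strip())
        if not m:
            continue
        key = (m.group(1), m.group(2), m.group(3))
        names = m.group(4).split() if m.group(4) is not None else [m.group(5)]
        refs[key].update(names)
    return refs


def find_stale_policies(syslog_lines, config_lines):
    """Return {policy-key: sorted list of obsolete names it still references}.
    Every entry needs to be cleaned up before the next install or commit."""
    obsolete = parse_deprecated(syslog_lines)
    stale = obsolete["apps"] | obsolete["groups"]
    return {
        policy: sorted(names & stale)
        for policy, names in parse_policy_refs(config_lines).items()
        if names & stale
    }


if __name__ == "__main__":
    for (src, dst, name), hits in find_stale_policies(SYSLOG_LINES, CONFIG_LINES).items():
        print("policy %s (%s -> %s) references obsolete: %s" % (name, src, dst, ", ".join(hits)))
```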
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.