Application Tracking
Application tracking (AppTrack) is a logging and reporting tool that can be used to share information for application visibility. AppTrack sends log messages through syslog, providing application activity update messages.
Understanding Application Tracking
AppTrack, an application tracking tool, provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. Juniper Secure Analytics (formerly known as STRM) retrieves the data and provides flow-based application visibility.
AppTrack messages are similar to session logs and use syslog or structured syslog formats. The message also includes an application field for the session. If AppTrack identifies a custom-defined application and returns an appropriate name, the custom application name is included in the log message. (If the application identification process fails or has not yet completed when an update message is triggered, the message specifies none in the application field.)
AppTrack supports both IPv4 and IPv6 addressing. Related messages display addresses in the appropriate IPv4 or IPv6 format.
User identity details such as user name and user role have been added to the AppTrack session create, session close, and volume update logs. These fields contain the user name and role associated with the policy match. Logging of user name and roles is enabled only for security policies that provide UAC enforcement; for security policies without UAC enforcement, the user name and user role fields display N/A. The user name is displayed as unauthenticated user and the user role as N/A if the device cannot retrieve information for that session, either because there is no authentication table entry for the session or because logging of this information is disabled. If the match criteria is specific, authenticated user, or any, the user role field in the log contains the list of all the roles performed by the user and the user name field contains the correct user name. The user role field contains N/A if the match criteria and the user name field in the log contain unauthenticated user or unknown user.
If you enable AppTrack for a zone and specify a session-update-interval time, whenever a packet is received, AppTrack checks whether the time since the start of the session or since the last update is greater than the update interval. If so, AppTrack updates the counts and sends an update message to the host. If a short-lived session starts and ends within the update interval, AppTrack generates a message only at session close.
When you want the initial update message to be sent earlier than the specified update interval, use the first-update-interval option. The first-update-interval lets you enter a shorter interval for the first update only.
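The interaction of session-update-interval and first-update-interval is easier to see in a small model of the check described above. The following Python is an added example, not Juniper code: it replays a list of packet arrival times (seconds, constructed) for one session and returns the update and close messages AppTrack would emit. The exact comparison (strictly greater than the interval, measured from session start or from the last update) is an assumption of this model.

```python
VOL_UPDATE = "APPTRACK_SESSION_VOL_UPDATE"
CLOSE = "APPTRACK_SESSION_CLOSE"


def apptrack_messages(packet_times, close_time, session_update_interval,
                      first_update_interval=None):
    """Return [(time, message), ...] emitted for one session.

    packet_times: arrival times of the session's packets, ascending (seconds).
    close_time: when the session closes; the close message is always sent.
    session_update_interval: the configured update interval (seconds).
    first_update_interval: optional shorter interval used for the first update only.
    Model assumption: on every packet, AppTrack compares the time since the
    session start (before any update) or since the last update against the
    applicable interval and emits a volume update when it is exceeded.
    """
    if not packet_times:
        return []
    start = packet_times[0]
    last_update = None
    events = []
    for t in packet_times:
        # The first update may use the shorter first-update-interval.
        interval = session_update_interval
        if last_update is None and first_update_interval is not None:
            interval = first_update_interval
        reference = start if last_update is None else last_update
        if t - reference > interval:
            events.append((t, VOL_UPDATE))
            last_update = t
    # The close message updates the statistics for the last time.
    events.append((close_time, CLOSE))
    return events


def volume_update_count(packet_times, close_time, session_update_interval,
                        first_update_interval=None):
    """Number of volume updates sent before the close message."""
    events = apptrack_messages(packet_times, close_time,
                               session_update_interval, first_update_interval)
    return sum(1 for _, name in events if name == VOL_UPDATE)


if __name__ == "__main__":
    packets = [0, 30, 70, 130, 200]  # constructed arrival times
    print(apptrack_messages(packets, 205, 60))
    print(apptrack_messages(packets, 205, 60, first_update_interval=20))
    print(apptrack_messages([0, 5, 10], 12, 60))  # short-lived: close only
```

A short-lived session that starts and ends inside the interval produces only the close message, matching the behaviour described above.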
The close message updates the statistics for the last time and provides an explanation for the session closure. The following codes are used:

Code | Description
TCP RST | RST received from either end.
TCP FIN | FIN received from either end.
Response received | Response received for a packet request (such as
ICMP error | ICMP error received (such as
Aged out | Session aged out.
ALG | ALG closed the session.
IDP | IDP closed the session.
Parent closed | Parent session closed.
CLI | Session cleared by a CLI statement.
Policy delete | Policy marked for deletion.
Benefits of Application Tracking
- Provides visibility into the types of applications traversing your security device.
- Enables you to gain insight into permitted applications and the risk they might pose.
- Assists in managing bandwidth and reports active users and applications.
Application Tracking Log Messages Fields
Starting from Junos OS Release 15.1X49-D100, AppTrack session create, session close, and volume update logs include a new field called destination interface. You can use the destination interface field to see which egress interface is selected for the session when advanced policy-based routing (APBR) is applied to that session and AppTrack is enabled and configured within any logical system.
Starting from Junos OS Release 15.1X49-D100, a new AppTrack log for route update is added to include APBR profile, rule, and routing instance details. When APBR is applied to a session, the new log is generated and the AppTrack session counter is updated to indicate the number of times a new route update log is generated. The AppTrack session close log is also updated to include APBR profile, rule, and routing instance details.
Starting from Junos OS Release 17.4R1, AppTrack session create, session close, and volume update logs include the new fields category and subcategory. These fields provide general information about the application attributes. For example, the category field specifies the technology of the application (web, infrastructure) and the subcategory field specifies the subcategory of the application (for example, social networking, news, and advertisements).
Because category and subcategory are not applicable to a custom application, the AppTrack log messages present the category as custom application and the subcategory as N/A.
For unknown applications, both category and subcategory are logged as N/A.
Examples of the log messages in structured syslog format:
APPTRACK_SESSION_CREATE
[user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="48873"
destination-address="5.0.0.1" destination-port="80" service-name="junos-http"
application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1"
nat-source-port="48873" nat-destination-address="5.0.0.1"
nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A"
protocol-id="6" policy-name="permit-all" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="32" username="user1"
roles="DEPT1" encrypted="UNKNOWN" destination-interface-name="ge-0/0/0"
category="N/A" sub-category="N/A"]
APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129
reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873"
destination-address="5.0.0.1" destination-port="80" service-name="junos-http"
application="HTTP" nested-application="UNKNOWN" nat-source-address="4.0.0.1"
nat-source-port="48873" nat-destination-address="5.0.0.1"
nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A"
protocol-id="6" policy-name="permit-all" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="32" packets-from-client="5"
bytes-from-client="392" packets-from-server="3" bytes-from-server="646"
elapsed-time="3" username="user1" roles="DEPT1" encrypted="No"
routing-instance="default" destination-interface-name="st0.0"
category="Web" sub-category="N/A"]
APPTRACK_SESSION_VOL_UPDATE
[user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040"
destination-address="5.0.0.1" destination-port="80" service-name="junos-http"
application="HTTP" nested-application="FACEBOOK-SOCIALRSS"
nat-source-address="4.0.0.1" nat-source-port="33040"
nat-destination-address="5.0.0.1" nat-destination-port="80"
src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6"
policy-name="permit-all" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="28" packets-from-client="371"
bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432"
elapsed-time="60" username="user1" roles="DEPT1" encrypted="No"
destination-interface-name="st0.0" category="Web"
sub-category="Social-Networking"]
APPTRACK_SESSION_ROUTE_UPDATE [user@host.1.1.1.2.129
source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1"
destination-port="80" service-name="junos-http" application="HTTP"
nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1"
nat-source-port="33040" nat-destination-address="5.0.0.1"
nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A"
protocol-id="6" policy-name="permit-all" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="28" username="user1"
roles="DEPT1" encrypted="No" profile-name="pf1" rule-name="facebook1"
routing-instance="instance1" destination-interface-name="st0.0"
category="Web" sub-category="Social-Networking"]
Starting in Junos OS Release 18.4R1 and Junos OS Release 18.3R2, in the APPTRACK_SESSION_ROUTE_UPDATE log the encrypted field displays the value N/A, as shown in the following sample:
APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129
source-address="4.0.0.1" source-port="251" destination-address="5.0.0.1"
destination-port="250" service-name="None" application="HTTP"
nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="251"
nat-destination-address="5.0.0.1" nat-destination-port="250"
src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1"
source-zone-name="trust" destination-zone-name="untrust" session-id-32="866"
username="N/A" roles="N/A" encrypted="N/A"
profile-name="profile1" rule-name="rule1" routing-instance="RI1"
destination-interface-name="ge-0/0/2.0" category="Web" subcategory="N/A"
apbr-policy-name="sla1" webfilter-category="N/A"]
Starting in Junos OS Release 18.4R1, the APPTRACK_SESSION_CLOSE and APPTRACK_SESSION_CLOSE_LS logs include the multipath rule name, as shown in the following sample:
2018-10-25T01:00:18.179-07:00 multihome-spoke RT_FLOW -
APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout"
source-address="19.0.0.2" source-port="34880" destination-address="9.0.0.2"
destination-port="80" service-name="junos-http" application="HTTP"
nested-application="GOOGLE-GEN" nat-source-address="19.0.0.2"
nat-source-port="34880" nat-destination-address="9.0.0.2"
nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A"
protocol-id="6" policy-name="1" source-zone-name="trust"
destination-zone-name="untrust1" session-id-32="9625" packets-from-client="347"
bytes-from-client="18199" packets-from-server="388" bytes-from-server="131928"
elapsed-time="411" username="N/A" roles="N/A" encrypted="No"
profile-name="apbr1" rule-name="rule1" routing-instance="TC1_VPN"
destination-interface-name="gr-0/0/0.4" uplink-incoming-interface-name=""
uplink-tx-bytes="0" uplink-rx-bytes="0"
multipath-rule-name="multi1"]
Starting from Junos OS Release 18.2R1, AppTrack session close logs include new fields that record the packet bytes transmitted and received through the uplink interfaces. These values are reported by the uplink-tx-bytes, uplink-rx-bytes, and uplink-incoming-interface-name fields.
Example:
APPTRACK_SESSION_CLOSE [user@host.1.1.1.2.137
reason="TCP FIN" source-address="4.0.0.1" source-port="40297"
destination-address="5.0.0.1" destination-port="110" service-name="junos-pop3"
application="POP3" nested-application="UNKNOWN" nat-source-address="4.0.0.1"
nat-source-port="40297" nat-destination-address="5.0.0.1"
nat-destination-port="110" src-nat-rule-name="N/A" dst-nat-rule-name="N/A"
protocol-id="6" policy-name="permit-all" source-zone-name="UNTRUST"
destination-zone-name="TRUST" session-id-32="81" packets-from-client="7"
bytes-from-client="1959" packets-from-server="6" bytes-from-server="68643"
elapsed-time="130" username="N/A" roles="N/A" encrypted="No" profile-name="pf1"
rule-name="facebook1" routing-instance="instance1"
destination-interface-name="gr-0/0/0.0"
uplink-tx-bytes="1959"
uplink-rx-bytes="68643"
uplink-incoming-interface-name="gr-0/0/0.0"]
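The structured-syslog messages above all share one shape: a message name, a bracketed SD-ID such as junos@2636.1.1.1.2.129, and a run of key="value" pairs. The following Python is an added example, not Juniper code: it parses that shape and summarizes APPTRACK_SESSION_CLOSE messages by application and close reason, which is what a SIEM pipeline does with these logs. The sample lines are constructed from the samples on this page with some fields trimmed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the structured-syslog samples on this
# page (trimmed to the fields the summary uses).
SAMPLE_LOGS = [
    '2018-10-25T01:00:18.179-07:00 multihome-spoke RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="19.0.0.2" '
    'source-port="34880" destination-address="9.0.0.2" destination-port="80" '
    'service-name="junos-http" application="HTTP" nested-application="GOOGLE-GEN" '
    'protocol-id="6" policy-name="1" session-id-32="9625" packets-from-client="347" '
    'bytes-from-client="18199" packets-from-server="388" bytes-from-server="131928" '
    'elapsed-time="411" username="N/A" roles="N/A" encrypted="No" '
    'destination-interface-name="gr-0/0/0.4" multipath-rule-name="multi1"]',
    'RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" '
    'source-address="4.0.0.1" source-port="40297" destination-address="5.0.0.1" '
    'destination-port="110" service-name="junos-pop3" application="POP3" '
    'nested-application="UNKNOWN" protocol-id="6" policy-name="permit-all" '
    'session-id-32="81" packets-from-client="7" bytes-from-client="1959" '
    'packets-from-server="6" bytes-from-server="68643" elapsed-time="130" '
    'username="N/A" roles="N/A" encrypted="No" uplink-tx-bytes="1959" '
    'uplink-rx-bytes="68643" uplink-incoming-interface-name="gr-0/0/0.0"]',
    'RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" '
    'source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" '
    'destination-port="80" service-name="junos-http" application="UNKNOWN" '
    'nested-application="UNKNOWN" protocol-id="6" policy-name="permit-all" '
    'session-id-32="32" packets-from-client="5" bytes-from-client="392" '
    'packets-from-server="3" bytes-from-server="646" elapsed-time="3" '
    'username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0"]',
]

# MESSAGE_NAME [sd-id key="value" key="value" ...]
MSG_RE = re.compile(r'(?P<name>[A-Z][A-Z_]+) \[(?P<sd_id>[^\s\]]+)(?P<params>[^\]]*)\]')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_apptrack(line):
    """Parse one structured-syslog line; return None if it is not one."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {
        "name": m.group("name"),
        "sd_id": m.group("sd_id"),
        "fields": dict(KV_RE.findall(m.group("params"))),
    }


def effective_app(fields):
    """Prefer the nested (layer-7) application when AppID resolved one."""
    nested = fields.get("nested-application", "UNKNOWN")
    if nested in ("UNKNOWN", "none", "N/A"):
        return fields.get("application", "UNKNOWN")
    return nested


def summarize_closes(lines):
    """Aggregate session close logs: bytes per application, close reasons,
    and the session ids whose application was never identified."""
    per_app = defaultdict(lambda: {"sessions": 0, "bytes_from_client": 0,
                                   "bytes_from_server": 0})
    reasons = Counter()
    unidentified = []
    for line in lines:
        msg = parse_apptrack(line)
        if msg is None or msg["name"] != "APPTRACK_SESSION_CLOSE":
            continue
        f = msg["fields"]
        stats = per_app[effective_app(f)]
        stats["sessions"] += 1
        stats["bytes_from_client"] += int(f.get("bytes-from-client", 0))
        stats["bytes_from_server"] += int(f.get("bytes-from-server", 0))
        reasons[f.get("reason", "N/A")] += 1
        # The page notes the application field is UNKNOWN/none when AppID
        # failed or had not completed; these sessions deserve a second look.
        if f.get("application") in ("UNKNOWN", "none"):
            unidentified.append(f.get("session-id-32"))
    return {"per_app": dict(per_app), "reasons": dict(reasons),
            "unidentified": unidentified}


if __name__ == "__main__":
    print(summarize_closes(SAMPLE_LOGS))
```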
Starting from Junos OS Release 18.2R1, the following new messages are added. They provide information such as active and passive SLA metric reports and switching of the application traffic path, as shown in the following samples:
APPQOE_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129
source-address="20.1.1.1" source-port="47335" destination-address="151.101.9.67"
destination-port="443" apbr-profile="apbrProf1" apbr-rule="rule1"
application="HTTP" nested-application="CNN" group-name="N/A"
service-name="junos-https" protocol-id="6" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="611" username="N/A" roles="N/A"
routing-instance="ri3" destination-interface-name="gr-0/0/0.2" ip-dscp="0"
sla-rule="SLA1" elapsed-time="2" bytes-from-client="675" bytes-from-server="0"
packets-from-client="7" packets-from-server="0" previous-interface="gr-0/0/0.2"
active-probe-params="PP1"
destination-group-name="p1"]
APPQOE_PASSIVE_SLA_METRIC_REPORT
[junos@2636.1.1.1.2.129 source-address="20.1.1.1" source-port="47335"
destination-address="151.101.9.67" destination-port="443"
apbr-profile="apbrProf1" apbr-rule="rule1" application="HTTP"
nested-application="CNN" group-name="N/A" service-name="junos-https"
protocol-id="6" source-zone-name="trust" destination-zone-name="untrust"
session-id-32="611" username="N/A" roles="N/A" routing-instance="ri3"
destination-interface-name="gr-0/0/0.2" ip-dscp="0" sla-rule="SLA1"
ingress-jitter="0" egress-jitter="0" rtt-jitter="0" rtt="0" pkt-loss="0"
bytes-from-client="1073" bytes-from-server="6011" packets-from-client="12"
packets-from-server="13" monitoring-time="990" active-probe-params="PP1"
destination-group-name="p1"]
APPQOE_SLA_METRIC_VIOLATION
[junos@2636.1.1.1.2.129 source-address="20.1.1.1" source-port="35264"
destination-address="151.101.193.67" destination-port="443"
apbr-profile="apbrProf1" apbr-rule="rule1" application="HTTP"
nested-application="CNN" group-name="N/A" service-name="junos-https"
protocol-id="6" source-zone-name="trust" destination-zone-name="untrust"
session-id-32="614" username="N/A" roles="N/A" routing-instance="ri3"
destination-interface-name="gr-0/0/0.2" ip-dscp="0" sla-rule="SLA1"
ingress-jitter="104" egress-jitter="7" rtt-jitter="97" rtt="1142" pkt-loss="0"
target-jitter-type="2" target-jitter="20000" target-rtt="500"
target-pkt-loss="1" violation-reason="1" jitter-violation-count="0"
pkt-loss-violation-count="0" rtt-violation-count="1" violation-duration="0"
bytes-from-client="2476" bytes-from-server="163993" packets-from-client="48"
packets-from-server="150" monitoring-time="948" active-probe-params="PP1"
destination-group-name="p1"]
APPQOE_ACTIVE_SLA_METRIC_REPORT
[junos@2636.1.1.1.2.129 source-address="6.1.1.2" source-port="36051"
destination-address="6.1.1.1" destination-port="36050" application="UDP"
protocol-id="17" destination-zone-name="untrust" routing-instance="ri3"
destination-interface-name="gr-0/0/0.3" ip-dscp="128" ingress-jitter="26"
egress-jitter="31" rtt-jitter="8" rtt="2383" pkt-loss="0"
bytes-from-client="870240" bytes-from-server="425280" packets-from-client="4440"
packets-from-server="4430" monitoring-time="30" active-probe-params="PP1"
destination-group-name="p1"]
Starting in Junos OS Release 15.1X49-D170, AppTrack session create, session close, route update, and volume update logs are enhanced to include the VRF name for both the source VRF and the destination VRF.
RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE
[junos@2636.1.1.1.2.129 source-address="1.3.0.10" source-port="990"
destination-address="8.3.0.10" destination-port="8080" service-name="None"
application="HTTP" nested-application="UNKNOWN" nat-source-address="1.3.0.10"
nat-source-port="990" nat-destination-address="8.3.0.10"
nat-destination-port="8080" src-nat-rule-name="N/A" dst-nat-rule-name="N/A"
protocol-id="6" policy-name="1" source-zone-name="trust_lan2"
destination-zone-name="sdwan" session-id-32="432399" username="N/A" roles="N/A"
encrypted="No" profile-name="p2" rule-name="r1"
routing-instance="Default_VPN_LAN2" destination-interface-name="gr-0/0/0.0"
source-l3vpn-vrf-group-name="vpn-A"
destination-l3vpn-vrf-group-name="vpn-A"]
RT_FLOW -
APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="1.3.0.10"
source-port="990" destination-address="8.3.0.10" destination-port="8080"
service-name="None" application="HTTP" nested-application="UNKNOWN"
nat-source-address="1.3.0.10" nat-source-port="990"
nat-destination-address="8.3.0.10" nat-destination-port="8080"
src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1"
source-zone-name="trust_lan2" destination-zone-name="sdwan"
session-id-32="432399" username="N/A" roles="N/A" encrypted="No"
destination-interface-name="gr-0/0/0.0" source-l3vpn-vrf-group-name="vpn-A"
destination-l3vpn-vrf-group-name="vpn-A"]
RT_FLOW -
APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1"
source-port="34219" destination-address="5.0.0.1" destination-port="80"
service-name="junos-http" application="HTTP" nested-application="UNKNOWN"
nat-source-address="4.0.0.1" nat-source-port="34219"
nat-destination-address="5.0.0.1" nat-destination-port="80"
src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6"
policy-name="policy1" source-zone-name="trust" destination-zone-name="untrust"
session-id-32="4" packets-from-client="6" bytes-from-client="425"
packets-from-server="5" bytes-from-server="561" elapsed-time="1" username="N/A"
roles="N/A" encrypted="No" profile-name="p1" rule-name="r1"
routing-instance="default" destination-interface-name="ge-0/0/1.0"
source-l3vpn-vrf-group-name="vpn-A"
destination-l3vpn-vrf-group-name="vpn-A"]
Starting in Junos OS Release 19.1R1, the session close logs include the new source identity fields, so that the session create log and session close log can be checked against each other by user name and roles. The messages provide information such as user name and roles, as shown in the following sample:
RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129
reason="TCP FIN" source-address="4.0.0.1" source-port="34219"
destination-address="5.0.0.1" destination-port="80" service-name="junos-http"
application="HTTP" nested-application="UNKNOWN" nat-source-address="4.0.0.1"
nat-source-port="34219" nat-destination-address="5.0.0.1"
nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A"
protocol-id="6" policy-name="policy1" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="4" packets-from-client="6"
bytes-from-client="425" packets-from-server="5" bytes-from-server="561"
elapsed-time="1" username="N/A" roles="N/A" encrypted="No" profile-name="p1"
rule-name="r1" routing-instance="default"
destination-interface-name="ge-0/0/1.0" uplink-incoming-interface-name=""
uplink-tx-bytes="0" uplink-rx-bytes="0" multipath-rule-name="N/A"
source-l3vpn-vrf-group-name="vpn-A"
destination-l3vpn-vrf-group-name="vpn-A"]
A new syslog message, RT_FLOW_NEXTHOP_CHANGE, is generated whenever there is a change in the route or in the next hop for APBR and AppTrack enabled sessions.
In Junos OS releases prior to 20.2R3, 20.3R2, 20.4R2, and 21.1R1, when an application is not identified by APBR (the APBR interest check) and is later identified by JDPI for the first packet of the session, a syslog message (RT_FLOW_NEXTHOP_CHANGE) is generated. You can ignore this log message.
RT_FLOW_NEXTHOP_CHANGE [junos@2636.1.1.1.2.129 source-address="4.1.0.1"
source-port="43540" destination-address="5.1.0.1" destination-port="7000"
service-name="None" application="JNPR-UDPSVR-ADDR" nested-application="UNKNOWN"
nat-source-address="4.1.0.1" nat-source-port="43540"
nat-destination-address="5.1.0.1" nat-destination-port="7000"
src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="1"
source-zone-name="trust" destination-zone-name="untrust" session-id-32="2"
packets-from-client="1" bytes-from-client="105" packets-from-server="0"
bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="No"
profile-name="profile1" rule-name="rule1" routing-instance="RI1"
destination-interface-name="ge-0/0/1.0" last-destination-interface-name="ge-0/0/4.0"
uplink-incoming-interface-name="" last-incoming-interface-name="N/A"
uplink-tx-bytes="0" uplink-rx-bytes="0" apbr-policy-name="N/A" dscp-value="N/A"
apbr-rule-type="application"]
Starting in Junos OS Release 19.3R1, AppTrack session logs such as session close, volume update, route update, and RT_FLOW_NEXTHOP_CHANGE include the dscp-value and apbr-rule-type options.
APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" dscp-value="13" apbr-rule-type="dscp"]
APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name="pf1" rule-name="facebook1" routing-instance="instance1" destination-interface-name="st0.0" dscp-value="13" apbr-rule-type="application-dscp"]
APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" dscp-value="13" apbr-rule-type="application-dscp"]
RT_FLOW_NEXTHOP_CHANGE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="1999" destination-address="157.240.23.35" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="1999" nat-destination-address="157.240.23.35" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3287" packets-from-client="1" bytes-from-client="60" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="No" profile-name="profile1" rule-name="rule1" routing-instance="RI1" destination-interface-name="ge-0/0/1.0" last-destination-interface-name="ge-0/0/4.0" uplink-incoming-interface-name="" last-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" apbr-policy-name="sla1" dscp-value="13" apbr-rule-type="dscp"]
Starting in Junos OS Release 20.1R1, AppTrack session logs such as session close, volume update, and route update include the apbr-rule-type option.
APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" apbr-rule-type="default"]
APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name="pf1" rule-name="facebook1" routing-instance="instance1" destination-interface-name="st0.0" apbr-rule-type="default"]
APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" apbr-rule-type="default"]
Starting in Junos OS Release 20.4R1, the AppQoE logs (best path selected, SLA metric violation, and SLA metric reports) are updated, as shown in the following samples:
APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="ANY" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="N/A" destination-interface-name="gr-0/0/0.0" sla-rule="sla1" active-probe-params="probe1" destination-group-name="site1" reason="app detected" session-count="1" violation-duration="0" ip-dscp="255" selection-criteria="default" server-ip="10.1.1.1" url="salesforce.com"]
APPQOE_APP_SLA_METRIC_VIOLATION [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="ANY" other-app="N/A" group-name="N/A" routing-instance="ri3" destination-interface-name="gr-0/0/0.0" sla-rule="SLA1" ingress-jitter="4294967295" egress-jitter="4294967295" rtt-jitter="1355" rtt="5537" pkt-loss="0" target-jitter-type="2" target-jitter="20000" target-rtt="1000" target-pkt-loss="1" violation-reason="1" violation-duration="20" active-probe-params="PP1" destination-group-name="p1" server-ip="10.1.1.1" url="salesforce.com"]
APPQOE_ACTIVE_SLA_METRIC_REPORT [junos@2636.1.1.1.2.129 source-address="40.1.1.2" source-port="10001" destination-address="40.1.1.1" destination-port="80" destination-zone-name="untrust1" routing-instance="transit" destination-interface-name="" ip-dscp="6" ingress-jitter="4294967295" egress-jitter="4294967295" rtt-jitter="1345" rtt="4294967295" pkt-loss="100" monitoring-time="29126" active-probe-params="probe1" destination-group-name="site1" forwarding-class="network-control" loss-priority="low" active-probe-type="http head"]
Starting in Junos OS Release 21.2R1, for an application profile without SLA metric, AppQoE generates only the APPQOE_APP_BEST_PATH_SELECTED log. In the APPQOE_APP_BEST_PATH_SELECTED log, the active-probe-params field displays N/A and the violation-duration field displays N/A. The APPQOE_APP_BEST_PATH_SELECTED log has the new fields previous-link-tag, previous-link-priority, destination-link-tag, and destination-link-priority, as shown in the following samples.
When the reason is app detected, the previous-link-tag field displays N/A and the previous-link-priority field displays 0.
-
Application independent profile without SLA metric considerations.
APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="ANY" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="gr-0/0/0.1" destination-interface-name="gr-0/0/0.3" sla-rule="sla1" active-probe-params="N/A" destination-group-name="site1" reason="switch to high priority link" session-count="2" violation-duration="N/A" ip-dscp="255" selection-criteria="default" forwarding-nexthop-id="262142" server-ip="0.0.0.0" server-url="N/A" previous-link-tag=”ISP1” previous-link-priority=”100” destination-link-tag=”ISP1” destination-link-priority=”50”]
For application independent profile the application field displays as
ANY
. -
Application based profile without SLA metrics considerations.
APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="SSH" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="gr-0/0/0.1" destination-interface-name="gr-0/0/0.3" sla-rule="sla1" active-probe-params="N/A" destination-group-name="site1" reason="switch to high priority link" session-count="2" violation-duration="N/A" ip-dscp="255" selection-criteria="application" forwarding-nexthop-id="262142" server-ip="0.0.0.0" server-url="N/A" previous-link-tag=”ISP1” previous-link-priority=”100” destination-link-tag=”ISP1” destination-link-priority=”50”]
-
Application independent profile with SLA metric considerations and without violation reported.
APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="ANY" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="gr-0/0/0.1" destination-interface-name="gr-0/0/0.3" sla-rule="sla1" active-probe-params="probe1" destination-group-name="site1" reason="switch to high priority link" session-count="2" violation-duration=”180” ip-dscp="255" selection-criteria="default" forwarding-nexthop-id="262142" server-ip="0.0.0.0" server-url="N/A" previous-link-priority=”100” destination-link-tag=”ISP2” destination-link-priority=”50”]
-
Application independent profile with SLA metric considerations and with violation reported.
APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="ANY" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="gr-0/0/0.1" destination-interface-name="gr-0/0/0.3" sla-rule="sla1" active-probe-params="probe1" destination-group-name="site1" reason="sla violated" session-count="2" violation-duration=”180” ip-dscp="255" selection-criteria="default" forwarding-nexthop-id="262142" server-ip="0.0.0.0" server-url="N/A" previous-link-priority=”100” destination-link-tag=”ISP2” destination-link-priority=”50”]
APPQOE_APP_SLA_METRIC_VIOLATION [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="ANY" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" destination-interface-name="gr-0/0/0.1" sla-rule="sla1" ingress-jitter="253" egress-jitter="252340" rtt-jitter="252593" rtt="251321" pkt-loss="0" target-jitter-type="2" target-jitter="25000" target-rtt="200000" target-pkt-loss="15" violation-reason="3" active-probe-params="probe1" destination-group-name="site1" ip-dscp="255" selection-criteria="default"]
APPQOE_APP_PASSIVE_SLA_METRIC_REPORT [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="ANY" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" destination-interface-name="gr-0/0/0.1" sla-rule="sla1" ingress-jitter="109" egress-jitter="72" rtt-jitter="102" rtt="63674" pkt-loss="0" min-ingress-jitter="1" min-egress-jitter="1" min-rtt-jitter="1" min-rtt="793" min-pkt-loss="0" max-ingress-jitter="448" max-egress-jitter="252340" max-rtt-jitter="252593" max-rtt="253784" max-pkt-loss="0" probe-count="122" monitoring-time="59882" active-probe-params="probe1" destination-group-name="site1" ip-dscp="255" selection-criteria="default"]
Application based profile with SLA metric considerations and without violation reported.
APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="SSH" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="gr-0/0/0.2" destination-interface-name="gr-0/0/0.3" sla-rule="sla1" active-probe-params="probe1" destination-group-name="site1" reason="switch to high priority link" session-count="2" violation-duration="180" ip-dscp="255" selection-criteria="application" forwarding-nexthop-id="262142" server-ip="0.0.0.0" server-url="N/A" previous-link-tag="ISP2" previous-link-priority="70" destination-link-tag="ISP2" destination-link-priority="30"]
Application based profile with SLA metric considerations and with violation reported.
APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="SSH" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="gr-0/0/0.2" destination-interface-name="gr-0/0/0.3" sla-rule="sla1" active-probe-params="probe1" destination-group-name="site1" reason="sla violated" session-count="2" violation-duration="180" ip-dscp="255" selection-criteria="application" forwarding-nexthop-id="262142" server-ip="0.0.0.0" server-url="N/A" previous-link-tag="ISP2" previous-link-priority="70" destination-link-tag="ISP2" destination-link-priority="30"]
APPQOE_APP_PASSIVE_SLA_METRIC_REPORT [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="SSH" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" destination-interface-name="gr-0/0/0.1" sla-rule="sla1" ingress-jitter="109" egress-jitter="72" rtt-jitter="102" rtt="63674" pkt-loss="0" min-ingress-jitter="1" min-egress-jitter="1" min-rtt-jitter="1" min-rtt="793" min-pkt-loss="0" max-ingress-jitter="448" max-egress-jitter="252340" max-rtt-jitter="252593" max-rtt="253784" max-pkt-loss="0" probe-count="122" monitoring-time="59882" active-probe-params="probe1" destination-group-name="site1" ip-dscp="255" selection-criteria="application"]
APPQOE_APP_SLA_METRIC_VIOLATION [junos@2636.1.1.1.2.129 apbr-profile="apbr1" apbr-rule="rule1" application="SSH" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" destination-interface-name="gr-0/0/0.1" sla-rule="sla1" ingress-jitter="253" egress-jitter="252340" rtt-jitter="252593" rtt="251321" pkt-loss="0" target-jitter-type="2" target-jitter="25000" target-rtt="200000" target-pkt-loss="15" violation-reason="3" active-probe-params="probe1" destination-group-name="site1" ip-dscp="255" selection-criteria="application"]
Consider a scenario where an SRX Series Firewall is operating in chassis cluster mode and the AppQoE configuration includes SaaS probes with the violation count configured as 1. When application traffic switches the route path across nodes, a violation syslog message is generated on both the primary and backup nodes. You can ignore the syslog message generated on the node that is hosting the current path.
When link affinity is configured as "loose" and the application traffic switches from a preferred link to a non-preferred link that has the higher priority, the system log message records the reason as "switch to higher priority".
Example:
RT_FLOW - APPQOE_APP_BEST_PATH_SELECTED [apbr-profile="apbr1" apbr-rule="rule1" application="YAHOO" other-app="N/A" group-name="N/A" routing-instance="TC1_VPN" previous-interface="gr-0/0/0.0" destination-interface-name="gr-0/0/0.2" sla-rule="sla1" active-probe-params="probe1" destination-group-name="site1" reason="switch to higher priority link" session-count="1" violation-duration="0" ip-dscp="255" selection-criteria="application" forwarding-nexthop-id="262149" server-ip="0.0.0.0" server-url="N/A" previous-link-tag="ISP1" previous-link-priority="10" destination-link-tag="ISP3" destination-link-priority="3"]
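The AppQoE messages above are structured syslog: a message tag, then one SD-element whose name="value" pairs carry both the measured SLA metrics and the targets they were judged against. As an added example (not code from the Juniper documentation), the Python below parses that SD-element, handles both the form with an SD-ID (junos@2636.1.1.1.2.129) and the RT_FLOW form without one, and reports which metrics exceed their targets; the sample lines are constructed and shortened from the messages on this page, and the pairing of each jitter value with target-jitter is an assumption, since the page does not say which jitter target-jitter-type selects.

```python
import re

# Constructed samples, shortened from the AppQoE messages shown on this page.
VIOLATION = ('APPQOE_APP_SLA_METRIC_VIOLATION [junos@2636.1.1.1.2.129 apbr-profile="apbr1" '
             'apbr-rule="rule1" application="SSH" routing-instance="TC1_VPN" '
             'destination-interface-name="gr-0/0/0.1" sla-rule="sla1" ingress-jitter="253" '
             'egress-jitter="252340" rtt-jitter="252593" rtt="251321" pkt-loss="0" '
             'target-jitter-type="2" target-jitter="25000" target-rtt="200000" '
             'target-pkt-loss="15" violation-reason="3"]')
PATH = ('APPQOE_APP_BEST_PATH_SELECTED [junos@2636.1.1.1.2.129 apbr-profile="apbr1" '
        'apbr-rule="rule1" application="SSH" previous-interface="gr-0/0/0.2" '
        'destination-interface-name="gr-0/0/0.3" reason="sla violated" '
        'session-count="2" violation-duration="180"]')
LOOSE = ('RT_FLOW - APPQOE_APP_BEST_PATH_SELECTED [apbr-profile="apbr1" application="YAHOO" '
         'previous-interface="gr-0/0/0.0" destination-interface-name="gr-0/0/0.2" '
         'reason="switch to higher priority link" previous-link-priority="10" '
         'destination-link-priority="3"]')

SD_RE = re.compile(
    r'(?P<tag>APP(?:QOE|TRACK)_[A-Z_]+) \['   # message tag, then the SD-element opens
    r'(?:(?P<sdid>[^\s="]+) )?'               # optional SD-ID such as junos@2636.1.1.1.2.129
    r'(?P<params>[\w-]+=".*)\]\s*$')          # name="value" pairs up to the closing bracket
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_sd_syslog(line):
    """Return the SD-element fields as a dict; _tag and _sdid hold the envelope."""
    m = SD_RE.search(line)
    if m is None:
        raise ValueError('not an AppTrack/AppQoE structured-syslog line: %r' % line)
    fields = dict(PARAM_RE.findall(m.group('params')))
    fields['_tag'] = m.group('tag')
    fields['_sdid'] = m.group('sdid')   # None for the RT_FLOW form without an SD-ID
    return fields


def sla_breaches(fields):
    """Return {metric: (measured, target)} for every SLA metric above its target.

    Assumption: rtt is compared with target-rtt, pkt-loss with target-pkt-loss, and
    each jitter value with target-jitter. Which jitter the device enforces is chosen
    by target-jitter-type (not documented here), so all three are reported.
    """
    pairs = [('rtt', 'target-rtt'), ('pkt-loss', 'target-pkt-loss'),
             ('ingress-jitter', 'target-jitter'), ('egress-jitter', 'target-jitter'),
             ('rtt-jitter', 'target-jitter')]
    out = {}
    for metric, target in pairs:
        if metric in fields and target in fields:
            measured, limit = int(fields[metric]), int(fields[target])
            if measured > limit:
                out[metric] = (measured, limit)
    return out


def path_change(fields):
    """For APPQOE_APP_BEST_PATH_SELECTED, return (previous, new, reason); else None."""
    if fields.get('_tag') != 'APPQOE_APP_BEST_PATH_SELECTED':
        return None
    return (fields.get('previous-interface'),
            fields.get('destination-interface-name'), fields.get('reason'))


if __name__ == '__main__':
    for line in (VIOLATION, PATH, LOOSE):
        f = parse_sd_syslog(line)
        print(f['_tag'], path_change(f) or sla_breaches(f))
```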
Example: Configuring Application Tracking
This example shows how to configure the AppTrack tracking tool so you can analyze the bandwidth usage of your network.
Requirements
Before you configure AppTrack, ensure that you have downloaded the application signature package, installed it, and verified that the application identification configuration is working properly. See Downloading and Installing the Junos OS Application Signature Package Manually or Downloading and Installing the Junos OS Application Signature Package As Part of the IDP Security Package. Use the show services application-identification status command to verify the status.
Overview
Application identification is enabled by default and is automatically turned on when you configure the AppTrack, AppFW, or IDP service. Juniper Secure Analytics (JSA) retrieves the data and provides flow-based application visibility. STRM includes support for AppTrack reporting and includes several predefined search templates and reports.
Starting in Junos OS 21.1R1, note the changes in the following logs:
AppTrack session create logs (APPTRACK_SESSION_CREATE) are disabled by default. Use the following command to enable it:
user@host# set security application-tracking log-session-create
AppTrack session close logs (APPTRACK_SESSION_CLOSE) are disabled by default. Use the following statement to enable it:
user@host# set security application-tracking log-session-close
You can disable AppTrack session volume update logs (APPTRACK_SESSION_VOL_UPDATE) using the following statement:
user@host# set security application-tracking no-volume-updates
Configuration
This example shows how to enable application tracking for the security zone named trust. The first log message is to be generated when the session starts, and update messages should be sent every 4 minutes after that. A final message should be sent at session end.
The example also shows how to add the remote syslog device configuration to receive AppTrack log messages in sd-syslog format. The source IP address that is used when exporting security logs is 192.0.2.1, and the security logs are sent to the host located at address 192.0.2.2.
J-Web pages for AppSecure Services are preliminary. We recommend using CLI for configuration of AppSecure features.
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Changing the session-update-interval and the first-update-interval is not necessary in most situations. The commands are included in this example to demonstrate their use.
user@host# set security log mode stream
user@host# set security log format sd-syslog
user@host# set security log source-address 192.0.2.1
user@host# set security log stream app-track-logs host 192.0.2.2
user@host# set security zones security-zone trust application-tracking
user@host# set security application-tracking session-update-interval 4
user@host# set security application-tracking first-update-interval 1
On SRX5600, and SRX5800 devices, if the syslog configuration does not specify a destination port, the default destination port will be the syslog port. If you specify a destination port in the syslog configuration, then that port will be used instead.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.
To configure AppTrack:
Add the remote syslog device configuration to receive AppTrack messages in sd-syslog format.
[edit]
user@host# set security log mode stream
user@host# set security log format sd-syslog
user@host# set security log source-address 192.0.2.1
user@host# set security log stream app-track-logs host 192.0.2.2
Enable AppTrack for the security zone trust.
[edit]
user@host# set security zones security-zone trust application-tracking
(Optional) For this example, generate update messages every 4 minutes.
[edit]
user@host# set security application-tracking session-update-interval 4
The default interval between messages is 5 minutes. If a session starts and ends within this update interval, AppTrack generates one message at session close. However, if the session is long-lived, an update message is sent every 5 minutes. The session-update-interval minutes option is configurable as shown in this step.
(Optional) For this example, generate the first message after one minute.
[edit]
user@host# set security application-tracking first-update-interval 1
By default, the first message is generated after the first session update interval elapses. To generate the first message at a different time than this, use the first-update-interval minutes option (generate the first message after the specified minutes).
Note: The first-update option and the first-update-interval minutes option are mutually exclusive. If you specify both, the first-update-interval value is ignored. Starting in Junos OS 21.1R1, the first-update statement is deprecated, rather than immediately removed, to provide backward compatibility.
Once the first message has been generated, an update message is generated each time the session update interval is reached.
Results
From configuration mode, confirm your configuration by entering the show security and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
[edit]
user@host# show security
...
application-tracking {
    first-update-interval 1;
    session-update-interval 4;
}
log {
    mode stream;
    format sd-syslog;
    source-address 192.0.2.1;
    stream app-track-logs {
        host {
            192.0.2.2;
        }
    }
}
...
[edit]
user@host# show security zones
...
security-zone trust {
    ...
    application-tracking;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Use the JSA product on the remote logging device to view the AppTrack log messages.
To confirm that the configuration is working properly, you can also perform these tasks on the device.
- Reviewing AppTrack Statistics
- Verifying AppTrack Counter Values
- Verifying Security Flow Session Statistics
- Verifying Application System Cache Statistics
- Verifying the Status of Application Identification Counter Values
Reviewing AppTrack Statistics
Purpose
Review AppTrack statistics to view characteristics of the traffic being tracked.
Action
From operational mode, enter the show services application-identification statistics applications command.
user@host> show services application-identification statistics applications
Last Reset: 2012-02-14 21:23:45 UTC
Application        Sessions    Bytes    Encrypted
HTTP               1           2291     Yes
HTTP               1           942      No
SSL                1           2291     Yes
unknown            1           100      No
unknown            1           100      Yes
For more information on the show services application-identification statistics applications command, see show services application-identification statistics applications.
Verifying AppTrack Counter Values
Purpose
View the AppTrack counters periodically to monitor logging activity.
Action
From operational mode, enter the show security application-tracking counters command.
user@host> show security application-tracking counters
AVT counters:                    Value
  Session create messages            1
  Session close messages             1
  Session volume updates             0
  Failed messages                    0
Verifying Security Flow Session Statistics
Purpose
Compare byte and packet counts in logged messages with the session statistics from the show security flow session command output.
Action
From operational mode, enter the show security flow session command.
user@host> show security flow session
Flow Sessions on FPC6 PIC0:
Session ID: 120000044, Policy name: policy-in-out/4, Timeout: 1796, Valid
  In: 192.0.2.1/24 --> 198.51.100.0/21;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 1032
  Out: 198.51.100.0/24 --> 192.0.2.1/39075;tcp, If: ge-0/0/1.0, Pkts: 24, Bytes: 1442
Valid sessions: 1
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 1
Byte and packet totals in the session statistics should approximate the counts logged by AppTrack but might not be exactly the same. AppTrack counts only incoming bytes and packets. System-generated packets are not included in the total, and dropped packets are not deducted.
Verifying Application System Cache Statistics
Purpose
Compare cache statistics such as IP address, port, protocol, and service for an application from the show services application-identification application-system-cache command output.
Action
From operational mode, enter the show services application-identification application-system-cache command.
Verifying the Status of Application Identification Counter Values
Purpose
Compare session statistics for application identification counter values from the show services application-identification counter command output.
Action
From operational mode, enter the show services application-identification counter command.
Example: Configuring Application Tracking When SSL Proxy Is Enabled
This example describes how AppTrack supports AppID functionality when SSL proxy is enabled.
Requirements
Before you begin:
Create zones. See Example: Creating Security Zones.
Create an SSL proxy profile that enables SSL proxy by means of a policy. See Configuring SSL Forward Proxy.
Overview
You can configure AppTrack either in the to or from zones. This example shows how to configure AppTrack in a to zone in a policy rule when SSL proxy is enabled.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security zones security-zone Z_1 application-tracking
set security policies from-zone Z_1 to-zone Z_2 policy policy1 match source-address any
set security policies from-zone Z_1 to-zone Z_2 policy policy1 match destination-address any
set security policies from-zone Z_1 to-zone Z_2 policy policy1 then permit application-services ssl-proxy profile-name ssl-profile-1
set security policies from-zone Z_1 to-zone Z_2 policy policy1 then permit
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
In this example, you configure application tracking and permit application services in an SSL proxy profile configuration.
Configure application tracking in a to-zone (you can also configure using a from-zone).
[edit]
user@host# set security zones security-zone Z_1 application-tracking
Configure the SSL proxy profile in the policy.
[edit security policies from-zone Z_1 to-zone Z_2 policy policy1]
user@host# set match source-address any
user@host# set match destination-address any
user@host# set match application junos-https
user@host# set then permit application-services ssl-proxy profile-name ssl-profile-1
user@host# set then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
from-zone Z_1 to-zone Z_2 {
    policy policy1 {
        match {
            source-address any;
            destination-address any;
        }
        then {
            permit {
                application-services {
                    ssl-proxy {
                        profile-name ssl-profile-1;
                    }
                }
            }
        }
    }
}
Verify that the configuration is working properly. Verification in AppTrack works similarly to verification in AppFW. See the verification section of Example: Configuring Application Firewall When SSL Proxy Is Enabled.
Disabling Application Tracking
Application tracking is enabled by default. You can disable application tracking without deleting the zone configuration.
To disable application tracking:
user@host# set security application-tracking disable
If application tracking has been previously disabled and you want to reenable it, delete the configuration statement that specifies disabling of application tracking:
user@host# delete security application-tracking disable
If you are finished configuring the device, commit the configuration.
To verify the configuration, enter the show security application-tracking command.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.