Applications and Application Sets for IDP Policies
Applications or services represent Application Layer protocols that define how data is structured as it travels across the network.
For more information, see the following topics:
Understanding IDP Application Sets
Applications or services represent Application Layer protocols that define how data is structured as it travels across the network. Because the services you support on your network are the same services that attackers must use to attack your network, you can specify which services are supported by the destination IP to make your rules more efficient. Juniper Networks provides predefined applications and application sets that are based on industry-standard applications. If you need to add applications that are not included in the predefined applications, you can create custom applications or modify predefined applications to suit your needs.
You specify an application, or service, to indicate that a policy applies to traffic of that type. Sometimes the same applications or a subset of them can be present in multiple policies, making them difficult to manage. Junos OS allows you to create groups of applications called application set.
Application sets simplify the process by allowing you to manage a small number of application sets, rather than a large number of individual application entries.
The application (or application set) is configured as a match criterion for packets. Packets must be of the application type specified in the policy for the policy to apply to the packet. If the packet matches the application type specified by the policy and all other criteria match, then the policy action is applied to the packet. You can use predefined or custom applications and refer to them in a policy.
See Also
Example: Configuring IDP Applications Sets
This example shows how to create an application set and associate it with an IDP policy.
Requirements
Before you begin:
Configure network interfaces.
Enable IDP application services in a security policy.
Define applications. See Example: Configuring Security Policy Applications and Application Sets.
Overview
To configure an application set, you add predefined or custom applications separately to an application set and assign a meaningful name to the application set. Once you name the application set you specify the name as part of the policy. For this policy to apply on a packet, the packet must match any one of the applications included in this set.
This example describes how to create an application set called SrvAccessAppSet and associate it with IDP policy ABC. The application set SrvAccessAppSet combines three applications. Instead of specifying three applications in the policy rule, you specify one application set. If all of the other criteria match, any one of the applications in the application set serves as valid matching criteria.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.
set applications application-set SrvAccessAppSet application junos-ssh set applications application-set SrvAccessAppSet application junos-telnet set applications application-set SrvAccessAppSet application cust-app set security idp idp-policy ABC rulebase-ips rule ABC match application SrvAccessAppSet set security idp idp-policy ABC rulebase-ips rule ABC then action no-action set security idp active-policy ABC
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application set and associate it with an IDP policy:
Create an application set and include three applications in the set.
[edit applications application-set SrvAccessAppSet] user@host# set application junos-ssh user@host# set application junos-telnet user@host# set application cust-app
Create an IDP policy.
[edit] user@host# edit security idp idp-policy ABC
Associate the application set with an IDP policy.
[edit security idp idp-policy ABC] user@host# set rulebase-ips rule ABC match application SrvAccessAppSet
Specify an action for the policy.
[edit security idp idp-policy ABC] user@host# set rulebase-ips rule ABC then action no-action
Activate the policy.
[edit] user@host# set security idp active-policy ABC
Results
From configuration mode, confirm your configuration
by entering the show security idp and show applications commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
idp-policy ABC {
rulebase-ips {
rule R1 {
match {
application SrvAccessAppSet;
}
then {
action {
no-action;
}
}
}
}
}
active-policy ABC;
[edit]
user@host# show applications
application-set SrvAccessAppSet {
application ssh;
application telnet;
application custApp;
}
If you are done configuring the device, enter commit from configuration mode.
Example: Configuring IDP Applications and Services
This example shows how to create an application and associate it with an IDP policy.
Requirements
Before you begin:
Configure network interfaces.
Enable IDP application services in a security policy.
Overview
To create custom applications, specify a meaningful name for an application and associate parameters with it—for example, inactivity timeout, or application protocol type. In this example, you create a special FTP application called cust-app, specify it as a match condition in the IDP policy ABC running on port 78, and specify the inactivity timeout value as 6000 seconds.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.
set applications application cust-app application-protocol ftp protocol tcp destination-port 78 inactivity-timeout 6000 set security idp idp-policy ABC rulebase-ips rule ABC match application cust-app set security idp idp-policy ABC rulebase-ips rule ABC then action no-action set security idp active-policy ABC
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application and associate it with an IDP policy:
Create an application and specify its properties.
[edit applications application cust-app] user@host# set application-protocol ftp protocol tcp destination-port 78 inactivity-timeout 6000
Specify the application as a match condition in a policy.
[edit security idp idp-policy ABC rulebase-ips rule ABC] user@host# set match application cust-app
Specify the no action condition.
[edit security idp idp-policy ABC rulebase-ips rule ABC] user@host# set then action no-action
Activate the policy.
[edit] user@host# set security idp active-policy ABC
Results
From configuration mode, confirm your configuration
by entering the show security idp and show applications commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
idp-policy ABC {
rulebase-ips {
rule R1 {
match {
application cust-app;
}
}
}
}
active-policy ABC;
[edit]
user@host# show applications
application cust-app {
application-protocol ftp;
protocol tcp;
destination-port 78;
inactivity-timeout 6000;
}
If you are done configuring the device, enter commit from configuration mode.