Note: Starting
in Junos OS Release 19.3R2 and 19.4R1, application identification
is also supported for Broadband Subscriber Management if you have
enabled Next Gen Services on the MX240, MX480 or MX960 router with
the MX-SPC3 card.
You can configure custom application definitions using custom
signatures. These definitions enable identification of protocol bundles
through deep packet inspection (DPI) for use by interested services
in the service chain.
Before
you configure custom application signatures, ensure that jservices-jdpi
is configured on all required interfaces of your MS-MPC, or of your
MX-SPC3 services card if you have enabled Next Gen Services on the
MX240, MX480, or MX960. To review how to configure the package on
your MS-MPC or MX-SPC3 services card:
To configure one or more custom application signatures:
- Specify a name for the application.
[edit services application-identification]
user@host# edit application application-name
For example:
[edit services application-identification]
user@host# edit application my:http
- Specify a description for the application.
[edit services application-identification application application-name]
user@host# set description description
For example:
[edit services application-identification application my:http]
user@host# set description "Test application"
- Specify an alternative name for the application.
[edit services application-identification application application-name]
user@host# set alt-name alt-name
For example:
[edit services application-identification application my:http]
user@host# set alt-name my:http-app
- Enable saving of the application system cache (ASC).
[edit services application-identification application my:http]
user@host# set cacheable
- Specify the name of the Junos OS release for compatibility.
[edit services application-identification application application-name]
user@host# set compatibility junos-compatibility-version
For example:
[edit services application-identification application my:http]
user@host# set compatibility 17.1
- Specify any desired application tags, consisting of a
user-defined name and value.
[edit services application-identification application application-name]
user@host# set tags tag-name tag-value
For example:
[edit services application-identification application my:http]
user@host# set tags traffic-type video-stream
- Specify one or more address-based signatures.
- Specify an ICMP-based signature.
Specify ICMP type and code.
[edit services application-identification application application-name]
user@host# set icmp-mapping type icmp-type code icmp-code
For example:
[edit services application-identification application my:http]
user@host# set icmp-mapping type 33 code 34
- Specify an IP protocol-based signature.
Specify the IP protocol by protocol number.
[edit services application-identification application application-name]
user@host# set ip-protocol-mapping protocol protocol-number
For example:
[edit services application-identification application my:http]
user@host# set ip-protocol-mapping protocol 103
Any IP protocol number can be configured under ip-protocol-mapping except 1 (ICMP), 6 (TCP), and 17 (UDP); those three are rejected under IP protocol-based signatures, and configuring any of them produces a commit error.
- Specify one or more Layer 4 and Layer 7 signatures using
pattern matching in conjunction with a Layer 4 protocol.
Specify a name for the Layer 4 and Layer 7 signature.
[edit services application-identification application application-name over protocol-type]
user@host# set signature l4-l7-signature-name
For example:
[edit services application-identification application my:http over http]
user@host# set signature myl3l7
Specify the order used to resolve conflicts during application classification. When more than one application matches, the application with the lowest order value is the one classified.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name member member-name]
user@host# set order order
For example:
[edit services application-identification application my:http over http signature myl3l7 member m01]
user@host# set order 1
Specify the priority for using this signature instead
of using any matched predefined signatures.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name]
user@host# set order-priority (high | low)
For example:
[edit services application-identification application my:http over http signature myl3l7]
user@host# set order-priority high
(Optional) Specify the protocol. If you are using Next
Gen Services with the MX-SPC3 services card, do not perform this step.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name]
user@host# set protocol (http | ssl | tcp | udp)
For example:
[edit services application-identification application my:http over http signature myl3l7]
user@host# set protocol http
(Optional) Specify that members are to be matched in order.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name]
user@host# set chain-order
Specify a member. You
can repeat this step to define up to four members.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name]
user@host# edit member member-name
For example:
[edit services application-identification application my:http over http signature myl3l7]
user@host# edit member m01
Specify the member’s identifying pattern.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name member member-name]
user@host# set pattern pattern
For example:
[edit services application-identification application my:http over http signature myl3l7 member m01]
user@host# set pattern "www\.facebook\.net"
Specify the direction of flows to which pattern matching
is applied.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name member member-name]
user@host# set direction (any | client-to-server | server-to-client)
For example:
[edit services application-identification application my:http over http signature myl3l7 member m01]
user@host# set direction any
Specify the number of check-bytes. This option applies
to TCP and UDP only.
[edit services application-identification application application-name over protocol-type signature l4-l7-signature-name member member-name]
user@host# set check-bytes max-bytes-to-check
For example:
[edit services application-identification application my:http over http signature myl3l7 member m01]
user@host# set check-bytes 5000
- (For Next Gen Services with the MX-SPC3 services card only) After you commit your changes, check whether the custom signatures were accepted. This is an operational-mode command (the prompt ends in `>`), so run it from operational mode, or prefix it with `run` from configuration mode.
[edit services application-identification application my:http over http signature myl3l7 member m01]
user@host> show services application-identification commit-status
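The steps above build one application, my:http, one `set` statement at a time. The following is an added example, not code from the Juniper page or from Juniper: it assembles the complete list of `set` commands for that same my:http example and checks, before you ever type `commit`, the constraints the procedure states (protocol numbers 1, 6 and 17 rejected under ip-protocol-mapping, one to four members per signature, valid direction and order-priority values). The dataclass and function names are this example's own and hypothetical, not Junos API names; the sample values are the ones used in the procedure.

```python
"""Pre-commit check for a Junos custom application signature (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BASE = "set services application-identification application"
FORBIDDEN_IP_PROTOCOLS = {1, 6, 17}   # ICMP, TCP, UDP: commit error under ip-protocol-mapping
MAX_MEMBERS = 4                        # the procedure allows up to four members per signature
DIRECTIONS = {"any", "client-to-server", "server-to-client"}
L4L7_PROTOCOLS = {"http", "ssl", "tcp", "udp"}
ORDER_PRIORITIES = {"high", "low"}


@dataclass
class Member:
    name: str
    pattern: str                       # regular expression, quoted on output
    direction: str = "any"
    order: Optional[int] = None        # lowest order wins on classification conflicts
    check_bytes: Optional[int] = None  # TCP/UDP only per the page; not enforced here


@dataclass
class Signature:
    name: str
    over: str                          # protocol-type after the `over` keyword
    order_priority: str = "low"
    protocol: Optional[str] = None     # leave None on MX-SPC3 / Next Gen Services
    chain_order: bool = False
    members: List[Member] = field(default_factory=list)


@dataclass
class CustomApp:
    name: str
    description: str = ""
    alt_name: Optional[str] = None
    cacheable: bool = False
    compatibility: Optional[str] = None
    tags: Dict[str, str] = field(default_factory=dict)
    icmp_mappings: List[Tuple[int, int]] = field(default_factory=list)  # (type, code)
    ip_protocol_mappings: List[int] = field(default_factory=list)
    signatures: List[Signature] = field(default_factory=list)


def problems(app: CustomApp) -> List[str]:
    """Return every violation of the constraints the procedure states (empty list = OK)."""
    out: List[str] = []
    for proto in app.ip_protocol_mappings:
        if proto in FORBIDDEN_IP_PROTOCOLS:
            out.append(f"ip-protocol-mapping protocol {proto} is rejected at commit")
        elif not 0 <= proto <= 255:
            out.append(f"ip-protocol-mapping protocol {proto} is not a valid protocol number")
    for icmp_type, icmp_code in app.icmp_mappings:
        if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
            out.append(f"icmp-mapping type {icmp_type} code {icmp_code} is out of range")
    for sig in app.signatures:
        if sig.order_priority not in ORDER_PRIORITIES:
            out.append(f"signature {sig.name}: order-priority must be high or low")
        if sig.protocol is not None and sig.protocol not in L4L7_PROTOCOLS:
            out.append(f"signature {sig.name}: protocol must be one of {sorted(L4L7_PROTOCOLS)}")
        if not 1 <= len(sig.members) <= MAX_MEMBERS:
            out.append(f"signature {sig.name}: needs 1 to {MAX_MEMBERS} members")
        for m in sig.members:
            if m.direction not in DIRECTIONS:
                out.append(f"member {m.name}: bad direction {m.direction!r}")
            if not m.pattern:
                out.append(f"member {m.name}: pattern is required")
    return out


def render(app: CustomApp) -> List[str]:
    """Emit the `set` commands in the same order as the procedure; refuse invalid input."""
    errs = problems(app)
    if errs:
        raise ValueError("; ".join(errs))
    a = f"{BASE} {app.name}"
    lines: List[str] = []
    if app.description:
        lines.append(f'{a} description "{app.description}"')
    if app.alt_name:
        lines.append(f"{a} alt-name {app.alt_name}")
    if app.cacheable:
        lines.append(f"{a} cacheable")
    if app.compatibility:
        lines.append(f"{a} compatibility {app.compatibility}")
    lines += [f"{a} tags {k} {v}" for k, v in app.tags.items()]
    lines += [f"{a} icmp-mapping type {t} code {c}" for t, c in app.icmp_mappings]
    lines += [f"{a} ip-protocol-mapping protocol {p}" for p in app.ip_protocol_mappings]
    for sig in app.signatures:
        s = f"{a} over {sig.over} signature {sig.name}"
        lines.append(f"{s} order-priority {sig.order_priority}")
        if sig.protocol:
            lines.append(f"{s} protocol {sig.protocol}")
        if sig.chain_order:
            lines.append(f"{s} chain-order")
        for m in sig.members:
            mm = f"{s} member {m.name}"
            if m.order is not None:
                lines.append(f"{mm} order {m.order}")
            lines.append(f'{mm} pattern "{m.pattern}"')
            lines.append(f"{mm} direction {m.direction}")
            if m.check_bytes is not None:
                lines.append(f"{mm} check-bytes {m.check_bytes}")
    return lines


def example_app() -> CustomApp:
    """The my:http application, using the values from the procedure's own examples."""
    return CustomApp(
        name="my:http", description="Test application", alt_name="my:http-app",
        cacheable=True, compatibility="17.1", tags={"traffic-type": "video-stream"},
        icmp_mappings=[(33, 34)], ip_protocol_mappings=[103],
        signatures=[Signature(
            name="myl3l7", over="http", order_priority="high", protocol="http",
            members=[Member("m01", r"www\.facebook\.net", "any", order=1, check_bytes=5000)],
        )],
    )


if __name__ == "__main__":
    print("\n".join(render(example_app())))
```

Running the script prints the `set` statements you can paste into configuration mode in one go; appending a forbidden protocol such as 6 to `ip_protocol_mappings` makes `render` raise before anything reaches the router, which is the same failure the page describes as a commit error, caught one step earlier.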