
Add Application Signatures

You are here: Security Policies & Objects > Dynamic Applications.

To add an application signature:

  1. Click Create > Signature on the upper-right corner of the Dynamic Applications page.

    The Create Application Signatures page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.
Table 1: Fields on the Add Application Signatures Page

Field

Action

Name

Enter the application signature name.

Description

Enter the application signature description.

Order

Enter the order of the custom application.

Lower order has higher priority.

The range is 1 through 50,000.

Priority

Enter the priority over other signature applications.

Select an option from the list:

  • High

  • Low

By default, the priority for the custom application is set to Low. This allows a predefined application to take precedence. If you want to override a predefined application, you must set the priority to High.

Risk

Enter the risk as critical, high, moderate, low, or unsafe.

Application Identification match criteria

Select one or more options from the list:

  • ICMP Mapping

  • IP Protocol Mapping

  • Address Mapping

  • L7 Signature

ICMP Mapping

Select a value from the list.

  • ICMP Type—Select the numeric value of an ICMP type. The type identifies the ICMP message, such as Unassigned or Destination Unreachable.

    The range is from 0 through 254.

  • ICMP Code—Select the numeric value of an ICMP code. The code field provides further information (such as RFCs) about the associated type field.

    The range is from 0 through 254.

IP Protocol Mapping

Select the numeric value of an ICMP type. The type identifies the ICMP message, such as Unassigned or Destination Unreachable.

The range is from 0 through 254.

Address Mapping

To add a new address mapping:

  1. Click Add.

    The Add Address Mapping page appears.

    Enter the following details:

    • Name—Enter the name of the address mapping.

    • IP Address—Enter an IPv4 or IPv6 address.

    • CIDR Range—Enter an IPv4 or IPv6 address prefix for classless IP addressing.

    • TCP Port range—Enter the TCP port range for the application.

    • UDP Port Range—Enter the UDP port range for the application.

  2. Click the pencil icon at the upper-right corner of the Address Mapping table. Then, edit the address mapping and click OK.

  3. To delete an existing Address Mapping, select it and click the delete icon or right-click on it and click Delete.

L7 Signature

Cacheable

Set this option to True only when L7 signatures are configured in a custom signature. This option is not supported for address-based, IP protocol-based, and ICMP-based custom application signatures.

Add L7 Signature

Click the Add L7 Signature list and select one of the following options:

  • Over HTTP

  • Over SSL

  • Over TCP

  • Over UDP

The Add Signature page appears.

Add Signature

Over Protocol

Displays the signature that matches the application protocol.

Example: HTTP

Signature Name

Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

Port Range

Enter the port range for the application.

The range is 0 through 65535.

Add Members

Custom signatures can contain multiple members that define attributes of an application. The supported member name range is m01 through m15.

+

Click + to create a member.

Context (Over HTTP)

Select the service-specific context from the following list:

  • http-get-url-parsed-param-parsed

  • http-header-content-type

  • http-header-cookie

  • http-header-host

  • http-header-user-agent

  • http-post-url-parsed-param-parsed

  • http-post-variable-parsed

  • http-url-parsed

  • http-url-parsed-param-parsed

Context (Over SSL)

Select the service-specific context as ssl-server-name.

Context (Over TCP)

Select the service-specific context as stream.

Context (Over UDP)

Select the service-specific context as stream.

Direction

Select the direction of the packet flow to match the signature:

  • any—The direction of the packet flow can either be from the client-side to the server-side or from the server-side to the client-side.

  • client-to-server—The direction of packet flow is from the client-side to the server-side.

  • server-to-client—The direction of packet flow is from the server-side to the client-side.

Depth

Enter the maximum number of bytes to check for a context match. AppID uses this byte limit to identify a custom application pattern for applications running over TCP or UDP, or for Layer 7 applications.

The range is 1 through 8000. If not explicitly configured, Depth is set to 1000 by default.

Note:

Starting in Junos OS Release 20.2R1, the Depth option is supported.

Pattern

Enter the deterministic finite automaton (DFA) pattern to match against the context. The DFA pattern specifies the pattern to be matched for the signature. The maximum length is 128.
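The limits in Table 1 can be checked before a signature is typed into the page. The following is an added example, not Juniper code: the dictionary layout, the function name `lint_application`, and the finding messages are assumptions of this example, and the pattern length is assumed to be counted in characters.

```python
import re

# Limits come from Table 1; the dict layout and messages are assumptions of this example.
NAME_RE = re.compile(r"[A-Za-z0-9:._-]{1,63}")
MEMBER_RE = re.compile(r"m(0[1-9]|1[0-5])")  # m01 through m15
CONTEXTS = {
    "HTTP": {"http-get-url-parsed-param-parsed", "http-header-content-type",
             "http-header-cookie", "http-header-host", "http-header-user-agent",
             "http-post-url-parsed-param-parsed", "http-post-variable-parsed",
             "http-url-parsed", "http-url-parsed-param-parsed"},
    "SSL": {"ssl-server-name"}, "TCP": {"stream"}, "UDP": {"stream"}}
DIRECTIONS = {"any", "client-to-server", "server-to-client"}


def lint_application(app):
    """Return findings for one custom application definition (empty list = clean)."""
    out = []
    if not 1 <= app.get("order", 0) <= 50000:
        out.append("order: must be 1 through 50,000")
    if app.get("priority", "Low") == "High":
        out.append("priority: High overrides predefined applications")
    sigs = app.get("l7_signatures", [])
    if app.get("cacheable") and not sigs:
        out.append("cacheable: True is only supported with L7 signatures")
    for sig in sigs:
        name, over = sig.get("name", ""), sig.get("over")
        if not NAME_RE.fullmatch(name):
            out.append(f"{name!r}: name must be 1-63 characters from [A-Za-z0-9:._-]")
        lo, hi = sig.get("port_range", (0, 65535))
        if not 0 <= lo <= hi <= 65535:
            out.append(f"{name}: port range must lie within 0-65535")
        allowed = CONTEXTS.get(over, set())
        for mname, m in sig.get("members", {}).items():
            checks = [  # pattern length is assumed to be counted in characters
                (MEMBER_RE.fullmatch(mname), "member names run m01 through m15"),
                (m.get("context") in allowed, f"context not offered over {over}"),
                (m.get("direction") in DIRECTIONS, "unknown direction"),
                (1 <= m.get("depth", 1000) <= 8000, "depth must be 1 through 8000"),
                (1 <= len(m.get("pattern", "")) <= 128, "pattern must be 1-128 long"),
            ]
            out += [f"{name}/{mname}: {msg}" for ok, msg in checks if not ok]
    return out


# Constructed sample: an SSL signature that reuses an HTTP context and exceeds Depth.
SAMPLE = {"order": 100, "priority": "High", "cacheable": True, "l7_signatures": [
    {"name": "corp-portal", "over": "SSL", "port_range": (443, 443), "members": {
        "m01": {"context": "http-header-host", "direction": "client-to-server",
                "depth": 9000, "pattern": "portal.example.com"}}}]}
```

Calling `lint_application(SAMPLE)` reports the High priority override, the HTTP context used over SSL, and the out-of-range Depth.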

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
20.2R1
Starting in Junos OS Release 20.2R1, the Depth option is supported.