Configure Applications for SRX Series Firewalls

Applications represent traffic destinations. On Juniper® SRX Series Firewall, applications determine the destination used in a security policy.

Applications are the services or apps that your network users will connect to in a Juniper Mist WAN Assurance design. You can define these applications manually in the Juniper Mist™ cloud portal. You define applications by selecting the category (such as Social Media) or selecting individual applications (such as Microsoft Teams) from a list. Another option is to use the predefined list of common traffic types. You can also create a custom application to describe anything that is not otherwise available.

For users to access applications, you must first define the applications and then use application policies to permit or deny access. That is, you associate these applications with users and networks and then assign a traffic-steering policy and access rule (allow or deny).

Configure Applications

To configure applications:

  1. In the Juniper Mist portal, click Organization > WAN > Applications.
    A list of existing applications, if any, appears.
  2. Click Add Applications in the upper right corner.
    The Add Application window appears.
    Tip: When working on configuration screens, look for the VAR indicators. Fields with this indicator allow site variables.

    Fields with this label also display the matching variables (if configured) as you start typing a variable name in them. The list includes variables from all sites within the organization.

    The organization-wide list of variables can be viewed using GET /api/v1/orgs/:org_id/vars/search?var=*. This list is populated as variables are added under site settings.

    Table 1 summarizes the options you can set in an application configuration.
    Table 1: Application Options

    | Fields | Description |
    |---|---|
    | Name | Enter a unique name for the application. You can use up to 32 characters, including alphanumerics, underscores, and dashes. |
    | Description | Enter a description of the application and context. |
    | Type | Select the application type: Custom applications, Predefined applications, URL categories, or Custom URLs. |
    | IP Address | (For custom applications) Enter the network IP address, including prefix (if any), of the application. |
    | Domain Name | Enter the domain name of the application. The domain name is used in cloud breakout profiles to generate the fully qualified domain name (FQDN). The cloud security providers use the FQDN to identify the IPsec tunnels. For example, juniper.example.com. |
    | Protocol and Port Ranges | (For custom applications) Enter details about protocols, protocol numbers, and port ranges (start and end ports) that the application is using. Note: Click the blue Add (+) icon to select multiple protocols. |
    | Traffic Type | Configure the optional advanced traffic type settings, which include: traffic type, failover policy, traffic class, maximum latency, and maximum jitter. |
  3. Complete the configuration according to the details provided in Configure Applications with Custom Applications.
    If you want to create applications with predefined applications, URL categories, or custom URLs, go to the following sections:

Configure Applications with Custom Applications

Juniper Mist cloud enables you to define your own custom applications with destination IP addresses or domain names.

When defining custom applications, you can:

  • Use multiple destination IP addresses or domain names separated by a comma to define a single application.

  • Select a protocol (any, TCP, UDP, ICMP, GRE, or custom) and port range to narrow down your selection. This option enables the system to identify the destination at a granular level.

  • Define a prefix of 0.0.0.0/0 with protocol “any”. A prefix of 0.0.0.0/0 with protocol “any” resolves to any host within the Juniper Mist WAN Assurance policy.

To define custom applications:
  1. In the Juniper Mist cloud portal, under the Add Application pane, select the Type as Custom Apps.
  2. Create a custom application using IP prefixes. Complete the configuration according to the details provided in Configure Applications with Custom Applications.
    Table 2: Custom Application Configuration

    | Custom Application | IP Address | Description |
    |---|---|---|
    | ANY | 0.0.0.0/0 | A wildcard IP address. The IP address 0.0.0.0 also serves as a placeholder address. |
    | SPOKE-LAN1 | 10.0.0.0/8 | A match criterion for all IP addresses inside the corporate VPN. |
    | HUB1-LAN1 | 10.66.66.0/24 | A match criterion for all IP addresses attached at the LAN interface of the Hub1 device. |
    | HUB2-LAN1 | 10.55.55.0/24 | A match criterion for all IP addresses attached at the LAN interface of the Hub2 device. |

    Use IP prefixes when configuring applications. Ensure that you keep the configuration separate for applications and application identification (which might be required at a later stage).

    Tip:

    The Juniper Mist cloud portal assigns an IP address directly or indirectly to all LAN interfaces of hub-and-spoke devices. In the beginning, you may use only a few IP prefixes, such as 10.77.77.0/24 + 10.88.88.0/24 + 10.99.99.0/24, and you might want to create a custom application for these addresses only. But at a later stage, you might have many more interfaces. So, as a good practice, create applications with a wildcard match criterion IP prefix (such as 10.0.0.0/8). A wildcard match allows easy extension without a need to change the ruleset in your environment.

  3. Click Save. The Applications page displays the list of all applications you created.
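
The following Python sketch is an added example, not Juniper code. It audits custom application definitions against the rules in Table 1 and reports which applications in Table 2 and the Tip fall inside a broader prefix. The dictionary layout, the BRANCH-LANS name and the finding labels are assumptions made for illustration; they are not a Mist API schema.

```python
import ipaddress
import re

# Naming rule from Table 1: up to 32 characters; alphanumerics, underscores, dashes.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample: the Table 2 rows plus one application built from the
# Tip's three /24 prefixes. The dict layout is hypothetical, not a Mist schema.
APPS = [
    {"name": "ANY", "addresses": "0.0.0.0/0", "protocol": "any"},
    {"name": "SPOKE-LAN1", "addresses": "10.0.0.0/8", "protocol": "any"},
    {"name": "HUB1-LAN1", "addresses": "10.66.66.0/24", "protocol": "any"},
    {"name": "HUB2-LAN1", "addresses": "10.55.55.0/24", "protocol": "any"},
    {"name": "BRANCH-LANS", "protocol": "tcp",
     "addresses": "10.77.77.0/24, 10.88.88.0/24, 10.99.99.0/24"},
]

def parse_prefixes(addresses):
    """Split a comma-separated address field into networks.
    strict=True rejects host bits below the mask (10.0.0.8/8 is an error)."""
    return [ipaddress.ip_network(p.strip(), strict=True)
            for p in addresses.split(",") if p.strip()]

def covers(wide, narrow):
    """True if every prefix in `narrow` sits inside some prefix in `wide`."""
    return all(any(n.version == w.version and n.subnet_of(w) for w in wide)
               for n in narrow)

def audit(apps):
    """Return (application, finding) pairs for names, prefixes and overlaps."""
    findings, parsed = [], {}
    for app in apps:
        name = app["name"]
        if not NAME_RE.fullmatch(name):
            findings.append((name, "invalid-name"))
        try:
            parsed[name] = parse_prefixes(app["addresses"])
        except ValueError:
            findings.append((name, "invalid-prefix"))
            continue
        if app["protocol"] == "any" and any(n.prefixlen == 0 for n in parsed[name]):
            findings.append((name, "matches-any-host"))
    for name, nets in parsed.items():
        for other, wide in parsed.items():
            # Report strict containment only, never an application against itself.
            if nets and other != name and covers(wide, nets) and not covers(nets, wide):
                findings.append((name, "inside:" + other))
    return findings

if __name__ == "__main__":
    for name, finding in audit(APPS):
        print(f"{name:12} {finding}")
```

The containment check compares address space only; it does not take protocol or port ranges into account.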

Configure Applications with Predefined Applications

Juniper Mist cloud provides a list of known applications that you can use to define an application.

To configure predefined applications:

  1. In the Mist portal, in the Add Application pane, select the Type as Apps.
  2. Click the Add (+) icon to display the list of available predefined applications.
    Figure 1: Predefined Applications
    Applications that are specific only to SRX Series devices are marked as 'SRX Only'.
  3. Select one or more applications from the drop-down menu.
  4. Click Add to save your changes.

Configure Applications with URL Categories

Juniper Mist cloud provides a list of URL categories based on types (for example, shopping or sports) and grouped by severity (all, standard, strict). You can use the URL categories to define an application. URL categories offer granular filtering for application creation. You can select one or more URL categories for an application.

To define URL categories:

  1. In the Mist portal, in the Add Application pane, select the Type as URL Categories.
  2. Click the Add (+) icon to display the list of available URL categories.
    Figure 2: URL Categories
    Select one or more URL category groups or URL categories.
  3. Click Add to save your changes.

Configure Applications with Custom URLs

Juniper Mist allows you to create custom URL-based applications. With custom URLs, you can create a list of wildcard domains, which can be used to permit or block traffic.

To define custom URLs:

  1. In the Mist portal, in the Add Application pane, select the Type as Custom URLs.
  2. Enter the custom URLs. Use a comma separator if you need to specify multiple URLs.

    Mist supports only the asterisk (*) wildcard pattern. You can specify up to 15 URL patterns for an application. You can view the supported patterns by hovering the mouse over the tooltip icon. Note that you can use the https://abc.com pattern only for SRX Series devices.

    Figure 3: Custom URLs
  3. Click Add to save your changes.
    Note:

    You can also edit an existing application to include custom URL patterns.