Enable Application Visibility on SRX Series Firewalls
The Juniper Networks Application Security (AppSecure) feature is a suite of application-aware security services for the Juniper Networks® SRX Series Firewalls. AppSecure enables you to see the applications on your network and learn how they work. It enables you to observe their behavioral characteristics and assess their relative risk, which allows the Juniper Mist™ cloud to track and report applications passing through the device.
Before You Begin
Consult this list to ensure that you have the licenses and application signatures necessary to enable application visibility.
-
You need a valid AppSecure license on your SRX Series Firewall to use the feature. Use the
show system licensecommand to check if your device has the license. For details about license requirements and installation, see Juniper Licensing User Guide. -
We recommend using the latest version of application signatures. To install the latest version of application signatures, run the following commands on your device:
-
Download the application signature package version on your device. The command downloads the latest version of the package.
user@host> request services application-identifications download Please use command "request services application-identification download status" to check status
user@host> request services application-identifications download status Application package 3410 is downloaded successfully.
-
Install the application signature package version on your device.
user@host> request services application-identification install Please use command "request services application-identification install status" to check status and use command "request services application-identification proto-bundle-status" to check protocol bundle status
-
Verify the application signature package version installed on your device.
user@host> show services application-identification version Application package version: 3410
For more details, see Predefined Application Signatures for Application Identification.
You can see the application signature version in the Juniper Mist cloud portal of your device under the SECURITY SERVICES panel.
Figure 1: Check Application Security (AppSecure) Version
-
Enable Application Visibility While Assigning a Device to the Site
Application visibility provides insight into applications running on the network. You can analyze applications running on the network for performance and assurance.
You can enable or disable application visibility on your SRX Series Firewall in the Juniper Mist cloud portal by checking or unchecking the My SRX devices have an App Track License option.
To enable application visibility while assigning a device to a site:
-
Click the Adopt WAN Edges button.
Figure 2: WAN Edge Adoption Commands
Juniper Mist generates a code snippet in the WAN Edge Adoption window.
-
Select one of the options for the application tracking (AppTrack) license.
Figure 3: Check the AppTrack License Option
-
Use site setting for App Track license—Enable application visibility under site setting options.
-
Device has an App Track license—Application visibility is already enabled on the device.
-
Device does NOT have an App Track license—The device does not have application security license.
If you selected the Use site setting for App Track license option, continue with the following steps:
-
Navigate to Organization > Site Configurations and select your site.
-
Scroll down to the WAN Edge Advanced Security pane.
-
Check or uncheck the box next to My SRX devices have an App Track license
Figure 4: Check the AppTrack License Option
- Check the box to enable application visibility.
- Uncheck the box to disable application visibility.
-
For the Log Source Interface option, provide the IP address of an interface of your SRX Series Firewall. Ensure that the interface has connectivity to the cloud or Internet. This interface acts as the source address for log messages for the application session records.
-
-
If you selected either Device has an App Track
license or Device does NOT have an App Track
license, ensure that the same option is reflected on the
Gateways tab in the Application Visibility
pane.
Figure 5: Set the AppTrack License Option
-
-
The “gateway_mgmt“: {“app_usage“: True} message indicates that the check box is selected.
-
The “gateway_mgmt“: {“app_usage“: False} message indicates that the check box is not selected.
Example:
GET /api/v1/sites/232527fe-4126-40bb-8c78-2c8d1dfed043/setting HTTP 200 OK Allow: OPTIONS, GET, PUT Content-Type: application/json Vary: Accept { "switch_mgmt": { "root_password": "mist123" }, <<< API OUTPUT TRIMMED >>> "zone": { "autozones_enabled": false, "autozones_rssi": -70 }, "gateway_mgmt": { "app_usage": true, "security_log_source_interface": "ge-0/0/0" }, "id": "86f13595-9599-48a7-8c26-ad98a702b9e5", "for_site": true, "site_id": "232527fe-4126-40bb-8c78-2c8d1dfed043", "org_id": "001f3ef8-d69d-4780-b9c3-7a1f3cb123f0", "created_time": 1599493540, "modified_time": 1600069580 -
If you did not select the site settings option, the
gateway_mgmt section will not be present in the device
API.
Enable Application Visibility on an SRX Series Firewall Already Assigned to a Site
If you did not enable application visibility while assigning the device to a site, you can enable it later.
To enable application visibility on an SRX Series Firewall that you already assigned to a site:
-
Scroll down to the WAN Edge Advanced Security
pane.
Figure 6: Check the AppTrack License Option