Configure Application Policies on Session Smart Routers

Application policies are the security policies in the Juniper WAN Assurance design: they define which networks and users can access which applications, and under which traffic-steering policy. Before you define application policies, you create networks, applications, and traffic-steering profiles. You then use these objects as matching criteria to allow or block access to applications or destinations.

In the Juniper Mist™ cloud portal, the Networks or Users setting determines the source zone. The Applications + Traffic Steering setting determines the destination zone.

Notes about application policies on Juniper® Session Smart™ Routers:

  • You can define application policies in one of three places: at the organization level, inside a WAN edge template, or inside a hub profile.

  • When you define an application policy at the organization level, you can import and use the policy in multiple WAN edge templates or hub profiles. That is, you follow the "define once, use multiple times" model.

  • When you define an application policy directly inside a WAN edge template or hub profile, the scope of the policy is limited to that template or profile only. You cannot reuse the policy in other templates or profiles.

  • Mist evaluates and applies policies in the order of their appearance in the policies list.

Configure Application Policies

To configure application policies:

  1. In Juniper Mist cloud portal, select Organization > WAN > Application Policy to create a policy at the organization level.
    To create the policy at the WAN edge template or hub profile level instead, select Organization > WAN > WAN Edge Templates or Hub Profile, and then select the required template or profile.
  2. Scroll down to the Application Policies section, and click the Add Application Policy button.
    Note:

    You can import a global policy into the WAN Edge template or hub profile by clicking the Import Application Policy option.

    The Juniper Mist cloud portal displays imported policies in gray to distinguish them from local policies defined in the template or profile.

  3. Click the new field under the Name column and give the policy a name and then click the blue check mark to apply your changes.

    Figure 1 shows the options that are available to you when you configure an application policy.

    Figure 1: Application Policy Configuration Options
    Table 1 explains the configuration options available for an application policy.
    Table 1: Application Policy Options

    No.
    Abbreviation for number. Indicates the position of the application policy in the list. Mist evaluates and applies policies by position, that is, in the order in which they are listed.
    For Session Smart Routers, the policy order does not determine which policy is applied. As good practice, place the global (imported organization-level) policies at the end of the policy list.

    Name
    Name of the application policy. You can use up to 32 characters, including alphanumerics, underscores, and dashes.

    Network/User
    Networks and users that are the source of the request. Select a network from the list of defined networks. If you have associated a user with the network, the Mist portal lists it in user.network format in the drop-down menu.

    Action
    Policy action. Select one of:

    • Allow

    • Block

    Application/Destination
    Destination endpoint. Applications determine the destinations used in a policy. Select from the list of already defined applications.

    IDP
    (Optional) Intrusion Detection and Prevention (IDP) profile. Select one of:

    • Standard—The default profile, representing the set of IDP signatures and rules recommended by Juniper Networks. When an attack is detected, the actions are: close the client and server TCP connection, and drop the current packet and all subsequent packets.

    • Strict—Contains a similar set of IDP signatures and rules as the Standard profile. When the system detects an attack, the profile actively blocks the malicious traffic or other attacks detected in the network.

    • Alert—Generates an alert only and takes no further action. Suitable only for low-severity attacks. The IDP signatures and rules are the same as in the Standard profile.

    • None—No IDP profile applied.

    The IDP profile applied in an application policy inspects the traffic that the policy allows, to detect and prevent intrusions.

    Traffic Steering
    Traffic-steering profile. The profile defines the path or paths that matched traffic takes. A steering profile is required to deploy the policy to a WAN edge spoke device or to a hub device.

    Note:

    The No. (order number) and Traffic Steering fields are not available for organization-level application policies. When you define an application policy directly inside a WAN edge template or hub profile, you must specify the order number and traffic-steering options.

  4. Complete the configuration according to the details in Table 2.

    Table 2: Application Policy Examples

    No.  Policy Name             Network/User            Application/Destination   Action
    1    Spoke-to-Hub-DMZ        SPOKE-LAN1              HUB1-LAN1 and HUB2-LAN1   Allow
    2    Spoke-to-Spoke-via-hub  SPOKE-LAN1              SPOKE-LAN1                Allow
    3    Hub-DMZ-to-Spoke        HUB1-LAN1 and HUB2-LAN1 SPOKE-LAN1                Allow
    4    Internet-via-Hub-CBO    SPOKE-LAN1              Any                       Allow
  5. Click Save.

    Figure 2 shows the list of newly created application policies.

    Figure 2: Application Policies Summary

Reordering and Deleting Application Policies

Reordering lets you move application policies within the list after you have created them.

Because Mist evaluates and applies policies in the order of their appearance in the policies list, be aware of the following:

  • Policy order is important, because policy evaluation starts from the top of the list.

  • New policies go to the end of the policy list.

Select a policy and use the Up Arrow or Down Arrow to change its position. You can change the policy order at any time.

Figure 3: Changing Policy Order

To delete an application policy, select the policy you want to delete, and then click Delete, which appears at the top right of the pane.

Using Same IP Addresses/Prefixes in Networks and Applications

In the application policies configuration, Network/Users belong to the source zone, and Applications/Destination belong to the destination zone.

You can use the same IP addresses and prefixes for both networks and applications when you define them for different purposes; that is, they act as a source in one policy and as a destination in another policy.

Consider the policies in Figure 4.

Figure 4: Application Policies Details

Here, the Network/Users entry SPOKE-LAN1 carries the prefix 192.168.200.0/24 of a spoke LAN interface. The screenshot shows the following policies using the same network in different ways:

  • Spoke-to-Spoke-via-Hub—This policy allows inbound and outbound spoke-to-spoke traffic through a hub. Here, we defined SPOKE-LAN1 as both a network and as an application.

  • Spoke-to-Hub-DMZ—This policy allows spoke-to-hub traffic. Here, we defined SPOKE-LAN1 as a network.

  • Hub-DMZ-to-Spoke—This policy allows hub-to-spoke traffic. Here, we defined SPOKE-LAN1 as an application.
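As an added example (not Juniper's code, and not a description of how the SSR evaluates policies internally), the following Python script models the four Table 2 policies with the first-match-by-position semantics that the reordering section describes. It reuses the SPOKE-LAN1 prefix 192.168.200.0/24 on both the network and the application side, as this section describes, and adds a check for policies that an earlier policy shadows, which is the practical reason to care about position. The HUB1-LAN1 and HUB2-LAN1 prefixes, the Blocked-Destinations application, the IDP profile assignments, and treating unmatched traffic as blocked are assumptions made for the example.

```python
"""Added example (not Juniper code): a model of application-policy matching.

It reuses the Table 2 policies and the SPOKE-LAN1 prefix 192.168.200.0/24 from
the page; every other prefix, the Blocked-Destinations application and the IDP
assignments are assumed values for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Networks (source zone) and applications (destination zone). The same prefixes
# appear on both sides, as the page describes for SPOKE-LAN1.
NETWORKS = {
    "SPOKE-LAN1": [ip_network("192.168.200.0/24")],  # prefix from the page
    "HUB1-LAN1": [ip_network("10.66.1.0/24")],       # assumed
    "HUB2-LAN1": [ip_network("10.66.2.0/24")],       # assumed
}
APPLICATIONS = {
    "SPOKE-LAN1": NETWORKS["SPOKE-LAN1"],
    "HUB1-LAN1": NETWORKS["HUB1-LAN1"],
    "HUB2-LAN1": NETWORKS["HUB2-LAN1"],
    "Any": [ip_network("0.0.0.0/0")],
    "Blocked-Destinations": [ip_network("203.0.113.0/24")],  # assumed
}


@dataclass(frozen=True)
class Policy:
    no: int                 # position in the list (the No. column)
    name: str
    networks: tuple         # Network/User names (sources)
    applications: tuple     # Application/Destination names
    action: str             # "Allow" or "Block"
    idp: str = "None"       # IDP profile; applies to allowed traffic only


POLICIES = [
    Policy(1, "Spoke-to-Hub-DMZ", ("SPOKE-LAN1",), ("HUB1-LAN1", "HUB2-LAN1"), "Allow", "Standard"),
    Policy(2, "Spoke-to-Spoke-via-hub", ("SPOKE-LAN1",), ("SPOKE-LAN1",), "Allow"),
    Policy(3, "Hub-DMZ-to-Spoke", ("HUB1-LAN1", "HUB2-LAN1"), ("SPOKE-LAN1",), "Allow"),
    Policy(4, "Internet-via-Hub-CBO", ("SPOKE-LAN1",), ("Any",), "Allow", "Strict"),
]


def _prefixes(names, table):
    return [p for n in names for p in table[n]]


def evaluate(policies, src, dst):
    """First policy, by position, whose source and destination contain the
    addresses. Returns (policy name, action, effective IDP profile). Traffic
    matching no policy is reported as blocked (a modelling choice here)."""
    s, d = ip_address(src), ip_address(dst)
    for pol in sorted(policies, key=lambda p: p.no):
        if (any(s in p for p in _prefixes(pol.networks, NETWORKS))
                and any(d in p for p in _prefixes(pol.applications, APPLICATIONS))):
            return pol.name, pol.action, pol.idp if pol.action == "Allow" else "None"
    return None, "Block", "None"


def shadowed(policies):
    """Names of policies that can never match because, for every
    (source prefix, destination prefix) pair they list, a single earlier
    policy already covers both. Conservative: coverage split across several
    earlier policies is not detected."""
    ordered = sorted(policies, key=lambda p: p.no)
    dead = []
    for i, pol in enumerate(ordered):
        pairs = [(s, d) for s in _prefixes(pol.networks, NETWORKS)
                 for d in _prefixes(pol.applications, APPLICATIONS)]

        def covered(s, d, earlier=ordered[:i]):
            return any(
                any(s.subnet_of(q) for q in _prefixes(e.networks, NETWORKS))
                and any(d.subnet_of(q) for q in _prefixes(e.applications, APPLICATIONS))
                for e in earlier)

        if pairs and all(covered(s, d) for s, d in pairs):
            dead.append(pol.name)
    return dead


def move(policies, name, new_no):
    """Renumbered copy with `name` at 1-based position `new_no`, mirroring the
    Up Arrow and Down Arrow in the portal."""
    rest = [p for p in sorted(policies, key=lambda p: p.no) if p.name != name]
    rest.insert(new_no - 1, next(p for p in policies if p.name == name))
    return [replace(p, no=i) for i, p in enumerate(rest, 1)]


if __name__ == "__main__":
    print(evaluate(POLICIES, "192.168.200.10", "10.66.1.5"))
    block = Policy(5, "Block-Bad-Destinations", ("SPOKE-LAN1",), ("Blocked-Destinations",), "Block")
    print(shadowed(POLICIES + [block]))      # appended after the Any allow: dead
    fixed = move(POLICIES + [block], "Block-Bad-Destinations", 4)
    print(shadowed(fixed), evaluate(fixed, "192.168.200.10", "203.0.113.9"))
```

The script shows the two points of this section in one run: the same SPOKE-LAN1 prefix matches as a source in Spoke-to-Hub-DMZ and as a destination in Hub-DMZ-to-Spoke, and a Block policy appended after the Internet-via-Hub-CBO allow for Any never matches until it is moved above it.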

Monitoring Breakout Paths (Beta)

You can monitor breakout paths with the Application Routing Visibility graph on the Application Policy dashboard.

Note:

This feature is available to Beta participants only.

SSR devices switch local breakout traffic from one path to another when the current path does not meet the SLA requirements associated with the application for link latency, jitter, and loss.

The SSR devices compare the SLA parameters (latency, jitter, and loss) for all the local breakout paths against the thresholds configured for these parameters for each application. Whenever a set threshold is breached (that is, a local breakout path fails to meet the associated SLA requirements), the traffic shifts to another path based on the traffic steering configuration. Any such shifts in traffic are displayed on the Application Routing Visibility graph on the Application Policy dashboard.

In the following example, you see a traffic shift from the ge-0/0/3 interface to the ge-0/0/5 interface due to an SLA threshold breach.

Application Routing Visibility Graph
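As an added example (not SSR code, and not the device's actual algorithm), the following Python script models the behaviour this section describes: each local breakout path's latency, jitter, and loss are compared against per-application thresholds, and when the current path breaches any of them, traffic shifts to the next compliant path in steering-preference order, producing the kind of shift event the Application Routing Visibility graph displays. The thresholds, the steering preference, and the per-interval measurements are constructed values; only the interface names ge-0/0/3 and ge-0/0/5 come from the page.

```python
"""Added example (not SSR code): SLA-driven local-breakout path selection.

Thresholds, steering preference and the per-interval measurements below are
constructed values; only the interface names ge-0/0/3 and ge-0/0/5 come from
the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class PathSample:
    name: str           # interface carrying the local breakout path
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def breaches(sample, sla):
    """Parameters of one path that exceed their thresholds, in fixed order."""
    checks = (("latency", sample.latency_ms, sla.max_latency_ms),
              ("jitter", sample.jitter_ms, sla.max_jitter_ms),
              ("loss", sample.loss_pct, sla.max_loss_pct))
    return [label for label, value, limit in checks if value > limit]


def select_path(current, samples, sla, preference):
    """Keep the current path while it meets the SLA; otherwise move to the first
    path, in steering-preference order, that does. Returns (chosen interface,
    event text or None). Staying on a compliant path instead of failing back to
    the preferred one avoids flapping; failback is a separate policy choice."""
    by_name = {s.name: s for s in samples}
    failed = breaches(by_name[current], sla)
    if not failed:
        return current, None
    for name in preference:
        cand = by_name.get(name)
        if cand is not None and name != current and not breaches(cand, sla):
            return name, f"shift {current} -> {name}: {', '.join(failed)} over threshold"
    return current, f"no compliant path; staying on {current}"


def simulate(intervals, sla, preference, start):
    """Run select_path over successive measurement intervals; returns the
    final path and the list of (interval index, event) entries."""
    current, events = start, []
    for t, samples in enumerate(intervals):
        current, event = select_path(current, samples, sla, preference)
        if event:
            events.append((t, event))
    return current, events


# Constructed data: a voice-like SLA and three polling intervals in which
# ge-0/0/3 degrades in the second interval and recovers in the third.
VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
PREFERENCE = ["ge-0/0/3", "ge-0/0/5"]
INTERVALS = [
    [PathSample("ge-0/0/3", 40, 5, 0.0), PathSample("ge-0/0/5", 60, 8, 0.1)],
    [PathSample("ge-0/0/3", 210, 45, 2.5), PathSample("ge-0/0/5", 65, 9, 0.1)],
    [PathSample("ge-0/0/3", 45, 6, 0.0), PathSample("ge-0/0/5", 62, 8, 0.0)],
]

if __name__ == "__main__":
    final, events = simulate(INTERVALS, VOICE_SLA, PREFERENCE, "ge-0/0/3")
    print(final, events)
```

Running the script yields a single shift from ge-0/0/3 to ge-0/0/5 in the second interval, naming the breached parameters; the third interval produces no event because ge-0/0/5 still meets the SLA. Whether traffic should return to the preferred path once it recovers is left to the steering configuration, which this model does not attempt to reproduce.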