Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating Application Signatures

Application identification supports custom application signatures to detect applications as they pass through the device. When you configure custom signatures, make sure that your signatures are unique. Use the Create Application Signature page to create custom application signatures for applications based on ICMP, IP protocol, IP address, and Layer 7.

Before you begin creating the custom application signatures:

  • Make sure you have downloaded the application signature database package.

  • The SRX Series device must be running Junos OS Release 15.1X49-D40 or later.

To create the custom application signatures:

  1. Select Configure > Application Firewall Policy > Signatures.

    The Application Signatures Page appears.

  2. From the Create list, select Signature.

    The Create Application Signature page appears.

  3. Complete the configuration by using the guidelines in Table 1.
  4. Click OK to complete the configuration or Cancel to discard the configuration.
Table 1: Fields on the Create Application Signature Page

Field

Description

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Description

Enter a description for the custom application signature; maximum length is 255 characters.

Order

Specify the order for the custom application. Lower order has higher priority.

This option is used when multiple custom applications of the same type match the same traffic. However, you cannot use this option to prioritize among different type of applications such as TCP stream-based applications against TCP port-based applications or IP address-based applications against port-based applications.

Priority

Select the priority from the list over other signature applications.

ICMP Mapping

ICMP Type

Specify the Internet Control Message Protocol (ICMP) value for an application to match. The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. This mapping technique lets you differentiate between various types of ICMP messages.

Select the numerical value of an ICMP type. The type field identifies the ICMP message.

ICMP Code

Select the numerical value of an ICMP code. The code field provides further information about the associated type field.

IP Protocol Mapping

IP Protocol

Select the IP protocol value for an application to match. Standard IP protocol numbers can map an application to IP traffic. To ensure an adequate security similar to address mapping, use IP protocol mapping only in your private network for trusted servers.

Address Mapping

Add Address Mapping

Use the Add Address Mapping page to create an address mapping that defines an application by the IP address and the port range of the traffic.

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

IP Address

Enter an IPv4 or IPv6 address of the application for address mapping.

CIDR

Enter an IPv4 or IPV6 address prefixes for a classless addressing.

TCP Port Range

Enter the TCP port range for the application. Example: 1-200.

UDP Port Range

Enter the UDP port range for the application. Example: 1-200.

L7 Signature

Cacheable

Set this option to TRUE to enable caching of application identification results. By enabling this option, you can cache the application detection result in an ASC table. If there is an entry in the ASC table, based on the destination IP address, protocol, and the port, you can identify AppID without sending the packet again to engine.

Add L7 Signature

Select a protocol over which L7 signatures are added. The available options are:

  • Over HTTP

  • Over SSL

  • Over TCP

  • Over UDP

Over Protocol

Shows the type of protocol that you have selected to add the L7 signature.

Signature Name

Enter the name of the custom application signature; maximum length is 63 characters.

Port Range

Enter the port range for the selected protocol. Range is 1-65535.

Add Members

Click the + sign to add members for a custom application signature. You can add maximum of 15 members.

Member Name

Member name for a custom application signature. Custom signatures can contain multiple members that define attributes for an application. (The supported member name range is m01 through m15.)

Context

Select the context for matching the application running over TCP, UDP, or Layer 7.

The available options are:

  • http-get-url-parsed-param-parsed—The decoded and normalized GET URL in an HTTP request along with the decoded CGI parameters (if any).

  • http-header-content-type—The content-type header in an HTTP transaction.

  • http-header-cookie—The cookie header in an HTTP transaction.

  • http-header-host—The host header in an HTTP transaction.

  • http-header-user-agent—The user-agent header in an HTTP transaction.

  • http-post-url-parsed-param-parsed—The decoded and normalized POST URL in an HTTP request along with the decoded CGI parameters (if any).

  • http-post-variable-parsed—The decoded POST URL or form data variables.

  • http-url-parsed—The decoded and normalized URL in an HTTP request.

  • http-url-parsed-param-parsed—The decoded and normalized URL in an HTTP request along with the decoded CGI parameters (if any).

  • ssl-server-name—Server name in the TLS server name extension or the SSL server certificate. This is also known as Server Name Indication (SNI).

  • stream—TCP or UDP stream data.

Direction

Select the connection direction of the packets to match pattern from the list. Combinations other than those mentioned in Table 2 is not supported.

Table 1: Supported Context-Direction Combination

Context

Direction

http-get-url-parsed-param-parsed

client-to-server

http-header-host

client-to-server

http-header-user-agent

client-to-server

http-post-url-parsed-param-parsed

client-to-server

http-post-variable-parsed

client-to-server

http-url-parsed

client-to-server

http-url-parsed-param-parsed

client-to-server

http-header-content-type

any/client-to-server/server-to-client

http-header-cookie

any/client-to-server/server-to-client

ssl-server-name

client-to-server

stream

any/client-to-server/server-to-client

Pattern

(Optional) Enter the Deterministic Finite Automaton (DFA) pattern matched on the context. The DFA pattern specifies the pattern to be matched for the signature. Maximum length is 128 characters.

Related Documentation