Juniper SRX applications and application-set objects are another required object in security policies.

In other words, when you configure a security policy, in addition to source address and destination address, the name of the application is also required to be configured.

Source address and destination address must be already configured in address book that we have discussed in the previous section. the application name must be also already configured in the list of applications.

Juniper SRX application and application-set objects

When swe configure a security policy, to match a traffic, we have to specifiy the source and destination IP address and also application type of the interresting traffic. 

Juniper SRX Security Objects
Juniper SRX Security Objects

The source and destination IP address must be taken from address and address-set entries configured in address-book. 

And the application type must also be taken from the standard or custome application or application-set list.

Standard application list are already configured by the juniper itself.

We can configure new enterprise custom applications when thay are not in the list of standard application list.

Juniper Standard Application List

by default, there is a big list of applications that are already configured by juniper itself. You can see the list, by the command “show configuration groups junos-defaults applications”. As you can see, the name of all applications configured by the juniper itself are started by “junos-“ keyword.

rayka# run show configuration groups junos-defaults applications 
##
## protect: groups junos-defaults
##
#
# File Transfer Protocol 
#
application junos-ftp {
    application-protocol ftp;
    protocol tcp;
    destination-port 21;
}
#
# Trivial File Transfer Protocol 
#
application junos-ftp-data {
    application-protocol ftp-data;
    protocol tcp;
    destination-port 20;
}
application junos-tftp {
    application-protocol tftp;
    protocol udp;
    destination-port 69;
}
#
# Two-Way Active Measurement Protocol
#
application junos-twamp {
    application-protocol twamp;
    protocol tcp;
    destination-port 862;
}
#
# Real Time Streaming Protocol
#
application junos-rtsp {
    application-protocol rtsp;
    protocol tcp;
    destination-port 554;
}
#
# Network Basic Input Output System  - networking protocol used on
# Windows networks   session service port
#
application junos-netbios-session {
    protocol tcp;
    destination-port 139;
}                                       
application junos-smb-session {
    protocol tcp;
    destination-port 445;
}
application junos-ssh {
    protocol tcp;
    destination-port 22;
}
....

Most of the standard applications are already configured by Juniper itself, and we don’t need to reconfigure them unless the enterprise application doesn’t follow the default rules.

For example, let’s check what is default configuration of http and https configured by juniper. You can check it with command “show configuration groups junos-defaults applications application junos-http” or “show configuration groups junos-defaults applications application junos-https

[edit]
rayka# run show configuration groups junos-defaults applications application junos-http     
##
## protect: groups junos-defaults
##
protocol tcp;
destination-port 80;
inactivity-timeout 300;

[edit]
rayka# run show configuration groups junos-defaults applications application junos-https   
##
## protect: groups junos-defaults
##
protocol tcp;
destination-port 443;

[edit]
rayka# 

If you run a http application that runs on port 8080 instead of port 80. Or an https application running on port 8443 instead of 443. Then we need to add the custom application to the Juniper Applications list.

In a few minutes, we will se how we add a custom application into application list.

If you notice at the configuration of applications by the juniper, you see that most of them are matched by protocol number and destination port.

But there are some applications that can not be recognized just with protocol number and port number since they run over dynamic ports. The most famous ones are ftp.

You can see the configuration of ftp application detection by the command “show configuration groups junos-defaults applications application junos-ftp” or show configuration groups “junos-defaults applications application junos-ftp-data”.

[edit]
rayka# run show configuration groups junos-defaults applications application junos-ftp-data 
##
## protect: groups junos-defaults
##
application-protocol ftp-data;
protocol tcp;
destination-port 20;

For these application, application-protocol must be inspected. in other words for the detection of dynamic applications, the header of application layer must be inspected.

Add custom applications in application list of juniper SRX

To add a custom application, in addition to protocol number, destination port and application-protocol, we have also the options ether-type, source-port and icmp-code and icmp-type that we can see with command “set applications application TEST ?”.

rayka# set applications application TEST ?
Possible completions:
  application-protocol  Application protocol type
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  description          Text description of application
  destination-port     Match TCP/UDP destination port
  do-not-translate-A-query-to-AAAA-query  Knob to control the translation of A query to AAAA query
  do-not-translate-AAAA-query-to-A-query  Knob to control the translation of AAAA query to A query
  ether-type           Match ether type
  icmp-code            Match ICMP message code
  icmp-type            Match ICMP message type
  icmp6-code           Match ICMP6 message code
  icmp6-type           Match ICMP6 message type
  inactivity-timeout   Application-specific inactivity timeout (4..86400 seconds)
  protocol             Match IP protocol type
  rpc-program-number   Match range of RPC program numbers
  source-port          Match TCP/UDP source port
> term                 Define individual application protocols
  uuid                 Match universal unique identifier for DCE RPC objects
[edit]

the option term is used when there are more than one option to match an application. For example if a http application runs over both port 80 and 8080.

rayka# set applications application TEST term 1 ?
Possible completions:
  <[Enter]>            Execute this command
  alg                  Application Layer Gateway
  destination-port     Match TCP/UDP destination port
  icmp-code            Match ICMP message code
  icmp-type            Match ICMP message type
  icmp6-code           Match ICMP6 message code
  icmp6-type           Match ICMP6 message type
  inactivity-timeout   Application-specific inactivity timeout (4..86400 seconds)
  protocol             Match IP protocol type
  rpc-program-number   Match range of RPC program numbers
  source-port          Match TCP/UDP source port
  uuid                 Match universal unique identifier for DCE RPC objects
  |                    Pipe through a command
[edit]

Let’s also check once the list of protocols and application-protocol.

rayka# set applications application TEST protocol ?  
Possible completions:
  <number>             Numeric protocol value (1 .. 255) or 0 for any protocol
  ah                   IP Security authentication header
  egp                  Exterior gateway protocol
  esp                  IPSec Encapsulating Security Payload
  gre                  Generic routing encapsulation
  icmp                 Internet Control Message Protocol
  icmp6                Internet Control Message Protocol Version 6
  igmp                 Internet Group Management Protocol
  ipip                 IP in IP
  ospf                 Open Shortest Path First
  pim                  Protocol Independent Multicast
  rsvp                 Resource Reservation Protocol
  sctp                 Stream Control Transmission Protocol
  tcp                  Transmission Control Protocol
  udp                  User Datagram Protocol
[edit]

rayka# set applications application test application-protocol ?
Possible completions:
  dns                  Domain Name Service
  ftp                  File Transfer Protocol
  ftp-data             File Transfer Protocol Data Session
  gprs-gtp-c           GPRS Tunneling Control Plane
  gprs-gtp-u           GPRS Tunneling User Plane
  gprs-gtp-v0          GPRS Tunneling Version 0
  gprs-sctp            GPRS Stream Control Protocol
  http                 Hypertext Transfer Protocol
  https                Hypertext Transfer Protocol
  ignore               Ignore application type
  ike-esp-nat          IKE/ESP with NAT
  imap                 Internet Mail Access Protocol
  imaps                Internet Mail Access Protocol Over TLS
  mgcp-ca              MGCP-CA
  mgcp-ua              MGCP-UA
  ms-rpc               Microsoft RPC
  none                 None
  pop3                 Post Office Protocol 3 Protocol
  pop3s                Post Office Protocol 3 Protocol Over TLS
  pptp                 Point-to-Point Tunneling Protocol
  q931                 Q.931
  ras                  RAS
  realaudio            RealAudio
  rsh                  Remote Shell
  rtsp                 Real Time Streaming Protocol
  sccp                 Skinny Client Control Protocol
  sip                  Session Initiation Protocol
  smtp                 Simple Mail Transfer Protocol
  smtps                Simple Mail Transfer Protocol Over TLS
  sqlnet-v2            Oracle SQL*Net Version 2
  ssh                  Secure Shell Protocol
  sun-rpc              Sun Microsystems RPC
  talk                 Talk Program
  telnet               Telnet Protocol
  tftp                 Trivial File Transfer Protocol
  twamp                Two Way Active Meaurement Protocol
[edit]

Custom application Configuration Example

In this example, we create two custom applications, CUSTOM-WEB matching port 8080 instead of 80 and CUSTOM-SECURE-WEB matching port 8443 instead of port 443.

With “application-set”, exactly like “address-set” in address book we can match multiple application at once. Therefore instead of writing multiple lines in security policy to match multiple applications, we can match all those applications at once.

application-set CUSTOM-WEB-SET is created to match both CUSTOM-WEB and CUSTOM-SECURE-WEB.

rayka# run show configuration | display set | grep applications 
set applications application CUSTOM-WEB protocol tcp
set applications application CUSTOM-WEB destination-port 8080
set applications application CUSTOM-WEB inactivity-timeout 300
set applications application CUSTOM-SECURE-WEB protocol tcp
set applications application CUSTOM-SECURE-WEB destination-port 8443
set applications application-set CUSTOM-WEB-SET application CUSTOM-WEB
set applications application-set CUSTOM-WEB-SET application CUSTOM-SECURE-WEB

[edit]
rayka# 

rayka# show | compare 
[edit]
+  applications {
+      application CUSTOM-WEB {
+          protocol tcp;
+          destination-port 8080;
+          inactivity-timeout 300;
+      }
+      application CUSTOM-SECURE-WEB {
+          protocol tcp;
+          destination-port 8443;
+      }
+      application-set CUSTOM-WEB-SET {
+          application CUSTOM-WEB;
+          application CUSTOM-SECURE-WEB;
+      }
+  }

 And finally, let’s check how juniper standard applications or custom applications can be called in a security policy.

rayka# set security policies from-zone inside to-zone outside policy TEST match application ?
Possible completions:
  <applications>       Specify application or application-set name to match
  CUSTOM-SECURE-WEB    [applications application <*>]
  CUSTOM-WEB           [applications application <*>]
  CUSTOM-WEB-SET       [applications application-set <*>]
  [                    Open a set of values
  any                  [applications application <*>]
  junos-aol            [applications application <*>]
...

As you can see our custom applications and application-set is also available in this list of applications.

Back to: Juniper Security Associate (JNCIA-SEC) based on vSRX version 22.1R1.10 > Junos Security Objects

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment