Juniper SRX application firewall provides the capability to control traffic at application layer.

In the traditional firewall that we have configured so far, we have had the ability to control traffic only at Layer 3 and Layer 4.

Application layer traffic control is possible using application signatures prepared by Juniper.

Application Firewall Fundamental

In the past, when we allowed HTTP or HTTPS through traditional firewall, user could only browse internet webpages.

modern versus traditional applications and juniper SRX Application Firewall
modern versus traditional applications and juniper SRX Application Firewall

But today mostly all applications are running over HTTP and HTTPS protocols. For example social media applications, online TV, video on demand streaming,  chat applications, voice and video call and many other application are running over HTTP and HTTPS protocols.

Therefore just with a traditional firewall, which control traffic at layer 3 and layer 4, you are not able to control theses complex applications.

With application firewall, for each application a special signature is configured which looks at application layer header and data information.

With application signatures, we are able to identify applications, regardless of the operating system or platform on which those applications run.

For example, it doesn’t matter if you’re making a Google Meet video call over web browser, through the application client, or through mobile apps. Application signatures must be able to recognize this application.

Juniper SRX Application Firewall Configuration

Enable, Download and Install application firewall signatures

To enable application firewall , first we have to install application identification feature license.

With command “request system license add terminal”, we can add the license to enable application firewall.

user@vsrx> request system license add terminal
 
[Type ^D at a new line to end input, 
 enter blank line between each license key] 

JUNOS123456  aaaaaa bbbbbb cccccc dddddd eeeeee ffffff 
      cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa 
      aaaaaa bbbbbb cccccc dddddd eeeeee ffffff 
      cccccc bbbbbb dddddd aaaaaa ffffff

JUNOS123456: successfully added 
add license complete (no errors)

With command “show system license”, you can make sure that “appid-sig” signature license is valid on your SRX device.

rayka# run show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  anti_spam_key_sbl                     0            1           0    30 days
  idp-sig                               0            1           0    30 days
  appid-sig                             1            1           0    29 days
  av_key_sophos_engine                  0            1           0    30 days
  wf_key_websense_ewf                   0            1           0    30 days
  Virtual Appliance                     1            1           0    39 days
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent
...

Then you are ready to download application signatures from juniper website.

With command “request services application-identification download”, you can download application signatures from juniper website.

With adding “status” keyword, at the end of above command, the status of download will be shown.

rayka# run request services application-identification download                  
Please use command
        "request services application-identification download status" to check download status

[edit]
rayka# run request services application-identification download status 
Fetching/Uncompressing https://signatures.juniper.net/xmlupdate/280/ApplicationGroups/3515/application_groups2.xml.gz

[edit]
rayka# run request services application-identification download status    
Fetching/Uncompressing https://signatures.juniper.net/xmlupdate/280/Applications/3515/applications2.xml.gz

[edit]
rayka# run request services application-identification download status    
Fetching/Uncompressing https://signatures.juniper.net/xmlupdate/280/Libqmprotocols/1.530.2-40/libqmprotocols.tgz

[edit]
rayka# run request services application-identification download status    
Downloading application package 3515 succeeded.

Then with command “request services application-identification install”, you can install downloaded application signatured into the device.

With adding “status” at the end of the above command, the status of installation will be displayed.

[edit]
rayka# run request services application-identification install            
Please use command
        "request services application-identification install status" to check install status

[edit]
rayka# run request services application-identification install status 
Checking compatibility of application package version 3515 ...

[edit]
rayka# run request services application-identification install status    
Cleaning up legacy configurations in Junos configuration ...

[edit]
rayka# run request services application-identification install status    
Installed
        Application package (3515) and Protocol bundle successfully

apply Juniper SRX Application Firewall in Unified Security Policy

Starting from Junos version 18.2.R1, you can use application policy and traditional policy in the same command set which is call “unified security policy”.

To inspect a traffic in application layer, you have to just “match dynamic-application” in your security policy.

As an example if you match “match dynamic-application junos:google”, you will see that a long list of google applications can be configured. Between them there are google maps and google photos and many other applications.

rayka# set security policies from-zone inside to-zone outside policy TEST match dynamic-application ?
Possible completions:
  <system-applications>  Specify dynamic application or dynamic application group to match
  [                    Open a set of values
  any                  Any dynamic application
  junos:01NET          01net website, a French high-tech news site.
  junos:050PLUS        050 plus is a Japanese embedded smartphone application dedicated to audio-conferencing.
  junos:0ZZ0           0zz0 is an online solution to store, send and share files
  junos:10050NET       China Railcom group web portal.
  ....
rayka# set security policies from-zone inside to-zone outside policy TEST match dynamic-application junos:google
                                                                                                                ^
'junos:google' is ambiguous.
Possible completions:
  <system-applications>  Specify dynamic application or dynamic application group to match
  junos:GOOGLE         This signature detects SSL connections to Google.com. Google is a company best known for their search engine but offers many clo
  junos:GOOGLE-ACCOUNTS  This signature detects SSL access to the Google Accounts server. A Google Account is a user account that provides access to Goog
  junos:GOOGLE-ADS     This signature detects SSL access to DoubeClick. DoubleClick is an advertisement service that was purchased by Google in 2007.
  junos:GOOGLE-ANALYTICS-TRACKING  This signature detects Google Analytics Tracking.
  junos:GOOGLE-API     Google APIs is a set of application programming interfaces (APIs) developed by Google which allow communication with Google Serv
  junos:GOOGLE-APPENGINE  Google App Engine is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications in Goog
  junos:GOOGLE-BLOG    blog.google is the public blog of Google (products, news, ...).
  junos:GOOGLE-BOOKS   On-line file storage and sharing web-service by Google. Important: most of the traffic is encrypted with generic Google certific
...
  junos:GOOGLEBOT Web crawler (spider) used by the Google Search engine. This plug-in will classify the bot HTTP requests, but the ixEngine won't   junos:GOOGLETALK This signature detects the Google Talk client using the Jabber (XMPP) protocol.

For each application you can see the detail of application signature with the command “show services application-identification application detail”.

rayka# run show services application-identification application detail junos:GOOGLE-MAPS               
Application Name: junos:GOOGLE-MAPS                                           
Application type: GOOGLE-MAPS                                                 
Description: Google Maps can be used to calculate routes and to look at maps. The encrypted traffic is classified as google. This plug-in also classifies
             the traffic destined to the Google Location service or third-party applications using its API, to locate a device.
Application ID: 57      
Priority: high    
Order: 0       
Disabled: No                 
Cacheable: No   
Configurable: Yes  
Activation Date: 2008-05-20      
Last Modified: 2020-09-21      
Number of Parent Group(s): 1      
Application Groups:
    junos:web                                    
Application Tags:
    group-tags            : web                                               
    group-tags            : map-service                                       
    group-tags            : aetls                                             
    risk                  : 2                                                 
    subcategory           : miscellaneous                                     
    category              : Web                                               
Underlying consolidated Protocols/ports application is dependent on:
    Protocols:
        Protocol: junos:WINDOWS-AZURE / 1288       
        Protocol: junos:UDP   / 216        
        Protocol: junos:TCP   / 205        
...

URL filtering based on application Firewall

With application signatures, the is also another important capability that you can filter websites or URLs based on their category.

To see the list of category, you need to match based on URL category with the command “match url-category ?

rayka# set security policies from-zone inside to-zone outside policy TEST match url-category ?
Possible completions:
  <custom-category>    Specify name of url category to match
  <system-category>    Specify name of url category to match
  Enhanced_Abortion    
  Enhanced_Abused_Drugs  
  Enhanced_Adult_Content  
  Enhanced_Adult_Material  
  Enhanced_Advanced_Malware_Command_and_Control  
  Enhanced_Advanced_Malware_Payloads  
  Enhanced_Advertisements  
  Enhanced_Advocacy_Groups  
  Enhanced_Alcohol_and_Tobacco  
  Enhanced_Alternative_Journals  
  Enhanced_Application_and_Software_Download  
  Enhanced_Bandwidth   
  ...
  Enhanced_Web_and_Email_Marketing  
  Enhanced_Web_and_Email_Spam  
  Enhanced_Website_Translation  
  [                    Open a set of values
  any                  Any url category
  none                 Not apply the url category

Control HTTPS Traffic

Probably you notice that when you implement application firewall I the juniper SRX, it does not work for most applications.

This is because most applications run over HTTPS which are encrypted and it is not easy to detect if it is a google map or google earth application running over HTTPS.

To resolve the problem , we have to configure SSL proxy in juniper SRX device which allows to decrypt and control the traffic before they are delivered to the clients on the network.

This is not the discussion of this section.

Back to: Juniper Security Associate (JNCIA-SEC) based on vSRX version 22.1R1.10 > Security Policies

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment