Juniper SRX application firewall provides the capability to control traffic at application layer.
In the traditional firewall that we have configured so far, we have had the ability to control traffic only at Layer 3 and Layer 4.
Application layer traffic control is possible using application signatures prepared by Juniper.
Application Firewall Fundamental
In the past, when we allowed HTTP or HTTPS through traditional firewall, user could only browse internet webpages.
But today mostly all applications are running over HTTP and HTTPS protocols. For example social media applications, online TV, video on demand streaming, chat applications, voice and video call and many other application are running over HTTP and HTTPS protocols.
Therefore just with a traditional firewall, which control traffic at layer 3 and layer 4, you are not able to control theses complex applications.
With application firewall, for each application a special signature is configured which looks at application layer header and data information.
With application signatures, we are able to identify applications, regardless of the operating system or platform on which those applications run.
For example, it doesn’t matter if you’re making a Google Meet video call over web browser, through the application client, or through mobile apps. Application signatures must be able to recognize this application.
Juniper SRX Application Firewall Configuration
Enable, Download and Install application firewall signatures
To enable application firewall , first we have to install application identification feature license.
With command “request system license add terminal”, we can add the license to enable application firewall.
[email protected]> request system license add terminal [Type ^D at a new line to end input, enter blank line between each license key] JUNOS123456 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff JUNOS123456: successfully added add license complete (no errors)
With command “show system license”, you can make sure that “appid-sig” signature license is valid on your SRX device.
rayka# run show system license License usage: Licenses Licenses Licenses Expiry Feature name used installed needed anti_spam_key_sbl 0 1 0 30 days idp-sig 0 1 0 30 days appid-sig 1 1 0 29 days av_key_sophos_engine 0 1 0 30 days wf_key_websense_ewf 0 1 0 30 days Virtual Appliance 1 1 0 39 days remote-access-ipsec-vpn-client 0 2 0 permanent remote-access-juniper-std 0 2 0 permanent ...
Then you are ready to download application signatures from juniper website.
With command “request services application-identification download”, you can download application signatures from juniper website.
With adding “status” keyword, at the end of above command, the status of download will be shown.
rayka# run request services application-identification download Please use command "request services application-identification download status" to check download status  rayka# run request services application-identification download status Fetching/Uncompressing https://signatures.juniper.net/xmlupdate/280/ApplicationGroups/3515/application_groups2.xml.gz  rayka# run request services application-identification download status Fetching/Uncompressing https://signatures.juniper.net/xmlupdate/280/Applications/3515/applications2.xml.gz  rayka# run request services application-identification download status Fetching/Uncompressing https://signatures.juniper.net/xmlupdate/280/Libqmprotocols/1.530.2-40/libqmprotocols.tgz  rayka# run request services application-identification download status Downloading application package 3515 succeeded.
Then with command “request services application-identification install”, you can install downloaded application signatured into the device.
With adding “status” at the end of the above command, the status of installation will be displayed.
 rayka# run request services application-identification install Please use command "request services application-identification install status" to check install status  rayka# run request services application-identification install status Checking compatibility of application package version 3515 ...  rayka# run request services application-identification install status Cleaning up legacy configurations in Junos configuration ...  rayka# run request services application-identification install status Installed Application package (3515) and Protocol bundle successfully
apply Juniper SRX Application Firewall in Unified Security Policy
Starting from Junos version 18.2.R1, you can use application policy and traditional policy in the same command set which is call “unified security policy”.
To inspect a traffic in application layer, you have to just “match dynamic-application” in your security policy.
As an example if you match “match dynamic-application junos:google”, you will see that a long list of google applications can be configured. Between them there are google maps and google photos and many other applications.
rayka# set security policies from-zone inside to-zone outside policy TEST match dynamic-application ? Possible completions: <system-applications> Specify dynamic application or dynamic application group to match [ Open a set of values any Any dynamic application junos:01NET 01net website, a French high-tech news site. junos:050PLUS 050 plus is a Japanese embedded smartphone application dedicated to audio-conferencing. junos:0ZZ0 0zz0 is an online solution to store, send and share files junos:10050NET China Railcom group web portal. ....
rayka# set security policies from-zone inside to-zone outside policy TEST match dynamic-application junos:google ^ 'junos:google' is ambiguous. Possible completions: <system-applications> Specify dynamic application or dynamic application group to match junos:GOOGLE This signature detects SSL connections to Google.com. Google is a company best known for their search engine but offers many clo junos:GOOGLE-ACCOUNTS This signature detects SSL access to the Google Accounts server. A Google Account is a user account that provides access to Goog junos:GOOGLE-ADS This signature detects SSL access to DoubeClick. DoubleClick is an advertisement service that was purchased by Google in 2007. junos:GOOGLE-ANALYTICS-TRACKING This signature detects Google Analytics Tracking. junos:GOOGLE-API Google APIs is a set of application programming interfaces (APIs) developed by Google which allow communication with Google Serv junos:GOOGLE-APPENGINE Google App Engine is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications in Goog junos:GOOGLE-BLOG blog.google is the public blog of Google (products, news, ...). junos:GOOGLE-BOOKS On-line file storage and sharing web-service by Google. Important: most of the traffic is encrypted with generic Google certific ...
junos:GOOGLEBOT Web crawler (spider) used by the Google Search engine. This plug-in will classify the bot HTTP requests, but the ixEngine won't junos:GOOGLETALK This signature detects the Google Talk client using the Jabber (XMPP) protocol.
For each application you can see the detail of application signature with the command “show services application-identification application detail”.
rayka# run show services application-identification application detail junos:GOOGLE-MAPS Application Name: junos:GOOGLE-MAPS Application type: GOOGLE-MAPS Description: Google Maps can be used to calculate routes and to look at maps. The encrypted traffic is classified as google. This plug-in also classifies the traffic destined to the Google Location service or third-party applications using its API, to locate a device. Application ID: 57 Priority: high Order: 0 Disabled: No Cacheable: No Configurable: Yes Activation Date: 2008-05-20 Last Modified: 2020-09-21 Number of Parent Group(s): 1 Application Groups: junos:web Application Tags: group-tags : web group-tags : map-service group-tags : aetls risk : 2 subcategory : miscellaneous category : Web Underlying consolidated Protocols/ports application is dependent on: Protocols: Protocol: junos:WINDOWS-AZURE / 1288 Protocol: junos:UDP / 216 Protocol: junos:TCP / 205 ...
URL filtering based on application Firewall
With application signatures, the is also another important capability that you can filter websites or URLs based on their category.
To see the list of category, you need to match based on URL category with the command “match url-category ?”
rayka# set security policies from-zone inside to-zone outside policy TEST match url-category ? Possible completions: <custom-category> Specify name of url category to match <system-category> Specify name of url category to match Enhanced_Abortion Enhanced_Abused_Drugs Enhanced_Adult_Content Enhanced_Adult_Material Enhanced_Advanced_Malware_Command_and_Control Enhanced_Advanced_Malware_Payloads Enhanced_Advertisements Enhanced_Advocacy_Groups Enhanced_Alcohol_and_Tobacco Enhanced_Alternative_Journals Enhanced_Application_and_Software_Download Enhanced_Bandwidth ... Enhanced_Web_and_Email_Marketing Enhanced_Web_and_Email_Spam Enhanced_Website_Translation [ Open a set of values any Any url category none Not apply the url category
Control HTTPS Traffic
Probably you notice that when you implement application firewall I the juniper SRX, it does not work for most applications.
This is because most applications run over HTTPS which are encrypted and it is not easy to detect if it is a google map or google earth application running over HTTPS.
To resolve the problem , we have to configure SSL proxy in juniper SRX device which allows to decrypt and control the traffic before they are delivered to the clients on the network.
This is not the discussion of this section.