Junos OS. Application Tracking. Release 12.1X44-D10. Published: Copyright 2014, Juniper Networks, Inc.

Junos® OS Application Tracking

Release 12.1X44-D10

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS Application Tracking 12.1X44-D10

Copyright © 2014, Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . vii

Documentation and Release Notes . . . vii

Supported Platforms . . . vii

Using the Examples in This Manual . . . vii

Merging a Full Example . . . viii

Merging a Snippet . . . viii

Documentation Conventions . . . ix

Documentation Feedback . . . xi

Requesting Technical Support . . . xi

Self-Help Online Tools and Resources . . . xi

Opening a Case with JTAC . . . xii

Part 1

Overview

Chapter 1 Supported Features . . . 3

Application Identification (Junos OS) . . . 3

Chapter 2 Application Tracking . . . 5

Understanding AppTrack . . . 5

Part 2

Configuration

Chapter 3 Application Tracking . . . 9

Example: Configuring AppTrack . . . 9

Example: Configuring Application Tracking When SSL Proxy Is Enabled . . . 14

Chapter 4 Configuration Statements . . . 17

[edit security application-tracking] Hierarchy Level . . . 17

application-tracking . . . 18

disable (Application Tracking) . . . 18

first-update . . . 19

first-update-interval . . . 19

session-update-interval . . . 20

[edit security log] Hierarchy Level . . . 20

format (Security Log) . . . 22

log (Security) . . . 23

stream (Security Log) . . . 25

[edit security zones] Hierarchy Level . . . 25

application-tracking (Security Zones) . . . 27

security-zone . . . 28

(4)

Part 3

Administration

Chapter 5 Application Tracking . . . 35

Disabling AppTrack . . . 35

Chapter 6 Operational Commands . . . 37

show security application-tracking counters . . . 38

Part 4

Index

Index . . . 41

(5)

List of Tables

About the Documentation . . . vii

Table 1: Notice Icons . . . ix

Table 2: Text and Syntax Conventions . . . ix

Part 1

Overview

Chapter 1 Supported Features . . . 3

Table 3: Application Identification . . . 3

Part 3

Administration

Chapter 6 Operational Commands . . . 37


About the Documentation

• Documentation and Release Notes on page vii
• Supported Platforms on page vii
• Using the Examples in This Manual on page vii
• Documentation Conventions on page ix
• Documentation Feedback on page xi
• Requesting Technical Support on page xi

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• SRX Series

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.


If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform. For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

commit {
    file ex-script-snippet.xsl;
}

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

[edit]
user@host# edit system scripts
[edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete

For more information about the load command, see the CLI User Guide.

Documentation Conventions

Table 1 on page ix defines notice icons used in this guide.

Table 1: Notice Icons

Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.

Table 2 on page ix defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
  user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
  user@host> show chassis alarms
  No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
  [edit]
  root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
• broadcast | multicast
• (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples:
  [edit]
  routing-options {
      static {
          route default {
              nexthop address;
              retain;
          }
      }
  }

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

PART 1

Overview


CHAPTER 1

Supported Features

• Application Identification (Junos OS) on page 3

Application Identification (Junos OS)

Juniper Networks provides predefined application signatures that detect TCP and UDP applications running on nonstandard ports. Identifying these applications provides data for application tracking (AppTrack), Application Firewall (AppFW), Application QoS (AppQoS), and Application DDoS, and allows Intrusion Detection and Prevention (IDP) to apply appropriate attack objects to applications running on nonstandard ports.

NOTE: The information in Table 3 on page 3 refers to the Junos OS application identification module located in the services hierarchy.

Table 3: Application Identification

Feature | J Series | SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 | SRX550, SRX650 | SRX100, SRX110, SRX210, SRX220, SRX240
Application DDoS (AppDoS) | No | Yes | No | No
Application Firewall (AppFW) | No | Yes | Yes | Yes
Application QoS (AppQoS) | No | Yes | No | No
Application Tracking (AppTrack) | No | Yes | Yes | Yes
Jumbo frames | Yes (9010 bytes) | Yes (9192 bytes) | Yes | SRX210, SRX220, and SRX240 only
Nested application identification | No | Yes | Yes | Yes
Onbox application tracking statistics (AppTrack) | No | Yes | Yes | Yes
User role integration into AppTrack logs | No | Yes | Yes | Yes

Related Documentation

• AppSecure Services
• Application Identification for Security Devices
• Intrusion Detection and Prevention

CHAPTER 2

Application Tracking

• Understanding AppTrack on page 5

Understanding AppTrack

AppTrack, an application tracking tool, provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. The Security Threat Response Manager (STRM) retrieves the data and provides flow-based application visibility.

AppTrack messages are similar to session logs and use syslog or structured syslog formats. The message also includes an application field for the session. If AppTrack identifies a custom-defined application and returns an appropriate name, the custom application name is included in the log message. (If the application identification process fails or has not yet completed when an update message is triggered, the message specifies none in the application field.)


When you want the initial update message to be sent earlier than the specified update interval, use the first-update-interval. The first-update-interval lets you enter a shorter interval for the first update only. Alternatively, you can generate the initial update message at session start by using the first-update option.

The close message updates the statistics for the last time and provides an explanation for the session closure. The following codes are used:

• TCP RST—RST received from either end.
• TCP FIN—FIN received from either end.
• Response received—Response received for a packet request (such as icmp req-reply).
• ICMP error—ICMP error received (such as dest unreachable).
• Aged out—Session aged out.
• ALG—ALG closed the session.
• IDP—IDP closed the session.
• Parent closed—Parent session closed.
• CLI—Session cleared by a CLI statement.
• Policy delete—Policy marked for deletion.

Related Documentation

• Application Tracking
• Example: Configuring AppTrack on page 9
• Disabling AppTrack on page 35
• Understanding Application Identification Techniques

PART 2

Configuration


CHAPTER 3

Application Tracking

• Example: Configuring AppTrack on page 9

• Example: Configuring Application Tracking When SSL Proxy Is Enabled on page 14

Example: Configuring AppTrack

This example shows how to configure the AppTrack tracking tool so you can analyze the bandwidth usage of your network.

• Requirements on page 9
• Overview on page 9
• Configuration on page 9
• Verification on page 12

Requirements

Before you configure AppTrack, it is important that you understand conceptual information about AppTrack and Junos OS application identification. See “Understanding AppTrack” on page 5 and Understanding Junos OS Application Identification Database.

Overview

Application identification is enabled by default and is automatically turned on when you configure the AppTrack, AppFW, or IDP service. The Security Threat Response Manager (STRM) retrieves the data and provides flow-based application visibility. STRM includes support for AppTrack reporting and includes several predefined search templates and reports.

Configuration

This example shows how to enable application tracking for the security zone named trust. The first log message is to be generated when the session starts, and update messages should be sent every 4 minutes after that. A final message is sent at session end.


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

NOTE: Changing the session-update-interval and the first-update-interval is not necessary in most situations. The commands are included in this example to demonstrate their use.

set security log format syslog
set security log stream stream-data host 5.0.0.1
set security log source-address 5.0.0.254
set security zones security-zone trust application-tracking
set security application-tracking session-update-interval 4
set security application-tracking first-update

NOTE: On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if the syslog configuration does not specify a destination port, the default destination port will be the syslog port. If you specify a destination port in the syslog configuration, then that port will be used instead.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure AppTrack:

1. Configure the remote syslog device to receive AppTrack messages.

[edit]
user@host# set security log format sd-syslog
user@host# set security log stream stream-data host 5.0.0.1
user@host# set security log source-address 5.0.0.254

2. Enable AppTrack for the security zone.

[edit security]
user@host# set zones security-zone trust application-tracking

3. (Optional) Generate update messages every 4 minutes.

[edit security]
user@host# set application-tracking session-update-interval 4

The default interval between messages is 5 minutes. If a session starts and ends within this update interval, AppTrack generates one message at session close. However, if the session is long-lived, an update message is sent every 5 minutes. The session-update-interval minutes is configurable as shown in this step.

4. (Optional) Generate the first message when the session starts.


[edit security]

user@host# set application-tracking first-update

By default, the first message is generated after the first session update interval elapses. To generate the first message at a different time than this, use the first-update option (generate the first message at session start) or the first-update-interval minutes option (generate the first message after the specified minutes). For example, enter the following command to generate the first message one minute after session start.

[edit security]

user@host# set application-tracking first-update-interval 1

NOTE: The first-update option and the first-update-interval minutes option are mutually exclusive. If you specify both, the first-update-interval value is ignored.

Once the first message has been generated, an update message is generated each time the session update interval is reached.

Results

From configuration mode, confirm your configuration by entering the show security and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
user@host# show security
...
application-tracking {
    first-update;
    session-update-interval 4;
}
log {
    format sd-syslog;
    source-address 5.0.0.254;
    stream strm {
        host {
            5.0.0.1;
        }
    }
}
...

[edit]
user@host# show security zones
...
security-zone trust {
    ...
    application-tracking;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Use the STRM product on the remote logging device to view the AppTrack log messages. To confirm that the configuration is working properly, you can also perform these tasks on the SRX Series device:

• Reviewing AppTrack Statistics on page 12
• Verifying AppTrack Operation on page 12
• Verifying Security Flow Session Statistics on page 12
• Verifying Application System Cache Statistics on page 13
• Verifying the Status of Application Identification Counter Values on page 13

Reviewing AppTrack Statistics

Purpose: Review AppTrack statistics to view characteristics of the traffic being tracked.

Action: From operational mode, enter the show services application-identification statistics applications command.

user@host> show services application-identification statistics applications
Last Reset: 2012-02-14 21:23:45 UTC
Application    Sessions    Bytes    Encrypted
HTTP           1           2291     Yes
HTTP           1           942      No
SSL            1           2291     Yes
unknown        1           100      No
unknown        1           100      Yes

Verifying AppTrack Operation

Purpose: View the AppTrack counters periodically to monitor logging activity.

Action: From operational mode, enter the show security application-tracking counters command.

user@host> show security application-tracking counters
AVT counters:                  Value
  Session create messages      1
  Session close messages       1
  Session volume updates       0
  Failed messages              0

Verifying Security Flow Session Statistics

Purpose: Compare byte and packet counts in logged messages with the session statistics from the show security flow session command output.

Action: From operational mode, enter the show security flow session command.

user@host> show security flow session
Flow Sessions on FPC6 PIC0:

Session ID: 120000044, Policy name: policy-in-out/4, Timeout: 1796, Valid
  In: 4.0.0.1/39075 --> 5.0.0.1/21;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 1032
  Out: 5.0.0.1/21 --> 4.0.0.1/39075;tcp, If: ge-0/0/1.0, Pkts: 24, Bytes: 1442
Valid sessions: 1
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 1

Byte and packet totals in the session statistics should approximate the counts logged by AppTrack but might not be exactly the same. AppTrack counts only incoming bytes and packets. System-generated packets are not included in the total, and dropped packets are not deducted.
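The comparison in this verification step is easy to get wrong by eye, because the flow session output carries one packet and byte count per wing (In and Out) while the AppTrack message carries totals. The following Python script is an added illustration, not code from the Juniper documentation: it parses the show security flow session output shown above into per-session wings and exposes the per-direction and combined totals, so a collector-side check can decide which figure to compare with the logged AppTrack value. The sample text is the output on this page; the 5% tolerance and the field names are this example's own assumptions, since the page only says the two figures should approximate each other.

```python
"""Parse 'show security flow session' output and compare wing counters with
AppTrack-logged totals. Added example, not Juniper code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample taken from the 'show security flow session' output shown on this page.
SAMPLE_OUTPUT = """\
Flow Sessions on FPC6 PIC0:

Session ID: 120000044, Policy name: policy-in-out/4, Timeout: 1796, Valid
  In: 4.0.0.1/39075 --> 5.0.0.1/21;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 1032
  Out: 5.0.0.1/21 --> 4.0.0.1/39075;tcp, If: ge-0/0/1.0, Pkts: 24, Bytes: 1442
Valid sessions: 1
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 1
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>\S+) --> (?P<dst>\S+);(?P<proto>\w+), "
    r"If: (?P<ifname>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


@dataclass
class Wing:
    direction: str
    src: str
    dst: str
    proto: str
    interface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    state: str
    wings: List[Wing] = field(default_factory=list)


def parse_flow_sessions(text: str) -> List[Session]:
    """Build Session objects; each wing line attaches to the most recent header."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["sid"]), m["policy"],
                                    int(m["timeout"]), m["state"]))
            continue
        m = WING_RE.match(line)
        if m:
            if not sessions:
                raise ValueError("wing line before any session header: " + line)
            sessions[-1].wings.append(Wing(m["dir"], m["src"], m["dst"], m["proto"],
                                           m["ifname"], int(m["pkts"]), int(m["bytes"])))
    return sessions


def totals(session: Session) -> Dict[str, int]:
    """Packet and byte counts per direction plus both directions combined."""
    out = {"in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0}
    for w in session.wings:
        key = w.direction.lower()
        out[key + "_pkts"] += w.pkts
        out[key + "_bytes"] += w.nbytes
    out["pkts"] = out["in_pkts"] + out["out_pkts"]
    out["bytes"] = out["in_bytes"] + out["out_bytes"]
    return out


def within_tolerance(observed: int, logged: int, max_relative_diff: float = 0.05) -> bool:
    """True when the AppTrack-logged value is within max_relative_diff of the
    flow-session value. The 5% default is this example's assumption."""
    if observed == 0:
        return logged == 0
    return abs(observed - logged) / observed <= max_relative_diff


if __name__ == "__main__":
    for s in parse_flow_sessions(SAMPLE_OUTPUT):
        t = totals(s)
        print(f"session {s.session_id} policy {s.policy}: {t}")
        # 2400 is a constructed AppTrack byte figure for this session.
        print("bytes within tolerance:", within_tolerance(t["bytes"], 2400))
```

Because AppTrack counts only incoming bytes and packets, a check that compares the logged value against the combined total will show a larger gap than one that compares against the direction the device actually received; the totals dictionary keeps both so the operator can pick the right one for the platform in use.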

Verifying Application System Cache Statistics

Purpose: Compare cache statistics such as IP address, port, protocol, and service for an application from the show services application-identification application-system-cache command output.

Action: From operational mode, enter the show services application-identification application-system-cache command.

Verifying the Status of Application Identification Counter Values

Purpose: Compare session statistics for application identification counter values from the show services application-identification counter command output.

Action: From operational mode, enter the show services application-identification counter command.

Related Documentation

• Application Tracking
• Understanding AppTrack on page 5
• Disabling AppTrack on page 35
• Understanding Application Identification Techniques

Example: Configuring Application Tracking When SSL Proxy Is Enabled

This example describes how AppTrack supports this AppID functionality when SSL proxy is enabled.

• Requirements on page 14
• Overview on page 14
• Configuration on page 14

Requirements

Before you begin:

• Create zones. See Example: Creating Security Zones.

• Create an SSL proxy profile that enables SSL proxy by means of a policy. See Example: Creating a Configuration Workflow for SSL Proxy.

Overview

You can configure AppTrack either in the to or from zones. This example shows how to configure AppTrack in a to zone in a policy rule when SSL proxy is enabled.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security zones security-zone Z_1 application-tracking
set security policies from-zone Z_1 to-zone Z_2 policy policy1 match source-address any
set security policies from-zone Z_1 to-zone Z_2 policy policy1 match destination-address any
set security policies from-zone Z_1 to-zone Z_2 policy policy1 then permit application-services ssl-proxy profile-name ssl-profile-1
set security policies from-zone Z_1 to-zone Z_2 policy policy1 then permit

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

In this example, you configure a security policy that uses IDP as the application service.

1. Configure application tracking in a to-zone (you can also configure using a from-zone).

[edit]
user@host# set security zones security-zone Z_1 application-tracking

2. Configure the SSL proxy profile.

[edit security policies from-zone Z_1 to-zone Z_2 policy policy1]
user@host# set match source-address any
user@host# set match destination-address any
user@host# set match application junos-https
user@host# set then permit application-services ssl-proxy profile-name ssl-profile-1
user@host# set then permit

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

Verify that the configuration is working properly. Verification in AppTrack works similar to verification in AppFW. See the verification section of Example: Configuring Application Firewall When SSL Proxy Is Enabled.

Related Documentation

• SSL Proxy Overview
• Application Firewall, IDP, and Application Tracking with SSL Proxy Overview
• Understanding Security Policy Elements
• Security Policies Configuration Overview
• Example: Configuring AppTrack on page 9

CHAPTER 4

Configuration Statements

• [edit security application-tracking] Hierarchy Level on page 17
• application-tracking on page 18
• disable (Application Tracking) on page 18
• first-update on page 19
• first-update-interval on page 19
• session-update-interval on page 20
• [edit security log] Hierarchy Level on page 20
• format (Security Log) on page 22
• log (Security) on page 23
• stream (Security Log) on page 25
• [edit security zones] Hierarchy Level on page 25
• application-tracking (Security Zones) on page 27
• security-zone on page 28
• zones on page 30

[edit security application-tracking] Hierarchy Level

security {
    application-tracking {
        disable;
        (first-update | first-update-interval first-update-interval);
        session-update-interval session-update-interval;
    }
}

Related Documentation

• Application Tracking

application-tracking

Syntax

application-tracking {
    disable;
    (first-update | first-update-interval first-update-interval);
    session-update-interval session-update-interval;
}

Hierarchy Level [edit security]

Release Information Statement introduced in Release 10.2 of Junos OS; support for disable added in Release 11.4 of Junos OS.

Description AppTrack, an application tracking tool, is a form of statistical profiling. Enabling this feature for a zone logs flow statistics (the byte count, packet count, and start and end times for a session) at session end. You can modify the logging time and log frequency with command options. Periodically, a network management tool, such as STRM, collects the logged statistics sent by each network device for bandwidth usage analysis of the network.

Options The remaining statements are explained separately.

Required Privilege Level security—To view this statement in the configuration. security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking
• Logical Systems for Security Devices

disable (Application Tracking)

Syntax disable;

Hierarchy Level [edit security application-tracking]

Release Information Statement introduced in Release 11.4 of Junos OS.

Description Disable application tracking on a device without deleting the zone configuration. Application tracking is enabled by default.

Required Privilege Level security—To view this statement in the configuration. security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking

first-update

Syntax first-update;

Hierarchy Level [edit security application-tracking]

Release Information Statement introduced in Release 10.2 of Junos OS.

Description Generate an AppTrack start message when a new session begins. (A final message is produced at session end with any option.) This option overrides the first-update-interval option if both are specified.

Required Privilege Level security—To view this statement in the configuration. security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking

first-update-interval

Syntax first-update-interval first-update-interval;

Hierarchy Level [edit security application-tracking]

Release Information Statement introduced in Release 10.2 of Junos OS.

Description For long-lived sessions being monitored by AppTrack, configure this value to issue the first update message after a specified number of minutes.

NOTE: The first-update-interval setting is disregarded if the first-update option is set to log the first message at session start.

Options minutes—Maximum number of minutes after session start for the first update message to be sent. This value must be smaller than the session-update-interval setting. Default: 1

Required Privilege Level security—To view this statement in the configuration. security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking

session-update-interval

Syntax session-update-interval minutes;

Hierarchy Level [edit security application-tracking]

Release Information Statement introduced in Release 10.2 of Junos OS.

Description Configure the interval between session update messages for long-lived sessions being monitored by AppTrack. Byte count, packet count, and start and end times are updated and logged whenever the time elapsed since session start (or since the previous update) exceeds the interval.

Options minutes—Minutes between updates.
Default: 5

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking
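The following configuration is added here as an example and is not taken from the original document. It shows the three timing statements of this hierarchy together: the first volume update for a long-lived session is moved from the default 1 minute to 2 minutes and the recurring update from the default 5 minutes to 10 minutes, and the commented-out first-update shows where a start-of-session message would be enabled instead. The interval values are assumptions chosen for illustration.

```junos
/* Added example, not from the original Juniper document. The interval
   values below are assumptions for illustration. */
security {
    application-tracking {
        /* First volume update for a long-lived session 2 minutes after
           session start (default 1). This must be smaller than
           session-update-interval. */
        first-update-interval 2;
        /* Subsequent volume updates every 10 minutes (default 5). Byte
           and packet counts are reported with each update. */
        session-update-interval 10;
        /* Alternative: emit a message as soon as the session is created
           instead of waiting for the first interval. When first-update is
           configured, first-update-interval is ignored.
        first-update;
        */
    }
}
```

Load this with load merge (or the equivalent set security application-tracking commands) and commit. Following the descriptions of the two interval statements, a session that lasts 25 minutes then produces a first volume update at 2 minutes, further updates at 12 and 22 minutes, and a close message at 25 minutes; a create-time message appears only if first-update is configured. Keep first-update-interval smaller than session-update-interval as the statement description requires; a value equal to or larger than the recurring interval makes the first update no earlier than the regular one and so serves no purpose.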

[edit security log] Hierarchy Level

security {
    log {
        cache {
            exclude exclude-name {
                destination-address destination-address;
                destination-port destination-port;
                event-id event-id;
                failure;
                interface-name interface-name;
                policy-name policy-name;
                process process-name;
                protocol protocol;
                source-address source-address;
                source-port source-port;
                success;
                user-name user-name;
            }
            limit value;
        }
        disable;
        event-rate rate;
        file {
            files max-file-number;
            name file-name;
            path binary-log-file-path;
            size maximum-file-size;
        }
        format (binary | sd-syslog | syslog);
        mode (event | stream);
        rate-cap rate-cap-value;
        source-address source-address;
        stream stream-name {
            category (all | content-security);
            format (binary | sd-syslog | syslog | welf);
            host {
                ip-address;
                port port-number;
            }
            severity (alert | critical | debug | emergency | error | info | notice | warning);
        }
        traceoptions {
            file {
                file-name;
                files max-file-number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            flag flag;
            no-remote-trace;
        }
        utc-time-stamp;
    }
}

Related Documentation

• Log File Formats
• Application Tracking
• Master Administrator for Logical Systems on Security Devices

format (Security Log)

Syntax format (binary | sd-syslog | syslog);

Hierarchy Level [edit security log]

Release Information Statement introduced in a release of Junos OS prior to Release 10.0. Updated in Release 12.1 of Junos OS.

Description Set the default log format for event mode security logging on the device. A stream can carry its own format statement under [edit security log stream stream-name].

Options
• binary—Binary encoded text to conserve resources.
• sd-syslog—Structured system log file.
• syslog—Traditional system log file.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• System Log Messages
• Application Tracking

log (Security)

Syntax log {
    cache {
        exclude exclude-name {
            destination-address destination-address;
            destination-port destination-port;
            event-id event-id;
            failure;
            interface-name interface-name;
            policy-name policy-name;
            process process-name;
            protocol protocol;
            source-address source-address;
            source-port source-port;
            success;
            user-name user-name;
        }
        limit value;
    }
    disable;
    event-rate rate;
    file {
        files max-file-number;
        name file-name;
        path binary-log-file-path;
        size maximum-file-size;
    }
    format (binary | sd-syslog | syslog);
    mode (event | stream);
    rate-cap rate-cap-value;
    source-address source-address;
    stream stream-name {
        category (all | content-security);
        format (binary | sd-syslog | syslog | welf);
        host {
            ip-address;
            port port-number;
        }
        severity (alert | critical | debug | emergency | error | info | notice | warning);
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
    }
    utc-time-stamp;
}

Hierarchy Level [edit security]

Release Information Statement introduced in Release 9.2 of Junos OS.

Description You can set the mode of logging (event for traditional system logging, or stream for streaming security logs through a revenue port to a server). You can also specify all the other parameters for security logging.

Options
• disable—Disable security logging for the device.
• event-rate rate—Limit the rate (0 through 1500) at which logs are streamed per second.
• rate-cap rate-cap-value—Works with event mode only. Limit the rate (0 through 5000) at which data plane logs are generated per second.
• source-address source-address—Specify the source IP address used when exporting security logs.
• utc-time-stamp—Use UTC time for security log timestamps.

The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Log File Formats
• Application Tracking
• Master Administrator for Logical Systems on Security Devices

stream (Security Log)

Syntax stream stream-name {
    category (all | content-security);
    format (binary | sd-syslog | syslog | welf);
    host {
        ip-address;
        port port-number;
    }
    severity (alert | critical | debug | emergency | error | info | notice | warning);
}

Hierarchy Level [edit security log]

Release Information Statement modified in Release 9.2 of Junos OS.

Description Set stream settings for a security log. You can set a maximum of three streams.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking
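The following configuration is an added example, not part of the original document, of a complete stream-mode setup under [edit security log] that exports AppTrack and other security logs to a collector. It pulls together the log, format and stream statements described above. The stream name, the addresses, the collector port and the event-rate value are assumptions chosen for illustration.

```junos
/* Added example, not from the original Juniper document. The stream name,
   the addresses, the port and the event-rate value are assumptions. */
security {
    log {
        /* stream mode: the data plane sends logs out a revenue (traffic)
           port straight to the collector instead of through traditional
           system logging on the device. */
        mode stream;
        /* Address the exported logs are sent from; it must belong to an
           interface from which the collector is reachable. */
        source-address 192.0.2.1;
        /* Upper bound on logs streamed per second (0 through 1500). */
        event-rate 1000;
        /* Timestamp logs in UTC so they correlate with other sources
           regardless of the device's local time zone. */
        utc-time-stamp;
        /* One of at most three streams. */
        stream apptrack-collector {
            category all;
            /* Structured syslog (RFC 5424 structured data) is the easiest
               of the four formats to parse on the collector. */
            format sd-syslog;
            host {
                192.0.2.50;
                port 514;
            }
            /* AppTrack session messages are informational; a stricter
               severity would filter them out. */
            severity info;
        }
    }
}
```

Because the stream leaves through a revenue port, verify reachability from the data plane rather than from the management interface: the collector must be reachable by a route from the interface that owns source-address. The format statement directly under [edit security log] is the default for event mode only, so in stream mode set the format under each stream as shown.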

[edit security zones] Hierarchy Level

security {
    zones {
        functional-zone {
            management {
                description text;
                host-inbound-traffic {
                    protocols protocol-name {
                        except;
                    }
                    system-services service-name {
                        except;
                    }
                }
                interfaces interface-name {
                    host-inbound-traffic {
                        protocols protocol-name {
                            except;
                        }
                        system-services service-name {
                            except;
                        }
                    }
                }
                screen screen-name;
            }
        }
        security-zone zone-name {
            address-book {
                address address-name {
                    ip-prefix {
                        description text;
                    }
                    description text;
                    dns-name domain-name {
                        ipv4-only;
                        ipv6-only;
                    }
                    range-address lower-limit to upper-limit;
                    wildcard-address ipv4-address/wildcard-mask;
                }
                address-set address-set-name {
                    address address-name;
                    address-set address-set-name;
                    description text;
                }
            }
            application-tracking;
            description text;
            host-inbound-traffic {
                protocols protocol-name {
                    except;
                }
                system-services service-name {
                    except;
                }
            }
            interfaces interface-name {
                host-inbound-traffic {
                    protocols protocol-name {
                        except;
                    }
                    system-services service-name {
                        except;
                    }
                }
            }
            screen screen-name;
            tcp-rst;
        }
    }
}

Related Documentation

• Application Tracking
• Security Zones and Interfaces for Security Devices
• Logical Systems for Security Devices
• Unified Access Control Solution for Security Devices

application-tracking (Security Zones)

Syntax application-tracking;

Hierarchy Level [edit security zones security-zone zone-name]

Release Information Statement introduced in Junos OS Release 10.2.

Description Enable application tracking support for the zone.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking
• Security Zones and Interfaces for Security Devices
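The following configuration is an added example, not part of the original document, that enables application tracking on one security zone and shows the relationship to the device-wide setting. The zone name and the interface name are assumptions chosen for illustration.

```junos
/* Added example, not from the original Juniper document. The zone and
   interface names are assumptions. */
security {
    zones {
        security-zone trust {
            /* Application tracking is on by default at
               [edit security application-tracking], but it takes effect
               only for zones that carry this statement. */
            application-tracking;
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
```

After committing, run show security application-tracking counters: Session create messages should rise as new sessions appear for the zone, and Failed messages should stay at zero. A rising Failed messages count means messages are being dropped because of memory or session constraints and is worth alerting on. To pause tracking without touching the zone, configure set security application-tracking disable, which overrides every zone's application-tracking statement; delete it again to resume.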


security-zone

Syntax security-zone zone-name {
    address-book {
        address address-name {
            ip-prefix {
                description text;
            }
            description text;
            dns-name domain-name {
                ipv4-only;
                ipv6-only;
            }
            range-address lower-limit to upper-limit;
            wildcard-address ipv4-address/wildcard-mask;
        }
        address-set address-set-name {
            address address-name;
            address-set address-set-name;
            description text;
        }
    }
    application-tracking;
    description text;
    host-inbound-traffic {
        protocols protocol-name {
            except;
        }
        system-services service-name {
            except;
        }
    }
    interfaces interface-name {
        host-inbound-traffic {
            protocols protocol-name {
                except;
            }
            system-services service-name {
                except;
            }
        }
    }
    screen screen-name;
    tcp-rst;
}

Hierarchy Level [edit security zones]

Release Information Statement introduced in Release 8.5 of Junos OS. Support for wildcard addresses added in Release 11.1 of Junos OS. The description option added in Release 12.1 of Junos OS.

Description Define a security zone, which allows you to divide the network into different segments and apply different security options to each segment.

Options zone-name—Name of the security zone.

The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Ethernet Port Switching for Security Devices
• Layer 2 Bridging and Switching for Security Devices
• Layer 2 Bridging and Transparent Mode for Security Devices
• Application Tracking

zones

Syntax zones {
    functional-zone {
        management {
            description text;
            host-inbound-traffic {
                protocols protocol-name {
                    except;
                }
                system-services service-name {
                    except;
                }
            }
            interfaces interface-name {
                host-inbound-traffic {
                    protocols protocol-name {
                        except;
                    }
                    system-services service-name {
                        except;
                    }
                }
            }
            screen screen-name;
        }
    }
    security-zone zone-name {
        address-book {
            address address-name {
                ip-prefix {
                    description text;
                }
                description text;
                dns-name domain-name {
                    ipv4-only;
                    ipv6-only;
                }
                range-address lower-limit to upper-limit;
                wildcard-address ipv4-address/wildcard-mask;
            }
            address-set address-set-name {
                address address-name;
                address-set address-set-name;
                description text;
            }
        }
        application-tracking;
        description text;
        host-inbound-traffic {
            protocols protocol-name {
                except;
            }
            system-services service-name {
                except;
            }
        }
        interfaces interface-name {
            host-inbound-traffic {
                protocols protocol-name {
                    except;
                }
                system-services service-name {
                    except;
                }
            }
        }
        screen screen-name;
        tcp-rst;
    }
}

Hierarchy Level [edit security]

Release Information Statement introduced in Junos OS Release 8.5. Support for wildcard addresses added in Junos OS Release 11.1. The description option added in Junos OS Release 12.1.

Description A zone is a collection of interfaces for security purposes. All interfaces in a zone are equivalent from a security point of view. Configure the following zones:

• Functional zone—Special-purpose zone, such as a management zone that can host dedicated management interfaces.

• Security zone—Most common type of zone; used as a building block in policies.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

• Application Tracking
• Security Zones and Interfaces for Security Devices
• Logical Systems for Security Devices

PART 3

Administration


CHAPTER 5

Application Tracking

• Disabling AppTrack on page 35

Disabling AppTrack

Application tracking is enabled by default. You can disable application tracking without deleting the zone configuration.

To disable application tracking:

user@host# set security application-tracking disable

If application tracking has been previously disabled and you want to reenable it, delete the configuration statement that specifies disabling of application tracking:

user@host# delete security application-tracking disable

If you are finished configuring the device, commit the configuration.

To verify the configuration, enter the show security application-tracking command.

Related Documentation

• Application Tracking
• Understanding AppTrack on page 5
• Example: Configuring AppTrack on page 9

CHAPTER 6

Operational Commands


show security application-tracking counters

Syntax show security application-tracking counters

Release Information Command introduced in Release 10.2 of Junos OS.

Description Display the status of AppTrack counters.

Required Privilege Level view

Related Documentation

• Application Tracking
• Logical Systems for Security Devices

Output Fields Table 4 on page 38 lists the output fields for the show security application-tracking counters command. Output fields are listed in the approximate order in which they appear.

Table 4: show security application-tracking counters Output Fields

Field Name                Field Description
Session create messages   The number of log messages generated when a session was created.
Session close messages    The number of log messages generated when a session was closed.
Session volume updates    The number of log messages generated when an update interval was exceeded.
Failed messages           The number of messages that were not generated due to memory or session constraints.

Sample Output

show security application-tracking counters

user@host> show security application-tracking counters
AVT counters:                    Value
  Session create messages            0
  Session close messages             0
  Session volume updates             0
  Failed messages                    0

PART 4

Index


Symbols

#, comments in configuration statements...x

( ), in syntax descriptions...x

< >, in syntax descriptions...x

[ ], in configuration statements...x

{ }, in configuration statements...x

| (pipe), in syntax descriptions...x

A

application identification...3
    disable...35
    support table...3
application tracking
    AppTrack...5
    application-tracking statement...18
    zones...27
AppTrack...9
    application tracking...5

AppTrack with ssl proxy...14

B

braces, in configuration statements...x

brackets
    angle, in syntax descriptions...x
    square, in configuration statements...x

C

comments, in configuration statements...x

conventions
    text and syntax...ix

curly braces, in configuration statements...x

customer support...xi
    contacting JTAC...xi

D

documentation
    comments on...xi

F

first-update statement...19
font conventions...ix

format statement, first use...22

L

log statement (Security Logging)...23

M

manuals
    comments on...xi

P

parentheses, in syntax descriptions...x

S

security-zone statement...28

session-update-interval statement...20

show security application-tracking counters command...38

ssl proxy
    application tracking...14

stream
    security log...25
