So application identification / firewall / secure has made its way to the branch. This is awesome news. So I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With my simple rule base I have seen 1ms increase in my latency!!
After adding the license you can now perform the following:
Install Application identification:
[plain]
request services application-identification download
[/plain]
Check the status:
[plain]
request services application-identification download status
Application package 1980 is installed successfully.
[/plain]
Create an Application Rule Set
All that is happening here is YouTube is BLOCKED, everything else is allowed.
[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]
Add to a security policy:
There is now an 'application-firewall' option under 'application-services' to apply to policies ...
[plain]
cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall   Application firewall services
+ apply-groups           Groups from which to inherit configuration data
+ apply-groups-except    Don't inherit configuration data from these groups
  gprs-gtp-profile       Specify GPRS Tunneling Protocol profile name
  gprs-sctp-profile      Specify GPRS stream control protocol profile name
  idp                    Intrusion detection and prevention
  redirect-wx            Set WX redirection
  reverse-redirect-wx    Set WX reverse redirection
> uac-policy             Enable unified access control enforcement of policy
  utm-policy             Specify utm policy name
[/plain]
Example Policy:
[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]
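To make the evaluation order concrete, here is an added Python model (not part of the original post, and not Juniper code) that parses the set commands above into a rule set and a policy-to-rule-set mapping, then decides what happens to a session once the zone policy has permitted it and application identification has named the dynamic application. It assumes first-match ordering followed by the default-rule, handles only the set-command forms shown in the post, and uses junos:HTTP as a constructed example of some other identified application; the extra validation check (every rule has an action, every rule set has a default-rule) is this model's own sanity check.

```python
"""Model of SRX application-firewall rule-set evaluation (added example).

Flow modelled: zone policy permits -> AppID names the dynamic application ->
the rule set's first matching rule, or its default-rule, gives the verdict.
Assumption: first-match ordering; only the set-command forms from the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Configuration lines copied from the post.
SAMPLE_CONFIG = """
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
"""

RULE_MATCH = re.compile(r"^set security application-firewall rule-sets (\S+) rule (\S+) "
                        r"match dynamic-application (\S+)$")
RULE_THEN = re.compile(r"^set security application-firewall rule-sets (\S+) rule (\S+) "
                       r"then (permit|deny)$")
DEFAULT_RULE = re.compile(r"^set security application-firewall rule-sets (\S+) "
                          r"default-rule (permit|deny)$")
POLICY_APPFW = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                          r"then permit application-services application-firewall rule-set (\S+)$")


@dataclass
class Rule:
    name: str
    apps: List[str] = field(default_factory=list)  # dynamic-application names
    action: Optional[str] = None                   # "permit" or "deny"


@dataclass
class RuleSet:
    name: str
    rules: List[Rule] = field(default_factory=list)  # kept in configuration order
    default_rule: Optional[str] = None


def _rule(rs: RuleSet, name: str) -> Rule:
    """Return the named rule, appending it (preserving order) on first sight."""
    for r in rs.rules:
        if r.name == name:
            return r
    r = Rule(name)
    rs.rules.append(r)
    return r


def parse(config: str) -> Tuple[Dict[str, RuleSet], Dict[Tuple[str, str, str], str]]:
    """Build rule sets plus a (from-zone, to-zone, policy) -> rule-set map."""
    rule_sets: Dict[str, RuleSet] = {}
    policies: Dict[Tuple[str, str, str], str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := RULE_MATCH.match(line):
            _rule(rule_sets.setdefault(m[1], RuleSet(m[1])), m[2]).apps.append(m[3])
        elif m := RULE_THEN.match(line):
            _rule(rule_sets.setdefault(m[1], RuleSet(m[1])), m[2]).action = m[3]
        elif m := DEFAULT_RULE.match(line):
            rule_sets.setdefault(m[1], RuleSet(m[1])).default_rule = m[2]
        elif m := POLICY_APPFW.match(line):
            policies[(m[1], m[2], m[3])] = m[4]
    return rule_sets, policies


def validate(rule_sets: Dict[str, RuleSet]) -> List[str]:
    """Model's own sanity check: every rule needs a then action, every rule set a default-rule."""
    problems = []
    for rs in rule_sets.values():
        if rs.default_rule is None:
            problems.append(f"rule-set {rs.name}: no default-rule")
        for r in rs.rules:
            if r.action is None:
                problems.append(f"rule-set {rs.name} rule {r.name}: no then action")
    return problems


def evaluate(rs: RuleSet, dynamic_app: str) -> Tuple[str, str]:
    """First rule listing the dynamic application wins; otherwise default-rule."""
    for rule in rs.rules:
        if dynamic_app in rule.apps:
            return rule.action, rule.name
    return rs.default_rule, "default-rule"


def decide(rule_sets, policies, from_zone, to_zone, policy, dynamic_app) -> Tuple[str, str]:
    """Verdict for a session the named zone policy has already permitted."""
    rs_name = policies.get((from_zone, to_zone, policy))
    if rs_name is None:
        return "permit", "no application-firewall on policy"
    return evaluate(rule_sets[rs_name], dynamic_app)


if __name__ == "__main__":
    rule_sets, policies = parse(SAMPLE_CONFIG)
    assert not validate(rule_sets)
    # Constructed sessions: one identified as YouTube, one as plain HTTP.
    for app in ("junos:YOUTUBE", "junos:HTTP"):
        action, by = decide(rule_sets, policies, "trust", "untrust", "trust-to-untrust", app)
        print(f"{app:14} -> {action} ({by})")
```

Running it shows junos:YOUTUBE denied by rule youtube and junos:HTTP permitted by the default-rule, which is exactly the "YouTube blocked, everything else allowed" behaviour the rule set is meant to give; reordering rules in the input changes which rule wins, which is why the parser keeps configuration order.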
TODO: Play with 'application-tracking'. Will update blog post once I have.
So it's that simple ... Application firewalling is now across the whole SRX range ... win.