04-Objects

H3C Firewall Products Comware 7 Web Configuration Guide-6W402

10-APR

APR

This help contains the following topics:

·     Introduction

¡     PBAR

¡     NBAR

¡     Application group

·     Restrictions and guidelines

·     Configure APR

¡     Configure an application

¡     Configure an application group

Introduction

The application recognition (APR) feature identifies the application protocol of packets received on or sent out of ports, so that application-based services can act on them, and collects packet count and transmit rate statistics per application.

APR uses the following methods to recognize an application protocol:

·     Port-based application recognition (PBAR).

·     Network-based application recognition (NBAR).

In this help, application protocols are the protocols that APR can recognize. Applications are either predefined by the system or user-defined.

PBAR

PBAR maps a port to an application protocol and recognizes packets of the application protocol according to the port-protocol mapping.

PBAR supports the following port-protocol mappings:

·     Predefined—An application protocol uses the port defined by the system.

·     User-defined—An application protocol uses the port defined by the user.

PBAR offers the following mappings to maintain and apply user-defined port configuration:

·     General port mapping—Maps a user-defined port to an application protocol. All packets destined for that port are regarded as packets of the application protocol. For example, if port 2121 is mapped to FTP, all packets destined for that port are regarded as FTP packets.

·     Host-port mapping—Maps a user-defined port to an application protocol for packets to or from some specific hosts. For example, you can establish a host-port mapping so that all packets destined for the network segment 10.110.0.0/16 on port 2121 are regarded as FTP packets. To define the range of the hosts, you can specify the ACL, the host IP address range, or the subnet.

NBAR

A license is required to update the APR signature library. After the license expires, NBAR continues to use the existing signature library but cannot update it. For information about licenses, see the license management online help.

NBAR uses predefined or user-defined NBAR rules to match packet contents to recognize the application protocols of matching packets.

In the current software version, only predefined NBAR rules are supported, and they are not configurable.

Application group

You can add application protocols that have similar signatures or restrictions to an application group. APR recognizes packets of these application protocols by matching packet contents against their signatures or restrictions. A packet recognized as belonging to any application protocol in the group is treated as a packet of the application group.

An application group can contain multiple predefined and user-defined applications.

Restrictions and guidelines

Before using the APR feature, update the APR signature library to the latest version.

Configure APR

Configure an application

You can create and modify user-defined applications for PBAR on the Applications page.

Port mapping categories

The following port mapping categories are available for PBAR:

·     General port mapping—Maps a user-defined port to an application protocol. All packets destined for that port are regarded as packets of the application protocol. For example, if port 2121 is mapped to FTP, all packets destined for that port are regarded as FTP packets.

·     ACL-based host-port mapping—Maps a port to an application protocol for the packets matching the specified ACL.

·     Subnet-based host-port mapping—Maps a port to an application protocol for the packets sent to the specified subnet. If multiple subnet-based mappings are applied to packets and these subnets overlap, PBAR matches the packets destined for the overlapped segment with the port mapping of the subnet that has the smallest range.

·     IP address-based host-port mapping—Maps a port to an application protocol for the packets destined for the specified IP addresses.

Create a port mapping

1.     Click the Objects tab.

2.     Select APPSecurity > App Recognition > Applications.

3.     Click Create to create an application.

4.     Enter a name for the application, and select risk types. The device calculates a risk level based on the specified risk types.

5.     Click Create in the Port mappings area.

6.     Create a port mapping for the application.

Table 1 Port mapping configuration items

Port number: Enter the number of the port to which the application is mapped.

Protocol: Select a transport layer protocol. Possible values are All, DCCP, SCTP, TCP, UDP, and UDP-Lite. If All is selected, any packet carrying the specified port is recognized as the application protocol's packet, regardless of the transport layer protocol that encapsulates it.

Type: Select a match type from the following values:

·     All, representing general port mapping.

·     IPv4 address-based host-port mapping.

·     IPv6 address-based host-port mapping.

·     IPv4 subnet-based host-port mapping.

·     IPv6 subnet-based host-port mapping.

·     IPv4 ACL-based host-port mapping.

·     IPv6 ACL-based host-port mapping.

Match criteria: Depending on the selected type, enter an IP address range (IP address-based host-port mapping), an IP subnet (subnet-based host-port mapping), or an ACL (ACL-based host-port mapping).

VRF instance: Select a VRF instance.


7.     Click OK.

You can create multiple port mappings for an application. If a packet matches more than one port mapping, PBAR applies them in the following order of precedence to recognize the application protocol of the packet:

a.     IP address-based port mapping.

b.     Subnet-based port mapping.

c.     ACL-based host-port mapping.

d.     General port mapping.

8.     Click OK on the Create Application page.

On the Applications page, select Show user-defined applications only to verify the configuration.
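The following Python model illustrates how the host-port mappings introduced under "PBAR" and the precedence rules above fit together. It is an added example written for this page, not H3C's implementation: the class names, the simplified ACL (ordered permit/deny rules on source and destination prefixes, first match wins, no match means the packet does not match the ACL), and all addresses, ports and application names are constructed for illustration. It encodes the documented order (IP address-based, then subnet-based, then ACL-based, then general), the smallest-subnet rule for overlapping subnet mappings, and the behaviour of Protocol = All, which matches any transport layer protocol.

```python
"""Illustrative model of PBAR port-to-application lookup (not H3C's code).

Implements the documented match precedence:
  1. IP address-based host-port mapping
  2. Subnet-based host-port mapping (overlapping subnets: smallest range wins)
  3. ACL-based host-port mapping
  4. General port mapping
A transport protocol of "all" matches any transport layer protocol.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PRECEDENCE = {"ip": 0, "subnet": 1, "acl": 2, "general": 3}  # lower value wins


@dataclass(frozen=True)
class AclRule:
    """Simplified ACL rule (assumption): permit/deny on source and destination prefixes."""
    permit: bool
    src: object  # IPv4Network or IPv6Network
    dst: object


def acl_permits(rules: Tuple[AclRule, ...], src, dst) -> bool:
    """First matching rule decides; no matching rule means the packet does not match the ACL."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.permit
    return False


@dataclass(frozen=True)
class PortMapping:
    app: str
    port: int
    proto: str                  # "tcp", "udp", "sctp", "dccp", "udp-lite" or "all"
    kind: str                   # "general", "ip", "subnet" or "acl"
    ip_range: Optional[Tuple[object, object]] = None  # inclusive (lo, hi), kind="ip"
    subnet: Optional[object] = None                   # kind="subnet"
    acl: Tuple[AclRule, ...] = ()                     # kind="acl"

    def matches(self, src, dst, dport: int, proto: str) -> bool:
        if dport != self.port or (self.proto != "all" and self.proto != proto):
            return False
        if self.kind == "general":
            return True
        if self.kind == "ip":
            lo, hi = self.ip_range
            return lo.version == dst.version and lo <= dst <= hi
        if self.kind == "subnet":
            return dst in self.subnet   # False on an IPv4/IPv6 version mismatch
        if self.kind == "acl":
            return acl_permits(self.acl, src, dst)
        raise ValueError(f"unknown mapping kind {self.kind!r}")


def recognize(mappings: List[PortMapping], src: str, dst: str, dport: int, proto: str) -> Optional[str]:
    """Return the application recognized for a packet, or None if no mapping matches."""
    src_a, dst_a = ip_address(src), ip_address(dst)
    proto = proto.lower()
    hits = [m for m in mappings if m.matches(src_a, dst_a, dport, proto)]
    if not hits:
        return None

    def rank(m: PortMapping):
        # Tie-break among subnet mappings: longer prefix = smaller range = more specific.
        specificity = -m.subnet.prefixlen if m.kind == "subnet" else 0
        return (PRECEDENCE[m.kind], specificity)

    return min(hits, key=rank).app


# Constructed sample mappings; names, addresses and ports are illustrative only.
SAMPLE_MAPPINGS = [
    PortMapping("ftp", 2121, "tcp", "general"),
    PortMapping("ftp", 2121, "tcp", "subnet", subnet=ip_network("10.110.0.0/16")),
    PortMapping("legacy-ftp", 2121, "tcp", "subnet", subnet=ip_network("10.110.5.0/24")),
    PortMapping("backup-ftp", 2121, "tcp", "ip",
                ip_range=(ip_address("10.110.5.10"), ip_address("10.110.5.20"))),
    PortMapping("internal-web", 8080, "tcp", "acl",
                acl=(AclRule(True, ip_network("192.168.0.0/16"), ip_network("0.0.0.0/0")),)),
    PortMapping("sip", 5060, "all", "general"),
]

if __name__ == "__main__":
    packets = [("192.168.1.1", "172.16.0.1", 2121, "tcp"),     # general mapping only
               ("192.168.1.1", "10.110.5.100", 2121, "tcp"),   # two overlapping subnets
               ("192.168.1.1", "10.110.5.15", 2121, "tcp"),    # IP range beats subnets
               ("8.8.8.8", "172.16.0.1", 8080, "tcp")]         # ACL does not permit source
    for p in packets:
        print(p, "->", recognize(SAMPLE_MAPPINGS, *p))
```

Two details are worth noting when reading the output. A packet to 10.110.5.100 on TCP 2121 matches both the 10.110.0.0/16 and the 10.110.5.0/24 subnet mappings, and the /24 wins because it is the smaller range; a packet to 10.110.5.15 additionally matches the IP address-based mapping, which takes precedence over both subnets. The ACL-based mapping only recognizes traffic whose source the constructed ACL permits, so the same port from an unlisted source falls through to no match.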

Edit a predefined application

1.     Click the Objects tab.

2.     Select APPSecurity > App Recognition > Applications.

3.     Select a predefined application, and click Edit on the right side.

4.     Follow the steps described in "Create a port mapping" to add port mappings for the application.

After editing, the newly added port mappings take effect immediately. A packet that matches a newly added port mapping is recognized as a packet of that application.

Configure an application group

You can add applications that have similar characteristics or limitations to an application group.

Procedure

1.     Click the Objects tab.

2.     Select APPSecurity > App Recognition > Application Groups.

3.     Click Create.

4.     Create an application group.

Table 2 Application group configuration items

Group: Enter a name for the application group.

Description: Enter a description for identification and management purposes.

Category: Select categories to filter the desired applications.

Risk type: Select risk types to filter the desired applications.

Risk level: Select risk levels to filter the desired applications.

Filter: Click Select all or Select to move applications from the Available Applications list to the Selected Applications list.


5.     Click OK.

6.     Verify the configuration on the Application Groups page.
