03-Security Configuration Guide: 15-APR configuration
APR signature library management
Restrictions: Licensing requirements for APR
Configuring a user-defined NBAR rule
Configuring a risk type for a user-defined application
Configuring application groups
Enabling application statistics on an interface
Configuring detection thresholds for categorizing an application as type other
Managing the APR signature library
Hardware compatibility with APR signature library management
Restrictions and guidelines for APR signature library management
Scheduling an automatic update for the APR signature library
Triggering an automatic update for the APR signature library
Performing a manual update for the APR signature library
Rolling back the APR signature library
Display and maintenance commands for APR
Configuring APR
About APR
The application recognition (APR) feature recognizes applications of packets for features such as QoS, ASPF, and bandwidth management.
APR uses the following methods to recognize an application:
· Port-based application recognition (PBAR).
· Network-based application recognition (NBAR).
PBAR
PBAR maps a port to an application and recognizes packets of the application according to the port-protocol mapping.
PBAR supports the following port-protocol mappings:
· Predefined—An application uses the port defined by the system.
· User-defined—An application uses the port defined by the user.
PBAR offers the following mappings to maintain and apply user-defined port configuration:
· General port mapping—Maps a user-defined port to an application. All packets destined for that port are regarded as packets of the application. For example, if port 53222 is mapped to BitTorrent, all packets destined for that port are regarded as BitTorrent packets.
· Host-port mapping—Maps a user-defined port to an application for packets to or from specific hosts. For example, you can establish a host-port mapping so that all packets destined for the network segment 10.110.0.0/16 on port 2121 are regarded as FTP packets. To define the range of hosts, you can specify an ACL, a host IP address range, or a subnet.
Host-port mapping can be further divided into the following categories:
  · ACL-based host-port mapping—Maps a port to an application for packets matching the specified ACL.
  · Subnet-based host-port mapping—Maps a port to an application for packets sent to the specified subnet.
  · IP address-based host-port mapping—Maps a port to an application for packets destined for the specified IP addresses.
APR selects a port mapping to recognize the application of a packet in the following order:
· IP address-based port mapping.
· Subnet-based port mapping.
· ACL-based host-port mapping.
· General port mapping.
For the same type of mappings, the port mapping with a transport layer protocol has higher priority than the mapping without a transport layer protocol.
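The selection order above, modelled in Python as an added example (not part of the guide and not device code): a set of constructed user-defined mappings is resolved for a packet by category rank first, then by whether the mapping names a transport protocol. The ACL is stood in for by a callable, and the predefined port-protocol table is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Mapping categories in the order APR consults them (lower rank wins),
# as stated in the guide: host (IP address-based) > subnet > ACL > general.
RANK = {"host": 0, "subnet": 1, "acl": 2, "general": 3}


@dataclass
class PortMapping:
    """One user-defined port mapping (constructed model, not device state)."""
    application: str
    port: int
    protocol: Optional[str] = None          # "tcp"/"udp"; None = no transport protocol given
    kind: str = "general"                   # host | subnet | acl | general
    subnet: Optional[str] = None            # kind == "subnet"
    host_range: Optional[tuple] = None      # kind == "host": (start-ip, end-ip)
    acl: Optional[Callable[[str], bool]] = None  # kind == "acl": stand-in for ACL evaluation

    def matches(self, dst_ip: str, dst_port: int, protocol: str) -> bool:
        if self.port != dst_port:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        ip = ipaddress.ip_address(dst_ip)
        if self.kind == "host":
            lo, hi = (ipaddress.ip_address(a) for a in self.host_range)
            return lo <= ip <= hi
        if self.kind == "subnet":
            return ip in ipaddress.ip_network(self.subnet, strict=False)
        if self.kind == "acl":
            return self.acl(dst_ip)
        return True  # general mapping: any destination host on that port


def recognize(mappings, dst_ip, dst_port, protocol="tcp"):
    """Return the application of the highest-priority matching mapping, or None
    if no user-defined mapping applies (the predefined table is not modelled)."""
    candidates = [m for m in mappings if m.matches(dst_ip, dst_port, protocol)]
    if not candidates:
        return None
    # Category rank first; within a category, a mapping that names a transport
    # protocol (protocol is not None -> False sorts first) beats one that does not.
    best = min(candidates, key=lambda m: (RANK[m.kind], m.protocol is None))
    return best.application


# Constructed mappings, including the two examples from the guide's text.
MAPPINGS = [
    PortMapping("bittorrent", 53222),
    PortMapping("ftp", 2121, kind="subnet", subnet="10.110.0.0/16"),
    PortMapping("ssh", 2121, protocol="tcp"),
    PortMapping("telnet", 2121, kind="host", host_range=("10.110.1.1", "10.110.1.10")),
    PortMapping("http", 2121, kind="acl", acl=lambda ip: ip.startswith("192.168.")),
]

if __name__ == "__main__":
    print(recognize(MAPPINGS, "10.110.1.5", 2121))         # telnet: host beats subnet
    print(recognize(MAPPINGS, "10.110.200.9", 2121))       # ftp: subnet beats general, even with protocol
    print(recognize(MAPPINGS, "192.168.3.4", 2121))        # http: ACL beats general
    print(recognize(MAPPINGS, "172.16.0.1", 2121, "udp"))  # None: the only general mapping is TCP
```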
NBAR
NBAR matches packet contents against predefined or user-defined NBAR rules to recognize the applications of packets that match the applied object policy.
NBAR can recognize the following application types:
· Predefined—Defined by NBAR rules in the APR signature library.
· User-defined—Defined by user-configured NBAR rules.
Application group
You can add applications that have similar signatures or restrictions to an application group. APR recognizes packets of these applications by matching packet contents against the signatures or restrictions. If a packet is recognized as belonging to an application in the group, it is considered to belong to the application group. Features such as ASPF and bandwidth management can then handle all packets of the group as a batch.
You can add applications to an application group by using the following methods:
· Add applications one by one to the application group.
· Copy applications from another application group to the application group.
APR signature library management
APR signature library
The APR signature library is a resource library of character string signatures for application recognition. It includes PBAR and NBAR signatures. To keep up with changing application recognition requirements, update the APR signature library in a timely manner and roll it back when needed.
APR signature library update
You can update the APR signature library by using one of the following methods:
· Automatic update.
The device automatically downloads the most up-to-date APR signature file to update its local signature library periodically.
· Triggered update.
The device downloads the most up-to-date APR signature file to update its local signature library immediately after you trigger the update operation.
· Manual update.
Use this method when the device cannot obtain the APR signature file automatically.
You must first download the most up-to-date APR signature file manually. The device then obtains the downloaded file to update its local signature library.
APR signature library rollback
You can perform a rollback if a high error rate or abnormal behavior occurs when the device uses the current APR signature library for application recognition.
You can roll back the current APR signature library to the last version or to the factory version.
Restrictions: Licensing requirements for APR
To update the APR signature library, you must purchase and install the appropriate license. After the license expires, APR can still use the existing signature library but cannot update the signature library. For information about licenses, see license management in Fundamentals Configuration Guide.
APR tasks at a glance
To configure APR, perform the following tasks:
1. Configuring PBAR
2. Configuring a user-defined NBAR rule
3. Configuring a risk type for a user-defined application
4. Configuring application groups
5. Enabling application statistics on an interface
6. Configuring detection thresholds for categorizing an application as type other
7. Managing the APR signature library
Configuring PBAR
1. Enter system view.
system-view
2. Configure a port mapping.
Choose the options to configure as needed:
  · Configure a general port mapping:
    port-mapping application application-name port port-number [ protocol protocol-name ]
  · Configure an ACL-based host-port mapping:
    port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number
  · Configure a subnet-based host-port mapping:
    port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]
  · Configure an IP address-based host-port mapping:
    port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
By default, all applications are mapped to well-known ports.
If the specified application does not exist, the system first creates the protocol.
Configuring a user-defined NBAR rule
About this task
You can configure user-defined NBAR rules if predefined NBAR rules cannot meet user needs. The predefined NBAR rules cannot be deleted or modified.
A user-defined NBAR rule can contain the following match criteria:
· Signatures.
· Destination IP subnet.
· Source IP subnet.
· Direction in which the application is recognized.
· Port number.
You can configure more than one match criterion for the NBAR rule. To match the NBAR rule, packets must match all the configured match criteria in the rule. If multiple signatures are configured, packets must match a minimum of one signature.
Hardware and feature compatibility
Hardware platform | Module type | Feature compatibility
---|---|---
M9006, M9010, M9014 | Blade IV firewall module | Yes
M9006, M9010, M9014 | Blade V firewall module | Yes
M9006, M9010, M9014 | NAT module | No
M9010-GM | Encryption module | Yes
M9016-V | Blade V firewall module | Yes
M9008-S, M9012-S | Blade IV firewall module | Yes
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes
M9008-S, M9012-S | Video network gateway module | Yes
M9008-S-V | Blade IV firewall module | Yes
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes
M9000-AK001 | Blade V firewall module | Yes
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes
Procedure
1. Enter system view.
system-view
2. Create a user-defined NBAR rule and enter its view.
nbar application application-name protocol { http | tcp | udp }
3. (Optional.) Configure the description of the NBAR rule.
description text
By default, the user-defined NBAR rule is described as User defined application.
4. Configure a signature and enter NBAR rule signature view.
signature [ signature-id ] [ field field-name ] [ offset offset-value ] { hex hex-vector | regex regex-pattern | string string }
By default, no signatures are configured for an NBAR rule.
5. (Optional.) Configure a detection item for the signature.
detection detection-id field field-name match-type { exclude | include } { hex hex-vector | regex regex-pattern | text text-string } [ offset offset-value [ depth depth-value ] | relative-offset relative-offset-value [ relative-depth relative-depth-value ] ]
By default, no detection items are configured for a signature.
6. Return to user-defined NBAR rule view.
quit
7. (Optional.) Specify a destination IP subnet.
destination ip ipv4-address [ mask-length ]
By default, an NBAR rule matches packets with any destination IP address.
8. (Optional.) Specify a source IP subnet.
source ip ipv4-address [ mask-length ]
By default, an NBAR rule matches packets with any source IP address.
9. (Optional.) Specify a direction.
direction { to-client | to-server }
By default, an NBAR rule matches packets in both directions.
10. (Optional.) Specify a port number or port range.
service-port { port-num | range start-port end-port }
By default, an NBAR rule matches packets of all port numbers.
11. (Optional.) Set the maximum detected length.
apr set detectlen bytes
By default, the maximum detected length is not set for an NBAR rule.
12. (Optional.) Disable the user-defined NBAR rule.
disable
By default, a user-defined NBAR rule is enabled.
13. Return to system view.
quit
14. Activate the user-defined NBAR rule.
inspect activate
For information about this command, see DPI engine commands in DPI Command Reference.
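The match semantics described under "About this task" (all configured criteria must match; among several signatures, one is enough) together with the optional direction, service-port, detectlen and disable settings from the procedure, modelled in Python as an added example that is not part of the guide. The packet dictionary, the "MYAPP" protocol and its signatures are constructed for illustration; the maximum detected length is modelled as truncating the inspected payload.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Signature:
    """One signature of a rule: hex, regex or string, matched from a byte offset."""
    kind: str            # "hex" | "regex" | "string", as in the signature command
    pattern: str
    offset: int = 0

    def matches(self, payload: bytes) -> bool:
        data = payload[self.offset:]
        if self.kind == "hex":
            return data.startswith(bytes.fromhex(self.pattern))
        if self.kind == "string":
            return data.startswith(self.pattern.encode())
        return re.search(self.pattern.encode(), data) is not None


def _in_subnet(ip: str, subnet: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)


@dataclass
class NbarRule:
    """Constructed model of a user-defined NBAR rule and its match semantics."""
    name: str
    protocol: str                                   # http | tcp | udp
    signatures: List[Signature] = field(default_factory=list)
    destination: Optional[str] = None               # destination ip subnet
    source: Optional[str] = None                    # source ip subnet
    direction: Optional[str] = None                 # to-client | to-server; None = both
    service_port: Optional[Tuple[int, int]] = None  # inclusive port range
    detectlen: Optional[int] = None                 # apr set detectlen (bytes inspected)
    enabled: bool = True                            # the disable command sets this False

    def matches(self, pkt: dict) -> bool:
        """pkt is a constructed dict: proto, src, dst, dport, direction, payload."""
        if not self.enabled or pkt["proto"] != self.protocol:
            return False
        # Every configured criterion must match (logical AND); unset ones are skipped.
        if self.destination and not _in_subnet(pkt["dst"], self.destination):
            return False
        if self.source and not _in_subnet(pkt["src"], self.source):
            return False
        if self.direction and pkt["direction"] != self.direction:
            return False
        if self.service_port and not (self.service_port[0] <= pkt["dport"] <= self.service_port[1]):
            return False
        # Only the first detectlen bytes are inspected (modelled here as truncation).
        payload = pkt["payload"][:self.detectlen] if self.detectlen else pkt["payload"]
        # With several signatures, matching any one of them is enough (logical OR).
        return not self.signatures or any(s.matches(payload) for s in self.signatures)


# Constructed rule for a hypothetical "MYAPP" protocol: text or binary framing,
# only towards servers in 10.1.0.0/16 on TCP ports 8000-8100.
MYAPP = NbarRule(
    name="myapp", protocol="tcp",
    signatures=[Signature("string", "MYAPP/1."), Signature("hex", "00ff4d41")],
    destination="10.1.0.0/16", direction="to-server", service_port=(8000, 8100),
)


def sample_packet(**overrides) -> dict:
    """A constructed to-server packet that MYAPP accepts unless a field is overridden."""
    pkt = {"proto": "tcp", "src": "192.0.2.10", "dst": "10.1.2.3", "dport": 8080,
           "direction": "to-server", "payload": b"MYAPP/1.0 hello"}
    pkt.update(overrides)
    return pkt
```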
Configuring a risk type for a user-defined application
About this task
A user-defined application can have multiple or no risk types.
The more risk types a user-defined application has, the higher risk level the application has. You can configure security policies according to the risk level.
The risk types for predefined applications are automatically generated by the APR signature library.
Hardware and feature compatibility
Hardware platform | Module type | Feature compatibility
---|---|---
M9006, M9010, M9014 | Blade IV firewall module | Yes
M9006, M9010, M9014 | Blade V firewall module | Yes
M9006, M9010, M9014 | NAT module | No
M9010-GM | Encryption module | Yes
M9016-V | Blade V firewall module | Yes
M9008-S, M9012-S | Blade IV firewall module | Yes
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes
M9008-S, M9012-S | Video network gateway module | Yes
M9008-S-V | Blade IV firewall module | Yes
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes
M9000-AK001 | Blade V firewall module | Yes
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes
Restrictions and guidelines
Before configuring risk types, you must update the APR signature library to the latest version.
The user-defined application must already exist.
Procedure
1. Enter system view.
system-view
2. Enter user-defined application view.
user-defined-application application-name
3. Configure a risk type for the user-defined application.
risk type risk-type
By default, a user-defined application does not have any risk type.
Configuring application groups
1. Enter system view.
system-view
2. Create an application group and enter its view.
app-group group-name
3. (Optional.) Configure the description of the application group.
description text
By default, the description is "User-defined application group".
4. Add applications to the group.
Choose the options to configure as needed:
  · Copy all applications from another group to the group.
    copy app-group group-name
    Execute this command multiple times to copy applications from multiple groups to the current group.
  · Add an application to the group.
    include application application-name
By default, an application group does not contain any applications.
Enabling application statistics on an interface
About this task
When the application statistics feature is enabled on an interface, the device separately counts the number of packets and bytes that the interface has received or sent for each application. It also calculates the interface's transmission rate for each of these applications.
To display application statistics, use the display application statistics command.
Restrictions and guidelines
The application statistics feature consumes a large amount of system memory. When the system generates an alarm for lack of memory, disable the application statistics feature on all interfaces.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 interface view.
interface interface-type interface-number
3. Enable application statistics on the interface.
application statistics enable [ inbound | outbound ]
By default, this feature is disabled.
If you do not specify the inbound or outbound keyword, this command enables the application statistics feature in both the inbound and outbound directions of the interface.
Configuring detection thresholds for categorizing an application as type other
About this task
If the device cannot identify the application to which the packets of a protocol belong after the detection thresholds are reached, it categorizes the packets as belonging to type other.
Restrictions and guidelines
You can configure both the packet count threshold and the payload length threshold for the same protocol.
Procedure
1. Enter system view.
system-view
2. Configure detection thresholds for categorizing an application as type other.
apr protocol protocol-name detection-threshold { packet-count count | payload-length length } application-other
By default, the device uses predefined detection thresholds in the signature library for categorizing an application as type other.
Managing the APR signature library
Hardware compatibility with APR signature library management
Hardware platform | Module type | Feature compatibility
---|---|---
M9006, M9010, M9014 | Blade IV firewall module | Yes
M9006, M9010, M9014 | Blade V firewall module | Yes
M9006, M9010, M9014 | NAT module | No
M9010-GM | Encryption module | Yes
M9016-V | Blade V firewall module | Yes
M9008-S, M9012-S | Blade IV firewall module | Yes
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes
M9008-S, M9012-S | Video network gateway module | Yes
M9008-S-V | Blade IV firewall module | Yes
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes
M9000-AK001 | Blade V firewall module | Yes
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes
Restrictions and guidelines for APR signature library management
For a successful APR signature library update or rollback, do not delete the /dpi/ folder in the root directory on the device storage media.
Do not update or roll back the APR signature library when the remaining system memory reaches any alarm threshold. Insufficient memory causes update or rollback failure and affects the operation of NBAR. For information about memory alarm thresholds, see device management in Fundamentals Configuration Guide.
You can update only one APR signature library at a time. If an APR signature library is being updated, please wait for the update to complete before updating another APR signature library.
Scheduling an automatic update for the APR signature library
About this task
If the device can access the signature library services on the official website, you can schedule an automatic update. The automatic update enables the device to automatically update the local APR signature library at the scheduled update time.
Restrictions and guidelines
For a successful automatic update, make sure the following requirements are met:
· The device can obtain the IP address of the official website through static or dynamic domain name resolution.
· The device can access the signature library services on the official website.
For information about DNS, see Layer 3—IP Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable the automatic update feature and enter auto-update configuration view.
apr signature auto-update
By default, the automatic update feature is disabled.
3. Configure the update schedule.
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
By default, the device automatically updates the APR signature library between 02:01:00 and 04:01:00 every day.
4. (Optional.) Overwrite the current signature file.
override-current
By default, the current APR signature file is not overwritten for an update operation. Instead, the device will back up the current APR signature file.
Triggering an automatic update for the APR signature library
About this task
Whenever a new signature version is released on the official website, you can trigger the device to immediately update the local APR signature library.
Restrictions and guidelines
For a successful triggered update, make sure the following requirements are met:
· The device can obtain the IP address of the official website through static or dynamic domain name resolution.
· The device can access the signature library services on the official website.
For information about DNS, see Layer 3—IP Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Trigger an automatic update for the APR signature library.
apr signature auto-update-now
Performing a manual update for the APR signature library
About this task
If the device cannot access the signature library services on the official website, use one of the following methods to manually update the APR signature library on the device:
· Local update—By using the locally stored APR signature file.
(In standalone mode.) To ensure a successful update, the APR signature file must be stored on the active MPU.
(In IRF mode.) To ensure a successful update, the APR signature file must be stored on the global active MPU.
· FTP/TFTP update—By using the APR signature file stored on the FTP or TFTP server.
Procedure
1. Enter system view.
system-view
2. Manually update the APR signature library.
apr signature update [ override-current ] file-path
Rolling back the APR signature library
About this task
Each time a rollback operation is performed, the device backs up the APR signature library of the current version. If you repeat the rollback to the last version operation multiple times, the APR signature library will repeatedly switch between the current version and the last version.
Restrictions and guidelines
To ensure that the APR signature library can be successfully rolled back to the last version, back up the current APR signature library each time you update the library.
Procedure
1. Enter system view.
system-view
2. Roll back the APR signature library.
apr signature rollback { factory | last }
Display and maintenance commands for APR
Execute display commands in any view and reset commands in user view.
Display information about application groups.
  display app-group [ name group-name ]
Display information about applications.
  display application [ name application-name | pre-defined | user-defined ]
Display statistics for applications.
  In standalone mode: display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ slot slot-number [ cpu cpu-number ] ] | name application-name ] *
  In IRF mode: display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] | name application-name ] *
Display statistics for applications on an interface in descending order based on the specified criteria.
  In standalone mode: display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ slot slot-number [ cpu cpu-number ] ]
  In IRF mode: display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Display detection threshold settings for applications categorized as type other.
  display apr protocol [ protocol-name ] detection-threshold-other
Display APR signature library information.
  display apr signature library
Display information about predefined port mappings.
  display port-mapping pre-defined
Display information about user-defined port mappings.
  display port-mapping user-defined [ application application-name | port port-number ]
Clear application statistics for interfaces.
  reset application statistics [ interface interface-type interface-number ]