Junos Space Developer

Space Security Director, show only jnprNestedApplication in application visibility

‎01-31-2019 02:07 AM

Hi, I've this strange problem on SecDir.

On my JSA I'm able to receive all types of logs, including "AppTrack" events, but it seems that SecDir in some way recognizes only the nested generic application.

Here are some details:

Juniper JSA and logs received from vSRX, AppTrack included:

Screenshot_20190131_105742.png

 

CODE on SRX:

root@vSRX-HQ# show security log  
mode stream; 
format sd-syslog; 
source-address 10.xxx.xxx.xxx; 
stream securitylog { 
   severity info; 
   format sd-syslog; 
   category all; 
   host { 
       10.xx.xx.xx; 
       port 514; 
   } 
}


syslog { 
   user * { 
       any emergency; 
   } 
   host 10.xx.xx.xxx { 
       any any; 
   } 
   file messages { 
       any any; 
       authorization info; 
   } 
   file interactive-commands { 
       interactive-commands any; 
   } 
   file policy_session { 
       user info; 
       match RT_FLOW;  # I tried also match any any any
       archive size 1000k world-readable; 
       structured-data;                 
   } 
}



In the statistics and show output on the SRX, everything seems to be working:

Application tracking counters:

AppTrack counter type                             Value 
Session create messages                                0 
Session close messages                                 159613 
Session volume updates                                 13935 
Session route updates                                  0 
Session zone updates                                   0 
Failed messages                                        0
# Even though "create messages 0" is strange

 

On SecDir I've only:

Screenshot_20190131_110634.png

 

I didn't find anything similar in forum posts.

Any help from the community?

regards


Re: Space Security Director, show only jnprNestedApplication in application visibility

‎01-31-2019 06:16 AM

UPDATE:
delete and set these commands:

set security application-tracking session-update-interval 1 
set security application-tracking first-update 

And at least right now the counters on create messages are running:

    AppTrack counter type                             Value
 Session create messages                                276
 Session close messages                                 179936
 Session volume updates                                 17956
 Session route updates                                  0
 Session zone updates                                   0
 Failed messages                                        0

 

BTW no good news from SecDir.
Application Name is still only jnprNestedApplication :-|


Re: Space Security Director, show only jnprNestedApplication in application visibility

‎01-31-2019 07:30 AM

UPDATE2:
Really crazy... SRX is working well and correctly:

Here are all the applications tracked by the SRX:
root@vSRX-HQ> show services application-identification statistics applications    
Last Reset: 2019-01-31 16:21:08 UTC
                      Application           Sessions              Bytes    Encrypted
                           AMAZON                  2              10201           No
     ANDROID-MARKETPLACE-DOWNLOAD                  1               4550           No
                              DNS                220              43445           No
                  FACEBOOK-ACCESS                  8              50730           No
                   FACEBOOK-VIDEO                  2            2215508           No
                             HTTP                  2               7358           No
                        ICMP-ECHO                 10               1544           No
                        MICROSOFT                  2              13822           No
                              NTP                  5                760           No
                     OPERA-UPDATE                  2              15755           No
                          OUTLOOK                  2              85656           No
                            RLCDN                  4              25899           No
                              SMB                  1               6120           No
                             SNMP                  8             113668           No
                              SSH                  4               7732           No
                              SSL                 88            7129194          Yes
                           SYSLOG                  1                649           No

But on Secure Directory.... NO Just Unknown, under jnprNestedApplication.

 

Maybe something is wrong in the way syslog is sent?! Mmm, OK, but no other way works, even following the documentation.


Re: Space Security Director, show only jnprNestedApplication in application visibility

‎01-31-2019 08:36 AM
Hi,

There was a similar bug in SD so better to contact JTAC.
You can try restarting log collector once.

Regards,
Pravin
-PL

Re: Space Security Director, show only jnprNestedApplication in application visibility

‎01-31-2019 08:42 AM

BY
Thanks for the prompt answer.
At the moment I'm trying to restart JSA, after having restarted SecDir and also vSRX.
I've tried to remove and add the log collector once again in the secdir configuration.
Let's see in at least half an hour (the time for JSA to boot up :-) ) ... what the result will be.
For me the same... It seems that there is a kind of cache inside secdirectory.
In fact, right now, with no JSA configured and JSA still booting, I still see the jnprNestedApplication unknown present on the secdir graph :-| bah...


Re: Space Security Director, show only jnprNestedApplication in application visibility

‎01-31-2019 08:53 AM
Unknown will be there as it is in the SD database.
Btw, what SD and JSA versions are you using?

Regards,
Pravin
-PL

Re: Space Security Director, show only jnprNestedApplication in application visibility

‎02-01-2019 01:59 AM

No way, even with a reload:
- Security Director version is: 18.3.R1

- vSRX is: JUNOS 15.1X49-D140.3

- JSA is:  7.3.1

 

The crazy thing is that AppTrack yesterday, for some minutes, was able to recognize some applications (nested application correctly), even though the "application menu" was always "unknown".

Today no application in the log is recognized. Always the "unknown" keyword.
But still vSRX seems to be working well, have a look:

                          ADDTHIS                  2              11284           No
                            ADOBE                 48             414507           No
                       AKAMAI-SSL                  1                802           No
                           AMAZON                 95           11841275           No
                       AMAZON-AWS                 13             117706           No
     ANDROID-MARKETPLACE-DOWNLOAD                 19             310965           No
                             BING                  6             285182           No
                          BOOKING                  5             148565           No
                     BOOTSTRAPCDN                 13             139181           No
                          CEDEXIS                 12             574957           No
                            CLDAP                198              84683           No
                       CLOUDFLARE                 22            3972325           No
                           CRITEO                  8              50826           No
                              DNS              26623            4612291           No
                          DROPBOX                 78             583152           No
                             EBAY                 38            3785993           No
                        ENSIGHTEN                  7             114978           No
                              EPM                 50              58096           No
                     EVEREST-TECH                  1              12393           No
                          EXELATE                  2              22590           No
                  FACEBOOK-ACCESS                 42           21668807           No
               FACEBOOK-MESSENGER                  6             185059           No
                   FACEBOOK-VIDEO                  3            3199339           No
                           FASTLY                  4              51959           No
                            GMAIL                 10            1405733           No
                  GOOGLE-ACCOUNTS                  3              38726           No
            GOOGLE-ADSERVICES-SSL                  7             177065           No
        GOOGLE-ANALYTICS-TRACKING                 10             289485           No
                     GOOGLE-CACHE                  8             230845           No
                  GOOGLE-CALENDAR                  2              31510           No
                       GOOGLE-GEN                285            7220630           No
                    GOOGLE-STATIC                 23            1494814           No
                      GOOGLE-TAGS                 12             537758           No
                       GOOGLETALK                  1              23783           No
                           HOTJAR                  6             147755           No
                             HTTP                944           83328693           No
                            HTTP2                153           12398027           No
                        ICMP-ECHO               2206             510212           No
                           JQUERY                  1               8925           No
                             KRB5                116             393276           No
                             KRUX                  2              16546           No
                             LDAP                 94             569578           No

A lot of applications recognized, but in some way this information is not correctly forwarded by sd-log-format to the JSA. :-\

 

I've another firewall, for SD-WAN simulation. I'll try to configure it with demo licenses (I'm in a lab environment) and see if r17 has the same problem as r15, without touching JSA or SD.

 

Any other ideas?!
regards
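
Added example, not part of the original posts and not Juniper code: a small Python check to run over a capture of the sd-syslog stream the SRX sends, to tell whether application names are already missing on the wire or are lost downstream in the collector. The sample lines are constructed, and the `APPTRACK_` message-id prefix, the SD-ID and the field names `application` and `nested-application` are assumptions about the payload.

```python
import re
from collections import Counter

# RFC 5424 layout: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID name="value" ...]
HEADER = re.compile(
    r'^<\d{1,3}>1 \S+ \S+ \S+ \S+ (\S+) '
    r'\[\S+?((?: [^\s=\]"]+="(?:\\.|[^"\\\]])*")*)\]')
PARAM = re.compile(r'([^\s=\]"]+)="((?:\\.|[^"\\\]])*)"')

# Constructed sample lines (not captured from the poster's vSRX). The SD-ID,
# field names and values are assumptions made for this example.
SAMPLE = [
    '<14>1 2019-01-31T16:21:09.100Z vSRX-HQ RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" application="HTTP" '
    'nested-application="FACEBOOK-ACCESS"]',
    '<14>1 2019-01-31T16:21:10.200Z vSRX-HQ RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 application="SSL" nested-application="UNKNOWN"]',
    '<14>1 2019-01-31T16:21:11.300Z vSRX-HQ RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 application="UNKNOWN" nested-application="UNKNOWN"]',
    '<14>1 2019-01-31T16:21:12.400Z vSRX-HQ RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 application="DNS"]',
    '<14>Jan 31 16:21:13 vSRX-HQ RT_FLOW: not structured data',
]

def parse_sd(line):
    """Return (msgid, params) for an RFC 5424 line with structured data, else None."""
    m = HEADER.match(line)
    if not m:
        return None
    # Undo the RFC 5424 backslash escaping of '"', '\' and ']' in values.
    params = {k: re.sub(r'\\(.)', r'\1', v) for k, v in PARAM.findall(m.group(2))}
    return m.group(1), params

def apptrack_tally(lines):
    """Count (application, nested-application) pairs over APPTRACK_* events only."""
    counts = Counter()
    for line in lines:
        parsed = parse_sd(line)
        if parsed and parsed[0].startswith("APPTRACK_"):
            p = parsed[1]
            key = (p.get("application", "<absent>"), p.get("nested-application", "<absent>"))
            counts[key] += 1
    return counts

def unidentified_share(counts):
    """Fraction of AppTrack events whose application is UNKNOWN or absent."""
    total = sum(counts.values())
    bad = sum(n for (app, _), n in counts.items() if app in ("UNKNOWN", "<absent>"))
    return bad / total if total else 0.0
```

If the tally over a real capture shows named applications while the dashboard still shows only unknown, the loss is happening after the SRX.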
Solution
Accepted by topic author alfaromeo
‎02-06-2019 03:17 AM

Re: Space Security Director, show only jnprNestedApplication in application visibility

‎02-06-2019 03:17 AM

Confirmed by JTAC.
At the moment, this is a BUG on 18.3R1.
No ETA of resolutions shared at the moment.

 

:-\