Junos IN FOCUS User Manual

IN FOCUS
Published 2020-10-16
Junos® OS Release 20.2
Juniper Networks, Inc.
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.

Table of Contents

1 Start Here with Junos OS Release 20.2
    What You Need to Know About the In Focus Guide | 6
    Important Features in Junos OS Release 20.2 | 6
2 Analyze Unknown Application Traffic Using Packet Capture
    How to Configure Packet Capture of Unknown Application Traffic | 13
    Packet Capture of Unknown Application Traffic Overview | 13
    Benefits of Packet Capture of Unknown Application Traffic | 13
    Configure Packet Capture For Unknown Application Traffic | 14
3 Control the Re-merge Behavior on Point-to-Multipoint LSP Network
    How to Control the Re-merge Behavior on the Point-to-Multipoint LSP Network | 22
    Re-merge Behavior on Point-to-Multipoint LSP Overview | 22
    Benefits of Controlling the P2MP LSP Re-merge | 22
    What is P2MP LSP Re-merge? | 23
    Modify the Default P2MP LSP Re-merge Behavior | 24
4 Implement Retaining the Authentication Session Using IP-MAC Bindings
    How to Retain the Authentication Session Using IP-MAC Bindings | 27
    Retaining the Authentication Session Based on IP-MAC Address Bindings | 27
    Benefits | 28
    CLI Configuration | 28
    RADIUS Server Attributes | 29
    Verification | 29
5 NETCONF Sessions over Transport Layer Security (TLS)
    How to Configure NETCONF Sessions over Transport Layer Security (TLS) | 32
    Understanding NETCONF-over-TLS Connections | 32
    Benefits of NETCONF over TLS | 32
    NETCONF over TLS Overview | 33
    Understanding the TLS Client-to-NETCONF Username Mapping | 34
    NETCONF-over-TLS Connection Workflow | 36
    How to Establish a NETCONF Session over TLS | 37
    Install TLS Client Software on the Configuration Management Server | 37
    Obtain X.509 Certificates for the Server and Client | 37
    Install the Server’s Local Certificate in the Junos OS PKI | 39
    Install the CA Certificates in the Junos OS PKI | 40
    Enable the NETCONF Service over TLS | 41
    Configure the TLS Client-to-NETCONF Username Mapping | 42
    Configure the Default NETCONF Username Mapping | 43
    Configure the User Account for the NETCONF User | 44
    Start the NETCONF-over-TLS Session | 45
6 Safe Search Enhancement for Web Filtering
    How to Configure Web Filtering with Safe Search | 49
    Safe Search Enhancement for Web Filtering Overview | 49
    Benefits of Safe Search Enhancement for Web Filtering | 49
    Features of Safe Search Enhancement for Web Filtering | 49
    Limitations of Safe Search Enhancement for Web Filtering | 51
    Configure Web Filtering with Safe Search | 51
7 LDAP Authentication and Authorization over TLS
    LDAP Authentication and Authorization over TLS | 59
    LDAP Authentication over TLS | 59
    Junos OS User Authentication Overview | 59
    Benefits of LDAP Authentication over TLS | 60
    Supported and Unsupported Features | 60
    LDAP Overview | 61
    Transport Layer Security (TLS) Overview | 61
    How LDAPS Authentication Works | 61
CHAPTER 1

Start Here with Junos OS Release 20.2

What You Need to Know About the In Focus Guide | 6
Important Features in Junos OS Release 20.2 | 6

What You Need to Know About the In Focus Guide

Use this guide to quickly learn about the most important features in Junos OS Release 20.2 and how you can deploy them in your network.
You might also be interested in seeing the complete list of features in the Release Notes for Junos OS
Release 20.2. In addition to this guide, you can find detailed information on concepts, configuration, and
examples in the Junos OS documentation.
Want to tell us what you think about this guide? E-mail us at techpubs-comments@juniper.net.

Important Features in Junos OS Release 20.2

For details on these features, go to the other chapters in this guide or click the link in the feature description below.
Packet capture of unknown application traffic (NFX Series, SRX Series, and vSRX)—Starting in Junos OS Release 20.2R1, your security device can capture unknown application traffic, that is, traffic that does not match any application signature.
Once you have configured the packet capture options on your security device, the unknown application traffic is gathered and stored on the device in a packet capture file (.pcap). You can use the packet capture of an unknown application to define a new custom application signature, and then use that custom application signature in a security policy to manage the application traffic more precisely.
You can also send the .pcap file to Juniper Networks in cases where the traffic is incorrectly classified, or to request creation of an application signature.
[See “How to Configure Packet Capture of Unknown Application Traffic” on page 13 and Application Identification.]
Control the default re-merge behavior on the P2MP LSP (MX Series)—Starting with Junos OS Release
20.2R1, you can control and change the default re-merge behavior on RSVP P2MP LSP. The term re-merge refers to the case of an ingress (headend) or transit node (re-merge node) that creates a re-merge branch intersecting the P2MP LSP at another node in the network. This may occur due to events such as an error in path calculation, an error in manual configuration, or network topology changes during the establishment of the P2MP LSP.
You can control the default re-merge behavior on P2MP LSPs by enabling the newly introduced no-re-merge and no-p2mp-re-merge CLI commands at the ingress (headend) and transit devices (re-merge nodes), respectively.
[See “How to Control the Re-merge Behavior on the Point-to-Multipoint LSP Network” on page 22.]
Retain the authentication session based on DHCP or SLAAC snooping entries (EX2300, EX3400, and
EX4300)—Starting in Junos OS Release 20.2R1, you can configure the switching device to check for a DHCP, DHCPv6, or SLAAC snooping entry before terminating the authentication session when the MAC address ages out. If a snooping entry is present, the authentication session for the end device with that MAC address remains active. This ensures that the end device will be reachable even if the MAC address ages out.
[See “How to Retain the Authentication Session Using IP-MAC Bindings” on page 27.]
NETCONF sessions over TLS (ACX710)—Starting in Junos OS Release 20.2R1, ACX710 routers support
establishing Network Configuration Protocol (NETCONF) sessions over Transport Layer Security (TLS) to manage devices running Junos OS. TLS uses mutual X.509 certificate-based authentication, and provides encryption and data integrity to establish a secure and reliable connection. NETCONF sessions over TLS enable you to remotely manage devices using certificate-based authentication and to more easily manage networks on a larger scale than when using NETCONF over SSH.
[See “How to Configure NETCONF Sessions over Transport Layer Security (TLS)” on page 32.]
Safe search enhancement for Web filtering (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1,
we’ve introduced safe search UTM Web filtering on well-known search engines. This safe search enhancement enforces the safest Web browsing mode available, by default. You can disable the safe search option at the Web filtering-level and profile-level configurations. You can also block search engine cache on the well-known search engines. By blocking the search engine cache, you can hide your Web-browsing activities from other users if you are a part of an organization that has multiple Web users in educational, financial, health-care, banking, and corporate segments.
[See “How to Configure Web Filtering with Safe Search” on page 49.]
Support for LDAP authentication and authorization over TLS (ACX710)—Starting in Junos OS Release 20.2R1, we support LDAP authentication and authorization for Junos OS user login. Through the use of LDAP over TLS (LDAPS), the device running Junos OS (the LDAPS client) authenticates and authorizes users against the LDAPS server over a TLS-protected connection.
To enable LDAPS support, configure the ldaps-server statement at the [edit system] hierarchy level and include ldaps in the [edit system authentication-order] list. LDAPS protects the credentials and directory data exchanged between the client and the server, providing confidentiality and integrity for the authentication traffic.
[See “LDAP Authentication and Authorization over TLS” on page 59.]
REST API support (EX2300, EX2300-MP, EX3400, EX4300, EX4300-MP, EX4600, EX4650, and EX9200)—Starting in Release 20.2R1, Junos OS supports the REST API on EX Series switches. The REST API enables you to securely connect to Junos OS devices, execute remote procedure call (RPC) commands, use the REST API Explorer GUI to experiment with any of the REST APIs, and choose from a variety of formatting and display options, including JavaScript Object Notation (JSON).
[See REST API Guide.]
CPU usage monitoring (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 20.2R1, you can use the following operational commands to monitor the average CPU usage of an SPC3 card for the last minute, hour, or day:
show security monitoring performance spu summary fpc fpc-slot-number pic pic-slot-number
show security monitoring performance spu summary fpc fpc-slot-number pic pic-slot-number thread thread-number
You can monitor the CPU usage information only when the PIC is online.
We’ve introduced the new SNMP MIB objects jnxJsSPUMonitoringSPUThreadsNumber, jnxJsSPUMonitoringSPUThreadIndex, jnxJsSPUMonitoringSPUThreadLastMinUsage, jnxJsSPUMonitoringSPUThreadLastHourUsage, and jnxJsSPUMonitoringSPUThreadLastDayUsage to monitor the CPU usage of an SPC3 card.
[See show snmp mib and show security monitoring performance spu.]
Contrail networking support (cSRX)—Starting in Junos OS Release 20.2R1, we have integrated the cSRX Container Firewall into a Contrail network as a distributed host-based firewall service running in a Docker container. This deployment gives you agile, elastic, and cost-saving security services.
The new virtual solution provides the following capabilities:
Layer 7 security protection (antivirus, application firewall, IPS, application identification, URL filtering, user firewall, UTM content and Web filtering only)
Automated service provisioning and orchestration
Distributed and multitenant traffic securing
Centralized management with Junos Space Security Director, including dynamic policy and address update, remote log collection, and security event monitoring
Scalable security services with small footprints
[See cSRX as Contrail Host-based Firewall User Guide.]
Support for Must-IE check and IE removal for GTPv1 and GTPv2 (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX)—Starting in Release 20.2R1, Junos OS supports the following information element (IE) enforcement functions for GTPv1 and GTPv2:
Must-IE check: Use this function to check for the presence of mandatory IEs in GTPv1-C and GTPv2-C messages, which helps verify message integrity. The device checks for the presence of the Must-IEs of specific GTP messages and forwards a message only if its Must-IEs are present.
IE removal: Use this function to remove IEs from GTPv1-C and GTPv2-C messages. This function helps retain interoperability between Second-Generation Partnership Project (2GPP) and Third-Generation Partnership Project (3GPP) networks.
[See Example: Configure Must-IE check for GTPv1 and GTPv2, and Example: Configure IE removal for GTPv1 and GTPv2.]
User authentication support for tenant systems (SRX Series)—Starting in Release 20.2R1, Junos OS introduces the following authentication support for tenant systems:
address-assignment pools: Creates centralized IPv4 and IPv6 address pools independent of the client applications that use the pools.
access profiles: Runs authentication and accounting requests.
clear network-access aaa subscribers: Clears AAA subscriber statistics and logs out subscribers. You can log out subscribers based on the username or on the subscriber session identifier.
[See Firewall Authentication for Tenant Systems.]
TI-LFA SRLG protection for IS-IS (MX Series and PTX Series)—Starting in Junos OS Release 20.2R1,
you can configure Shared Risk Link Group (SRLG) protection for segment routing if you want IS-IS to choose a fast reroute path that does not include SRLG links in the topology-independent loop-free alternate (TI-LFA) backup paths. This is in addition to existing fast reroute options such as link-protection, node protection, and fate-sharing protection for segment routing. IS-IS computes the fast reroute path that is aligned with the post-convergence path and excludes the SRLG of the protected link. All local and remote links that are from the same SRLG as the protected link are excluded from the TI-LFA back up path. The point of local repair (PLR) sets up the label stack for the fast reroute path with a different outgoing interface.
To enable TI-LFA SRLG protection with segment routing for IS-IS, include the srlg-protection statement at the [edit protocols isis interface name level number post-convergence-lfa] hierarchy level.
[See Understanding Topology-Independent Loop-Free Alternate with Segment Routing for IS-IS.]
Support for Layer 2 circuit, Layer 2 VPN, and VPLS services with BGP labeled unicast (MX Series, EX9204, EX9208, EX9214, EX9251, and EX9253 devices)—Starting with Junos OS Release 20.2R1, MX Series, EX9204, EX9208, EX9214, EX9251, and EX9253 devices support BGP PIC Edge protection for Layer 2 circuit, Layer 2 VPN, and VPLS (BGP VPLS, LDP VPLS, and FEC 129 VPLS) services with BGP labeled unicast as the transport protocol. BGP PIC Edge over BGP labeled unicast transport protects traffic against failures of border nodes (ABRs and ASBRs) in multi-domain networks, which are typically used in metro-aggregation and mobile backhaul designs.
A prerequisite for BGP PIC Edge protection is to program the Packet Forwarding Engine (PFE) with the expanded next-hop hierarchy.
To enable BGP PIC Edge protection, use the following CLI configuration statements:
Expand the next-hop hierarchy for the BGP labeled unicast family:
[edit protocols]
user@host# set bgp group group-name family inet labeled-unicast nexthop-resolution preserve-nexthop-hierarchy
BGP PIC for MPLS load-balanced next hops:
[edit routing-options]
user@host# set rib routing-table-name protect core
Fast convergence for Layer 2 circuit and LDP VPLS:
[edit protocols]
user@host# set l2circuit resolution preserve-nexthop-hierarchy
Fast convergence for Layer 2 VPN, BGP VPLS, and FEC 129 VPLS:
[edit protocols]
user@host# set l2vpn resolution preserve-nexthop-hierarchy
[See Load Balancing for a BGP Session.]
Support for security feeds in security policies (SRX Series and vSRX)—Starting in Junos OS Release 20.2R1, you can add source and destination addresses to the security intelligence (SecIntel) profiles to generate security feeds in a security policy. You do this by configuring the security-intelligence configuration statements. After the feeds are generated, you can configure other security policies to use the feeds as a dynamic-address to match designated traffic and perform policy actions.
You can configure the security-intelligence configuration statements under the permit, deny, or reject action of a security policy at the following hierarchy levels:
[edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services]
[edit security policies from-zone zone-name to-zone zone-name policy policy-name then deny application-services]
[edit security policies from-zone zone-name to-zone zone-name policy policy-name then reject application-services]
[See security-intelligence and Encrypted Traffic Analysis Overview.]
Support for BGP-LU over SR-TE for color-based mapping of VPN services (MX Series and PTX Series)—Starting in Junos OS Release 20.2R1, we are extending support to the BGP labeled unicast service for color-based mapping of VPN services over Segment Routing-Traffic Engineering (SR-TE). This enables you to advertise BGP-LU IPv6 and IPv4 prefixes with an IPv6 next-hop address in IPv6-only networks where routers do not have any IPv4 addresses configured. With this feature, BGP-LU can resolve IPv4 and IPv6 routes over an SR-TE core. BGP-LU constructs a colored protocol next hop, which is resolved on a colored SR-TE tunnel in the inetcolor.0 or inet6color.0 table. Currently we support BGP IPv6 LU over SR-TE with an IS-IS underlay.
[See Understanding Static Segment Routing LSP in MPLS Networks.]
Increased port block allocation size (SRX5000 line of devices with SPC2 and SPC3 cards)—Starting in Junos OS Release 20.2R1, the recommended lower limit of the port block allocation size has been lowered to 8 ports, so you can allocate smaller blocks than before:
When interim logging is disabled, the lower limit of the port block allocation size drops from 64 to 8.
When interim logging is enabled, the lower limit of the port block allocation size drops from 128 to 8.
If you configure a port block allocation size of less than 8, the system displays the warning message: warning: To save system memory, the block size is recommended to be no less than 8.
[See Guidelines for Configuring Secured Port Block Allocation and Configure Port Block Allocation Size.]
VMware Tools support for VMware Hypervisors (vSRX 3.0)—Starting in Junos OS Release 20.2R1, vSRX 3.0 on VMware hypervisors supports VMware Tools version 10.3.0 for autoconfiguration. VMware Tools is initialized when the guest operating system starts. The service passes information between the host and guest operating systems for better management and operation.
[See Automate the Initialization of vSRX 3.0 Instances on VMware Hypervisor using VMware Tools.]
Policy-based threat profile for IDP (SRX Series)—Starting in Junos OS Release 20.2R1, you can configure IDP rules with threat profiles to define attacker IP and target IP feeds.
When traffic matches an IDP rule that carries a threat profile, IDP updates the corresponding feed with the attacker or target IP address in the Security Intelligence (SecIntel) module.
This feature allows the SRX Series device to identify threats, propagate intelligence for real-time enforcement, and perform endpoint classification.
[See IDP Policy Rules and IDP Rule Bases, security-intelligence, and Encrypted Traffic Analysis Overview.]
CHAPTER 2

Analyze Unknown Application Traffic Using Packet Capture

How to Configure Packet Capture of Unknown Application Traffic | 13

How to Configure Packet Capture of Unknown Application Traffic

SUMMARY
Learn how to configure your device to capture packet details for unknown application traffic and store that information in a packet capture file (.pcap). You can later analyze the application traffic and get insight about the unknown applications. You can also use this information to define a new custom application signature to manage the application traffic.
IN THIS SECTION
Packet Capture of Unknown Application Traffic Overview | 13
Configure Packet Capture For Unknown Application Traffic | 14

Packet Capture of Unknown Application Traffic Overview

You can use the packet capture of unknown applications feature to gather more details about an unknown application on your security device. Unknown application traffic is the traffic that does not match an application signature.
Once you’ve configured packet capture options on your security device, the unknown application traffic is gathered and stored on the device in a packet capture file (.pcap). You can use the packet capture of an unknown application to define a new custom application signature. You can use this custom application signature in a security policy to manage the application traffic more efficiently.
You can send the .pcap file to Juniper Networks for analysis in cases where the traffic is incorrectly classified, or to request creation of an application signature.
Benefits of Packet Capture of Unknown Application Traffic
You can use the packet capture of unknown application traffic to:
Gather more insight about an unknown application
Analyze unknown application traffic for potential threats
Assist in creation of security policy rules
Enable custom application signature creation
NOTE: Implementing security policies that block all unknown application traffic could cause
issues with network-based applications. Before applying these types of policies, be sure to validate that this approach does not cause issues in your environment. You must carefully analyze the unknown application traffic, and define the security policy accordingly.

Configure Packet Capture For Unknown Application Traffic

Before You Begin
To enable automatic packet capture of unknown application traffic, you must:
Install a valid application identification feature license on your SRX Series device. See Managing Junos OS Licenses.
Download and install the Junos OS application signature package. See Download and Install Junos OS Application Signature Package.
Ensure you have Junos OS Release 20.2R1 or a later version on your security device.
Overview
In this example, you’ll learn how to configure automated packet capture of unknown applications on your security device by completing the following steps:
Set packet capture options at global level or at a security policy level.
Configure packet capture mode
(Optional) Configure packet capture file options
Access the generated packet capture file (.pcap file)
Configuration
To learn about packet capture configuration options, see packet-capture before you begin.
Packet Capture for Unknown Applications Globally
Step-by-Step Procedure
To enable packet capture at a global level, use the following command:
user@host# set services application-identification packet-capture global
When you enable packet capture at the global level, your security device generates a packet capture for all sessions that contain unknown application traffic.
Packet Capture for Unknown Applications At a Security Policy Level
Step-by-Step Procedure
To configure packet capture at a security policy level, use the following procedure. In this example, you enable packet capture of unknown application traffic in the security policy P1.
[edit]
user@host# set security policies from-zone untrust to-zone trust policy P1 match source-address any
user@host# set security policies from-zone untrust to-zone trust policy P1 match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy P1 match application any
user@host# set security policies from-zone untrust to-zone trust policy P1 match dynamic-application junos:UNKNOWN
user@host# set security policies from-zone untrust to-zone trust policy P1 then permit application-services packet-capture
To enable packet capture of unknown application traffic at the security policy level, you must include junos:UNKNOWN as the dynamic-application match condition.
When you configure the security policy (P1), the system captures packet details only for the application traffic that matches the policy's match criteria.
Selecting Packet Capture Mode
You can capture the packets for the unknown application traffic in either of the following modes:
ASC mode—Captures packets for unknown applications when the application is classified as junos:UNKNOWN and has a matching entry in the application system cache (ASC). This mode is enabled by default.
Aggressive mode—Captures all traffic before AppID has finished classification. In this mode, the system captures all application traffic regardless of an available ASC entry. Packet capture begins from the first packet of the first session. Aggressive mode is significantly more resource-intensive and should be used with caution.
To enable aggressive mode, use the following command:
[edit] user@host# set services application-identification packet-capture aggressive-mode
We do not recommend using aggressive mode unless you need to capture the first occurrence of a flow. As noted above, the default behavior of the device relies on the ASC.
Define Packet Capture Options (Optional)
Step-by-Step Procedure
Optionally, you can set the following packet capture parameters. Otherwise, the default options described in packet-capture are used for this feature. In this example, you define packet capture options such as maximum packet limit, maximum byte limit, and number of packet capture (.pcap) files.
1. Set the maximum number of UDP packets per session.
[edit] user@host# set services application-identification packet-capture max-packets 10
2. Set the maximum number of TCP bytes per session.
[edit] user@host# set services application-identification packet-capture max-bytes 2048
3. Set the maximum number of packet capture (.pcap) files to be created before the oldest one is overwritten and rotated out.
[edit] user@host# set services application-identification packet-capture max-files 30
Results
From configuration mode, confirm your configuration by entering the show services application-identification packet-capture command and show security policies hierarchy level. If the
output does not display the intended configuration, follow the configuration instructions in this example to correct it.
The following configuration shows an example of unknown application packet capture at the global level with optional configurations:
[edit services application-identification]
user@host# show packet-capture
{
    global;
    max-packets 10;
    max-bytes 2048;
    max-files 30;
}
The following configuration shows an example of unknown application packet capture at a security policy level with optional configurations:
[edit services application-identification]
user@host# show packet-capture
{
    max-packets 10;
    max-bytes 2048;
    max-files 30;
}
[edit security policies]
user@host# show
from-zone untrust to-zone trust {
    policy P1 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application [ junos:UNKNOWN ];
        }
        then {
            permit {
                application-services {
                    packet-capture;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Accessing Packet Capture Files (.pcaps)
After you complete the configuration and commit it, you can view the packet capture (.pcap) file. The system generates a unique packet capture file for each destination IP address, destination port, and protocol.
Step-by-Step Procedure
To view the packet capture file:
1. Navigate to the directory where .pcap files are stored on the device.
user@host> start shell
% cd /var/log/pcap
2. Locate the .pcap file.
Each .pcap file is named destination-IP-address_destination-port_protocol-number.pcap, where the last field is the IP protocol number (17 for UDP, 6 for TCP). For example, 142.250.31.156_443_17.pcap holds the UDP traffic to 142.250.31.156 port 443.
user@host:/var/log/pcap # ls -lah
total 1544
drwxr-xr-x  2 root  wheel  3.0K Jul 27 15:04 .
drwxrwxr-x  9 root  wheel  3.0K Jul 24 16:23 ..
-rw-r-----  1 root  wheel  5.0K Jul 24 20:16 142.250.31.156_443_17.pcap
-rw-r-----  1 root  wheel   16K Jul 27 15:03 142.250.64.97_443_17.pcap
-rw-r-----  1 root  wheel  9.0K Jul 27 14:26 162.223.228.170_443_17.pcap
-rw-r-----  1 root  wheel  2.1K Jul 26 17:06 17.133.234.32_16385_17.pcap
-rw-r-----  1 root  wheel   11K Jul 24 16:20 172.217.0.226_443_17.pcap
-rw-r-----  1 root  wheel   16K Jul 27 14:21 172.217.9.234_443_17.pcap
-rw-r-----  1 root  wheel   31K Jul 27 14:25 172.217.9.238_443_17.pcap
-rw-r-----  1 root  wheel   17K Jul 24 19:21 52.114.132.87_3478_17.pcap
You can download the .pcap file by using SFTP or SCP and view it with Wireshark or your favorite network analyzer.
Figure 1 on page 19 shows a sample .pcap file generated for the unknown application traffic.
Figure 1: Sample Packet Capture File
NOTE: In situations where packet loss is occurring, the device may not be able to capture all relevant details of the flow. In this case, the .pcap file reflects only what the device was able to ingest and process.
The security device writes the packet capture details for all traffic that shares the same three key values (destination IP address, destination port, and protocol) to the same file, regardless of whether capture is configured globally or at the policy level. The system keeps a cache keyed on destination IP address, destination port, and protocol, and does not capture the same traffic again once the configured limit for that key has been reached. You can set the packet capture file options as described in packet-capture.
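Because every file in /var/log/pcap is keyed on one destination IP address, destination port, and protocol, you can sanity-check a downloaded capture before you build a custom signature from it: every frame should be to or from that tuple, and each client session should stay within the configured max-packets value. The following Python script is an added example, not Juniper code and not part of this guide. It parses the destination-IP_destination-port_protocol.pcap file name, walks a standard libpcap file of Ethernet-framed IPv4 packets, classifies each frame as to_server, from_server, or foreign, groups client packets into (client IP, client port) sessions, and flags any session that exceeds max-packets. The capture it analyzes is constructed in memory (the addresses are taken from the directory listing above, the client address 10.0.0.25 and ports are made up) so it runs without a device; to check a real file, pass its path and bytes to check_capture.

```python
# Offline triage of Junos AppID unknown-application captures (added example, not Juniper
# code). Assumes the <dst-ip>_<dst-port>_<ip-protocol>.pcap naming shown in the guide and
# a libpcap file of Ethernet (link type 1) IPv4 frames. The sample capture is constructed.
import ipaddress
import struct
from collections import Counter, namedtuple

PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
CaptureName = namedtuple("CaptureName", "dst_ip dst_port protocol")

def parse_capture_name(path: str) -> CaptureName:
    """Split '142.250.31.156_443_17.pcap' into destination IP, port and IP protocol number."""
    name = path.rsplit("/", 1)[-1]
    if not name.endswith(".pcap"):
        raise ValueError(f"not a .pcap file name: {path}")
    parts = name[:-len(".pcap")].split("_")
    if len(parts) != 3:
        raise ValueError(f"unexpected capture file name: {path}")
    ip, port, proto = parts
    ipaddress.ip_address(ip)  # reject anything that is not an IP address
    return CaptureName(ip, int(port), int(proto))

def iter_pcap_frames(data: bytes):
    """Yield captured frames from a libpcap file, handling either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic number)")
    if struct.unpack(endian + "HHiIII", data[4:24])[5] != 1:
        raise ValueError("link type is not Ethernet")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def decode_ipv4_flow(frame: bytes):
    """Return (src_ip, dst_ip, protocol, src_port, dst_port), or None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    protocol = frame[23]
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))
    dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    src_port = dst_port = None
    if protocol in (6, 17) and len(l4) >= 4:  # TCP and UDP headers both start with the port pair
        src_port, dst_port = struct.unpack("!HH", l4[:4])
    return src_ip, dst_ip, protocol, src_port, dst_port

def check_capture(path: str, data: bytes, max_packets: int = 10) -> dict:
    """Classify frames as to_server, from_server or foreign relative to the file-name tuple,
    group them into (client IP, client port) sessions, and flag sessions with more packets
    than max_packets (the guide's per-session UDP limit, default 10)."""
    key = parse_capture_name(path)
    report = {"protocol": PROTOCOL_NAMES.get(key.protocol, str(key.protocol)),
              "packets": 0, "to_server": 0, "from_server": 0, "foreign": 0}
    sessions = Counter()
    for frame in iter_pcap_frames(data):
        report["packets"] += 1
        flow = decode_ipv4_flow(frame)
        if flow is None or flow[2] != key.protocol:
            report["foreign"] += 1
            continue
        src_ip, dst_ip, _, src_port, dst_port = flow
        if (dst_ip, dst_port) == (key.dst_ip, key.dst_port):
            report["to_server"] += 1
            sessions[(src_ip, src_port)] += 1
        elif (src_ip, src_port) == (key.dst_ip, key.dst_port):
            report["from_server"] += 1
            sessions[(dst_ip, dst_port)] += 1
        else:
            report["foreign"] += 1  # a frame that should not be in this file
    report["sessions"] = len(sessions)
    report["sessions_over_limit"] = sorted(c for c, n in sessions.items() if n > max_packets)
    return report

def build_udp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/UDP frame for the sample capture (checksums left zero)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with Ethernet link type."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1595621760 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_NAME = "/var/log/pcap/142.250.31.156_443_17.pcap"  # file name from the guide's listing
SAMPLE_PCAP = build_pcap([  # constructed sample: one UDP/443 session plus one stray frame
    build_udp_frame("10.0.0.25", "142.250.31.156", 51234, 443, b"\x00" * 64),
    build_udp_frame("142.250.31.156", "10.0.0.25", 443, 51234, b"\x00" * 32),
    build_udp_frame("10.0.0.25", "142.250.31.156", 51234, 443, b"\x00" * 16),
    build_udp_frame("10.0.0.25", "172.217.9.234", 51235, 443, b"\x00" * 16),
])
```

Run check_capture(SAMPLE_NAME, SAMPLE_PCAP) to see the report for the constructed file; on a real download, read the file with open(path, "rb") and pass the same max-packets value you committed under [edit services application-identification packet-capture]. A non-zero foreign count means the file holds frames that do not belong to the tuple in its name, which is worth investigating before you trust the capture as the basis for a signature, and the session grouping is only an approximation because the device's own per-session accounting is not visible in the file.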
Verification
Viewing Packet Capture Details
Purpose
View the packet capture details to confirm that your configuration is working.
Action
Use the show services application-identification packet-capture counters command.
user@host> show services application-identification packet-capture counters