Available in DANOS 2009

1. Overview

Deep Packet Inspection (DPI) uses ntop's nDPI engine to identify layer 7 applications. User-defined applications can also be specified using L3 / L4 rules.

Firewall rules can be configured to allow or block the identified applications.

2. Configuration

2.1. Application firewall

Applications are configured in an "application firewall" using the "set security application firewall" command, which is similar to the existing firewall command ("set security firewall name ..."), but is specific to applications:

user@danos2009# set security application firewall name SAF1 ?
Possible Completions:
   <Enter>         Execute the current command
   description     Ruleset description
   no-match-action Action when no match (default is drop)
+> rule            Rule number


Applications are specified by the DPI engine and the application name, protocol, or type. Applications are configured individually, one per rule.

user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi ?
Possible Completions:
   <Enter>  Execute the current command
   name     Specify an nDPI application name
   protocol Specify an nDPI application protocol
   type     Specify an nDPI application type


Each rule can match only one application name, protocol, or type; this prevents a conflicting configuration that would never match anything.

Multiple applications can be added by configuring multiple rules. Rules are evaluated in increasing numerical order.

user@danos2009# set security application firewall name SAF1 rule 10 engine ndpi name youtube
user@danos2009# set security application firewall name SAF1 rule 10 action drop

user@danos2009# set security application firewall name SAF1 rule 20 engine ndpi protocol ssh
user@danos2009# set security application firewall name SAF1 rule 20 action accept

user@danos2009# set security application firewall name SAF1 rule 30 engine ndpi type filesharing
user@danos2009# set security application firewall name SAF1 rule 30 action drop


The application firewall is referenced from the regular firewall. It is configured under "session" because DPI requires a stateful firewall: the DPI engine might have to examine several packets in the session before reaching a determination. Since application matching is only supported for the UDP and TCP protocols, application firewalls require that either "protocol tcp" or "protocol udp" be specified in the enclosing firewall:

user@danos2009# set security firewall name SF1 rule 10 session application firewall SAF1
user@danos2009# set security firewall name SF1 rule 10 protocol tcp 
user@danos2009# set security firewall name SF1 rule 10 action accept

2.2. Default action

Initial packets in a session are classified as application "Unknown" and protocol "Unknown" until sufficient traffic has been seen for a determination to be made. It is important to allow these packets through the firewall so that the DPI engine sees enough of the session to reach a determination. Therefore the application firewall allows up to ten packets before applying the "no-match-action" if no classification has been made.

2.2.1. Firewall

A default firewall action may be specified either in a high-numbered rule:

set security firewall name FW1 rule 9999 action X

or using the "default action" command:

set security firewall name FW1 default action X

Both of these match all packets, so the subsequent 'implicit action' and any rules in subsequent groups are never reached.

2.2.2. Application firewall

A default application firewall action may be specified either in a high-numbered application firewall rule:

set security application firewall name AF1 rule 9999 action X

or using the "no-match-action" command:

set security application firewall name AF1 no-match-action X

Note that up to ten packets will be accepted per session before these rules are applied so that enough traffic is seen in the session in order for the DPI engine to reach a determination.

2.3. Application groups

Several applications can be combined in an application group. Application names, types, and protocols can be mixed within a group. The group matches any of the specified name, type, or protocol rules, i.e. the rules are OR'd together.

user@danos2009# set resources group application-group AG1 engine ndpi type chat
user@danos2009# set resources group application-group AG1 engine ndpi type shopping
user@danos2009# set resources group application-group AG1 engine ndpi type game

user@danos2009# set resources group application-group AG1 engine ndpi name ebay
user@danos2009# set resources group application-group AG1 engine ndpi name facebook
user@danos2009# set resources group application-group AG1 engine ndpi name youtube


The application group is configured in an application firewall rule, together with the action to be performed on any traffic matching the group:

user@danos2009# set security application firewall name SAF1 rule 40 group AG1
user@danos2009# set security application firewall name SAF1 rule 40 action drop


As above, the application firewall is referenced from the regular firewall. The application firewall is configured under "session" because a stateful firewall is required for DPI.

user@danos2009# set security firewall name SF1 rule 10 session application firewall SAF1
user@danos2009# set security firewall name SF1 rule 10 protocol tcp 
user@danos2009# set security firewall name SF1 rule 10 action accept
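The following is an added example, written for this page and not DANOS code, that models the application firewall semantics described in sections 2.1 to 2.3: rules are tried in increasing number, each rule carries exactly one name, protocol or type term (or a group of OR'd terms), and an unclassified session is allowed up to ten packets before the "no-match-action" applies. The group AG1 and firewall SAF1 are the ones configured above. Two details are assumptions rather than documented behaviour: configured names are compared case-insensitively with the engine's labels (the configuration uses "youtube" while the show output prints "YouTube"), and a session counts as classified as soon as any of its name, protocol or type is no longer "Unknown".

```python
# Added example (not DANOS code): a model of application firewall rule evaluation.
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNKNOWN = "Unknown"
GRACE_PACKETS = 10  # packets let through while the session is still unclassified


@dataclass(frozen=True)
class AppClass:
    """What a DPI engine currently believes about a session."""
    engine: str
    name: str = UNKNOWN
    protocol: str = UNKNOWN
    type: str = UNKNOWN

    def classified(self) -> bool:
        # Assumption: any non-Unknown field counts as a determination.
        return any(v != UNKNOWN for v in (self.name, self.protocol, self.type))


@dataclass(frozen=True)
class Term:
    """One 'engine X name|protocol|type Y' term; exactly one of the three is set."""
    engine: str
    name: Optional[str] = None
    protocol: Optional[str] = None
    type: Optional[str] = None

    def __post_init__(self):
        if sum(v is not None for v in (self.name, self.protocol, self.type)) != 1:
            raise ValueError("a term must give exactly one of name, protocol or type")

    def matches(self, c: AppClass) -> bool:
        if c.engine != self.engine:
            return False
        if self.name is not None:
            want, have = self.name, c.name
        elif self.protocol is not None:
            want, have = self.protocol, c.protocol
        else:
            want, have = self.type, c.type
        # Assumption: case-insensitive comparison; "Unknown" never matches a term
        return have != UNKNOWN and have.lower() == want.lower()


@dataclass
class Rule:
    number: int
    action: str
    terms: List[Term]  # one term for an 'engine ...' rule, several for a group (OR'd)

    def matches(self, classes: List[AppClass]) -> bool:
        return any(t.matches(c) for t in self.terms for c in classes)


@dataclass
class AppFirewall:
    name: str
    rules: List[Rule]
    no_match_action: str = "drop"  # the CLI default

    def evaluate(self, classes: List[AppClass], packets_seen: int) -> Tuple[str, str]:
        """Return (action, reason) for the next packet of a session."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(classes):
                return rule.action, f"rule {rule.number}"
        if not any(c.classified() for c in classes) and packets_seen <= GRACE_PACKETS:
            return "accept", "awaiting classification"
        return self.no_match_action, "no-match-action"


# Group AG1 and application firewall SAF1 as configured in sections 2.1 and 2.3
AG1 = [Term("ndpi", type=t) for t in ("chat", "shopping", "game")] + \
      [Term("ndpi", name=n) for n in ("ebay", "facebook", "youtube")]

SAF1 = AppFirewall("SAF1", [
    Rule(10, "drop", [Term("ndpi", name="youtube")]),
    Rule(20, "accept", [Term("ndpi", protocol="ssh")]),
    Rule(30, "drop", [Term("ndpi", type="filesharing")]),
    Rule(40, "drop", AG1),
])


def decide(name=UNKNOWN, protocol=UNKNOWN, app_type=UNKNOWN, packets_seen=1):
    """Evaluate SAF1 against a single nDPI classification of a session."""
    return SAF1.evaluate([AppClass("ndpi", name, protocol, app_type)], packets_seen)


if __name__ == "__main__":
    print(decide("YouTube", "TLS", "Media"))           # ('drop', 'rule 10')
    print(decide(UNKNOWN, "SSH", "RemoteAccess"))      # ('accept', 'rule 20')
    print(decide(packets_seen=3))                      # ('accept', 'awaiting classification')
    print(decide(packets_seen=11))                     # ('drop', 'no-match-action')
    print(decide("Facebook", "TLS", "SocialNetwork"))  # ('drop', 'rule 40')
```

Note that a session classified as "LinkedIn" over TLS matches none of SAF1's rules and is dropped by the default "no-match-action" immediately, with no ten-packet grace, because the grace only covers sessions the engine has not yet classified.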

2.4. User-defined applications

User-defined applications are defined with L3 / L4 rules using the "set service application ..." command:

user@danos2009# set service application rule 10 ?
Possible Completions:
   <Enter>        Execute the current command
   description    Rule description
 > destination    Destination parameters
   disable        Disable rule
   dscp           DSCP value to match in an incoming IP header
   dscp-group     Group of DSCP values to match in an incoming IP header
   ethertype      Ethertype to match (name or hex or decimal)
 > icmp           ICMP for IPv4
 > icmpv6         ICMP for IPv6
 > ipv6-route     IPv6 route
   log            Enable logging for rule
   pcp            802.1 priority code point to match (0 to 7)
   protocol       IP L4 protocol to match (name, number or leave unconfigured for all)
   protocol-group Group of IP L4 protocols to match
 > source         Source parameters
 > tcp            TCP parameters
 > then           Specify actions


Rules consist of two parts: zero or more match criteria, and one or more "then" actions.

All of the matching criteria in a rule must match, i.e. the criteria are AND'd together.

The "then" action specifies the application name, protocol, or type to be used for traffic matching the rule:

user@danos2009# set service application rule 30 then ?
Possible Completions:
   name     Specify application name
   protocol Specify application protocol
+> type     Specify application type


For example, if subnet 10.1.1.0/28 only contains webex servers, the traffic coming from those servers can be classified as application name webex and application type video:

user@danos2009# set service application rule 10 source address 10.1.1.0/28 
user@danos2009# set service application rule 10 then name webex
user@danos2009# set service application rule 10 then type video


User-defined applications are configured in application firewalls or application groups as shown earlier, except that the "user" engine is used:

user@danos2009# set resources group application-group AG1 engine user name webex 
user@danos2009# set resources group application-group AG1 engine user type video
user@danos2009# set resources group application-group AG1 engine user protocol citrix

user@danos2009# set security application firewall name SAF1 rule 50 engine user name webex
user@danos2009# set security application firewall name SAF1 rule 50 action accept


Application groups can contain a mixture of nDPI and user-defined applications. The group matches any of the specified engine, name, type, or protocol rules, i.e. the rules are OR'd together.

user@danos2009# set resources group application-group AG1 engine ndpi name ebay
user@danos2009# set resources group application-group AG1 engine ndpi name facebook
user@danos2009# set resources group application-group AG1 engine ndpi name youtube

user@danos2009# set resources group application-group AG1 engine user name webex 
user@danos2009# set resources group application-group AG1 engine user type voice
user@danos2009# set resources group application-group AG1 engine user protocol citrix
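The following is an added example, written for this page and not DANOS code, that models the user-defined application rules of this section: every configured match criterion must hold (AND), a rule with no criteria matches everything, and the "then" actions assign the name, protocol and type that the "user" engine then reports. The rules modelled are the webex rule above and the BBC address-range rule from section 4.4. Assumptions: rules are tried in increasing number and the first match wins, and only a handful of the CLI's match criteria (source, destination, protocol, destination port, dscp) are represented.

```python
# Added example (not DANOS code): a model of user-defined application rules.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

AddrSpec = Union[str, Tuple[str, str]]  # CIDR prefix or (first, last) address range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str  # "tcp", "udp", ...
    dst_port: Optional[int] = None
    dscp: Optional[int] = None


def addr_in(addr: str, spec: AddrSpec) -> bool:
    """True if addr lies in the CIDR prefix or inclusive range given by spec."""
    ip = ipaddress.ip_address(addr)
    if isinstance(spec, tuple):
        first, last = (ipaddress.ip_address(a) for a in spec)
        return first <= ip <= last
    return ip in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class UserAppRule:
    number: int
    source: Optional[AddrSpec] = None
    destination: Optional[AddrSpec] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None
    then_name: Optional[str] = None
    then_protocol: Optional[str] = None
    then_type: Optional[str] = None

    def __post_init__(self):
        if (self.then_name, self.then_protocol, self.then_type) == (None, None, None):
            raise ValueError(f"rule {self.number}: at least one 'then' action is required")

    def matches(self, p: Packet) -> bool:
        # Every configured criterion must hold; unconfigured ones match anything.
        return all([
            self.source is None or addr_in(p.src, self.source),
            self.destination is None or addr_in(p.dst, self.destination),
            self.protocol is None or p.protocol == self.protocol,
            self.dst_port is None or p.dst_port == self.dst_port,
            self.dscp is None or p.dscp == self.dscp,
        ])


def classify(packet: Packet, rules) -> Optional[Tuple[str, Optional[str], Optional[str], Optional[str]]]:
    """Return (engine, name, protocol, type) from the first matching rule, or None.
    Assumption: rules are evaluated in increasing number, first match wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(packet):
            return ("user", rule.then_name, rule.then_protocol, rule.then_type)
    return None


# Rule 10 from this section and rule 100 from section 4.4
RULES = [
    UserAppRule(10, source="10.1.1.0/28", then_name="webex", then_type="video"),
    UserAppRule(100, destination=("212.0.0.0", "212.255.255.255"),
                then_name="MYNEWS", then_protocol="MYWEB", then_type="MYNEWS"),
]

if __name__ == "__main__":
    print(classify(Packet("10.1.1.5", "198.51.100.7", "udp", 9000), RULES))
    print(classify(Packet("10.0.0.1", "212.58.233.253", "tcp", 443), RULES))
    print(classify(Packet("10.1.1.20", "8.8.8.8", "udp", 53), RULES))
```

A field the rule does not set stays None, which corresponds to the "None" shown in the L5-proto-name column of "show session table application" for the webex rule, which sets a name and a type but no protocol.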

3. Show commands

3.1. show session table application

Provided at least one DPI rule is configured, the "show session table application" command will show application information associated with each session. There is no output if no DPI rules are configured.

The columns are:

Conn ID         the connection ID as shown in the other "show session table ..." outputs.
Engine          which engine classified this traffic.
App-name        the application name according to this DPI engine.
L5-proto-name   the layer 5 protocol according to this DPI engine.
Offloaded       "false" if the engine still needs to see more packets; "true" if the engine has made a final determination.
Error           "true" if a DPI error occurred; "false" otherwise.
Fwd-pkts        the number of packets observed by the DPI engine in the forwards direction prior to offloading.
Fwd-bytes       the number of bytes observed by the DPI engine in the forwards direction prior to offloading.
Bwd-pkts        the number of packets observed by the DPI engine in the backwards direction prior to offloading.
Bwd-bytes       the number of bytes observed by the DPI engine in the backwards direction prior to offloading.
Type            the application type according to this DPI engine.


nDPI information will be shown if at least one nDPI rule is configured:

user@danos2009:~$ show session table application
Conn ID   Engine    App-name        L5-proto-name   Offloaded  Error  Fwd-pkts  Fwd-bytes  Bwd-pkts  Bwd-bytes  Type
-------   ------    --------        -------------   ---------  -----  --------  ---------  --------  ---------  ----
10        ndpi      Unknown         SSH             true       false  5         1409       4         1081       RemoteAccess
11        ndpi      Unknown         HTTP            true       false  3         136        2         126        Web
12        ndpi      Unknown         TLS             true       false  3         517        3         1436       Web
14        ndpi      LinkedIn        TLS             true       false  3         517        1         0          SocialNetwork
15        ndpi      YouTube         TLS             true       false  3         517        1         0          Media


User-defined application information will be shown if at least one user-defined application rule is configured:

user@danos2009:~$ show session table application
Conn ID   Engine    App-name        L5-proto-name   Offloaded  Error  Fwd-pkts  Fwd-bytes  Bwd-pkts  Bwd-bytes  Type
-------   ------    --------        -------------   ---------  -----  --------  ---------  --------  ---------  ----
20        user      UD_NAME1        UD_PROTO1       true       false  1         0          0         0          UD_TYPE1


Both nDPI and user-defined application information will be shown for each session when at least one nDPI and one user-defined application rule are configured:

user@danos2009:~$ show session table application
Conn ID   Engine    App-name        L5-proto-name   Offloaded  Error  Fwd-pkts  Fwd-bytes  Bwd-pkts  Bwd-bytes  Type
-------   ------    --------        -------------   ---------  -----  --------  ---------  --------  ---------  ----
23        user      utube           None            true       false  1         0          0         0          video
23        ndpi      YouTube         TLS             true       false  3         517        1         0          Media

3.2. Journal logging

When firewall logging is enabled and DPI information is available for the session, this will be included in the session create, update, and delete logs seen in the system journal:

user@danos2009# set system session log creation
user@danos2009# set system session log deletion
user@danos2009# set system session log periodic 60

user@danos2009:~$ journalctl | grep SESSION_
FIREWALL: SESSION_CREATE duration=0.692 ifname=dp0p1s2 session-id=22 proto=tcp(6) dir=out addr=10.0.0.1->157.240.1.35 port=59652->443 fw-rule=DPI:200 engine=ndpi app-name=Facebook proto-name=TLS type=SocialNetwork
FIREWALL: SESSION_CREATE duration=2.002 ifname=dp0p1s2 session-id=7 proto=tcp(6) dir=out addr=10.0.0.1->212.58.233.253 port=52980->443 fw-rule=DPI:200 engine=user app-name=BBC proto-name=MYWEB type=MYNEWS
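The following is an added example, written for this page and not DANOS code, that parses the "FIREWALL: SESSION_*" journal lines shown above into dictionaries and summarises which application each session was created under, which is the shape of check an operator would run when auditing what the DPI engine has been classifying. The two sample lines are the ones shown above; the key names used for the split-out fields (src, dst, sport, dport, firewall, rule) are this example's own choice.

```python
# Added example (not DANOS code): parse SESSION_* journal lines and summarise them.
import re
from collections import defaultdict
from typing import Any, Dict, List, Optional

# The two journal lines shown above, embedded here so the example runs offline
SAMPLE_JOURNAL = """\
FIREWALL: SESSION_CREATE duration=0.692 ifname=dp0p1s2 session-id=22 proto=tcp(6) dir=out addr=10.0.0.1->157.240.1.35 port=59652->443 fw-rule=DPI:200 engine=ndpi app-name=Facebook proto-name=TLS type=SocialNetwork
FIREWALL: SESSION_CREATE duration=2.002 ifname=dp0p1s2 session-id=7 proto=tcp(6) dir=out addr=10.0.0.1->212.58.233.253 port=52980->443 fw-rule=DPI:200 engine=user app-name=BBC proto-name=MYWEB type=MYNEWS
""".splitlines()

EVENT_RE = re.compile(r"FIREWALL: (SESSION_(?:CREATE|UPDATE|DELETE))\s+(.*)$")


def parse_session_event(line: str) -> Optional[Dict[str, Any]]:
    """Turn one journal line into a dict of its key=value fields.
    Returns None for lines that are not session events."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event, rest = m.groups()
    fields: Dict[str, Any] = {"event": event}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    # Split the composite fields into their parts (key names chosen here)
    if "addr" in fields:
        fields["src"], fields["dst"] = fields["addr"].split("->", 1)
    if "port" in fields:
        sport, dport = fields["port"].split("->", 1)
        fields["sport"], fields["dport"] = int(sport), int(dport)
    if "fw-rule" in fields:
        fw, _, rule = fields["fw-rule"].partition(":")
        fields["firewall"], fields["rule"] = fw, int(rule)
    if "session-id" in fields:
        fields["session-id"] = int(fields["session-id"])
    return fields


def sessions_by_app(lines: List[str]) -> Dict[str, List[int]]:
    """Map 'engine/app-name' to the ids of sessions created under that classification.
    Lines without DPI information (no app-name field) are skipped."""
    result: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        f = parse_session_event(line)
        if f and f["event"] == "SESSION_CREATE" and "app-name" in f:
            result[f"{f['engine']}/{f['app-name']}"].append(f["session-id"])
    return dict(result)


def sessions_to(lines: List[str], dst: str) -> List[int]:
    """Ids of sessions created towards a given destination address."""
    return [f["session-id"] for f in map(parse_session_event, lines)
            if f and f["event"] == "SESSION_CREATE" and f.get("dst") == dst]


if __name__ == "__main__":
    for line in SAMPLE_JOURNAL:
        print(parse_session_event(line))
    print(sessions_by_app(SAMPLE_JOURNAL))  # {'ndpi/Facebook': [22], 'user/BBC': [7]}
```

The same parser applies to the periodic update and deletion records that "set system session log periodic" and "set system session log deletion" enable, since they share the key=value layout; only the event name in the first capture group differs.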

4. Examples

4.1. An application firewall allows access to permitted websites while blocking all other web traffic

Additional sites would be allowed by adding rules to the "ALLOWED-SITES" application firewall.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443

# Application firewall
#   - accept specific applications
#   - all other applications are dropped by default
set security application firewall name ALLOWED-SITES rule 100 action accept
set security application firewall name ALLOWED-SITES rule 100 engine ndpi name google
set security application firewall name ALLOWED-SITES rule 200 action accept
set security application firewall name ALLOWED-SITES rule 200 engine ndpi name linkedin
 
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
 
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall ALLOWED-SITES
 
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
 
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.2. An application firewall is used with an application group to allow access to some permitted websites while blocking all other web traffic

Additional sites would be allowed by adding rules to the "ALLOWED-SITES-GROUP" application group.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
 
# Application group
set resources group application-group ALLOWED-SITES-GROUP engine ndpi name linkedin
set resources group application-group ALLOWED-SITES-GROUP engine ndpi name google
 
# Application firewall
#   - accept applications in the "ALLOWED-SITES-GROUP" application group
#   - drop all other applications
set security application firewall name WEB-TRAFFIC rule 100 action accept
set security application firewall name WEB-TRAFFIC rule 100 group ALLOWED-SITES-GROUP
set security application firewall name WEB-TRAFFIC no-match-action drop
 
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
 
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall WEB-TRAFFIC
 
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
 
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.3. An application firewall is used with an application group to block http requests while allowing https requests

HTTP requests would be allowed by adding http to the "WEB-APPS-GROUP" application group.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
 
# Application group
set resources group application-group WEB-APPS-GROUP engine ndpi protocol tls
 
# Application firewall
#   - accept applications in the "WEB-APPS-GROUP" application group
#   - drop all other applications
set security application firewall name WEB-TRAFFIC rule 100 action accept
set security application firewall name WEB-TRAFFIC rule 100 group WEB-APPS-GROUP
set security application firewall name WEB-TRAFFIC no-match-action drop
 
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
 
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall WEB-TRAFFIC
 
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
 
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.4. Traffic destined to the BBC news web site is identified with a user-defined name, protocol, and type

The web site is served by a range of addresses.

# Ports for web traffic
set resources group port-group WEB port 80
set resources group port-group WEB port 443
 
# Address group
set resources group address-group BBC-SITE address-range 212.0.0.0 to 212.255.255.255
 
# User-defined application
set service application rule 100 destination address BBC-SITE
set service application rule 100 then name MYNEWS
set service application rule 100 then protocol MYWEB
set service application rule 100 then type MYNEWS
 
# Application firewall
#   - accept traffic to the BBC
#   - drop all other applications
set security application firewall name BBC-TRAFFIC rule 100 action accept
set security application firewall name BBC-TRAFFIC rule 100 engine user name MYNEWS
set security application firewall name BBC-TRAFFIC no-match-action drop
 
# Allow DNS traffic
set security firewall name DPI rule 100 action accept
set security firewall name DPI rule 100 destination address 8.8.8.8
set security firewall name DPI rule 100 session
 
# Send all web traffic through the application firewall
set security firewall name DPI rule 200 action accept
set security firewall name DPI rule 200 protocol tcp
set security firewall name DPI rule 200 destination port WEB
set security firewall name DPI rule 200 session application firewall BBC-TRAFFIC
 
# Default action
set security firewall name DPI rule 1000 action accept
set security firewall name DPI rule 1000 session
 
# Apply firewall to interface
set interfaces dataplane dp0p1s2 firewall out DPI

4.5. An application firewall is applied to traffic entering or leaving a GRE tunnel

Tunneled telnet and SSH traffic are dropped.

# Group of applications to be blocked
set resources group application-group BLOCKED engine ndpi name telnet
set resources group application-group BLOCKED engine ndpi name ssh

# Application firewall drops applications in the group
# while accepting other traffic
set security application firewall name APPFW no-match-action accept
set security application firewall name APPFW rule 100 action drop
set security application firewall name APPFW rule 100 group BLOCKED

# Firewall
set security firewall name SFW rule 100 action accept
set security firewall name SFW rule 100 protocol tcp
set security firewall name SFW rule 100 session application firewall APPFW

# Default action
set security firewall name SFW rule 1000 action accept
set security firewall name SFW rule 1000 session

# GRE tunnel configuration
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 address 15.0.0.1/24
set interfaces tunnel tun1 local-ip 128.0.0.11
set interfaces tunnel tun1 remote-ip 128.0.0.13

Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the "in" direction:

# Apply firewall to tunnel
set interfaces tunnel tun1 firewall in SFW

Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the "out" direction:

# Apply firewall to tunnel
set interfaces tunnel tun1 firewall out SFW

4.6. An application firewall is applied to traffic entering or leaving a VFP IPSec tunnel

Tunneled telnet and SSH traffic are dropped.

# Group of applications to be blocked
set resources group application-group BLOCKED engine ndpi name telnet
set resources group application-group BLOCKED engine ndpi name ssh

# Application firewall drops applications in the group
# while accepting other traffic
set security application firewall name APPFW no-match-action accept
set security application firewall name APPFW rule 100 action drop
set security application firewall name APPFW rule 100 group BLOCKED

# Firewall
set security firewall name SFW rule 100 action accept
set security firewall name SFW rule 100 protocol tcp
set security firewall name SFW rule 100 session application firewall APPFW

# Default action
set security firewall name SFW rule 1000 action accept
set security firewall name SFW rule 1000 session

# VFP configuration
set interfaces virtual-feature-point vfp1 address 169.254.0.1/32

set security vpn ipsec esp-group group1 lifetime 600
set security vpn ipsec esp-group group1 proposal 1 encryption aes256
set security vpn ipsec ike-group group1 lifetime 3000
set security vpn ipsec ike-group group1 proposal 1 encryption aes256
set security vpn ipsec site-to-site peer 128.0.0.13 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 128.0.0.13 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 128.0.0.13 default-esp-group group1
set security vpn ipsec site-to-site peer 128.0.0.13 ike-group group1
set security vpn ipsec site-to-site peer 128.0.0.13 local-address 128.0.0.11
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 local prefix 12.0.0.0/24
set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 remote prefix 13.0.0.0/24

set security vpn ipsec site-to-site peer 128.0.0.13 tunnel 1 uses vfp1

Traffic entering the vRouter from the tunnel is firewalled by applying the firewall in the "in" direction:

# Apply firewall to tunnel
set interfaces virtual-feature-point vfp1 firewall in SFW

Traffic leaving the vRouter through the tunnel is firewalled by applying the firewall in the "out" direction:

# Apply firewall to tunnel
set interfaces virtual-feature-point vfp1 firewall out SFW

5. Debugging

5.1. show session table application

Enable any DPI rule. Examine the "show session table application" output to see how the traffic was classified, then modify the rule accordingly.

Pay particular attention to whether the application appears in the "App-name" or the "L5-proto-name" column, since that determines whether the rule should use "name" or "protocol". For example, as seen below, "LinkedIn" and "YouTube" are application names, while SSH is a protocol:

user@danos2009:~$ show session table application
Conn ID   Engine    App-name        L5-proto-name   Offloaded  Error  Fwd-pkts  Fwd-bytes  Bwd-pkts  Bwd-bytes  Type                
-------   ------    --------        -------------   ---------  -----  --------  ---------  --------  ---------  ----                
14        ndpi      LinkedIn        TLS             true       false  3         517        1         0          SocialNetwork       
15        ndpi      YouTube         TLS             true       false  3         517        1         0          Media               
18        ndpi      Unknown         SSH             true       false  5         1409       4         1081       RemoteAccess
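The following is an added example, written for this page and not DANOS code, that parses "show session table application" output (section 3.1) and applies the debugging advice of this section: given a label seen in the output, it reports whether that label belongs in a rule's "name", "protocol" or "type" keyword and prints the matching CLI fragment, and it lists sessions the engine has not finished with. The first sample table is the one shown above; the second, single-row table is constructed for this example to exercise the "Offloaded false" case. Lower-casing the label in the suggested fragment is an assumption based on the lower-case names used in the configuration examples on this page.

```python
# Added example (not DANOS code): parse the show output and classify labels.
import re
from typing import Dict, List, Optional

# The table from section 5.1, embedded so the example runs offline
SAMPLE_OUTPUT = """\
Conn ID   Engine    App-name        L5-proto-name   Offloaded  Error  Fwd-pkts  Fwd-bytes  Bwd-pkts  Bwd-bytes  Type
-------   ------    --------        -------------   ---------  -----  --------  ---------  --------  ---------  ----
14        ndpi      LinkedIn        TLS             true       false  3         517        1         0          SocialNetwork
15        ndpi      YouTube         TLS             true       false  3         517        1         0          Media
18        ndpi      Unknown         SSH             true       false  5         1409       4         1081       RemoteAccess
"""

# Constructed row (not from the page): a session the engine is still examining
CONSTRUCTED_IN_PROGRESS = """\
Conn ID   Engine    App-name        L5-proto-name   Offloaded  Error  Fwd-pkts  Fwd-bytes  Bwd-pkts  Bwd-bytes  Type
-------   ------    --------        -------------   ---------  -----  --------  ---------  --------  ---------  ----
31        ndpi      Unknown         Unknown         false      false  2         140        1         60         Unknown
"""

INT_COLUMNS = {"Conn ID", "Fwd-pkts", "Fwd-bytes", "Bwd-pkts", "Bwd-bytes"}
BOOL_COLUMNS = {"Offloaded", "Error"}
COLUMN_TO_KEYWORD = {"App-name": "name", "L5-proto-name": "protocol", "Type": "type"}


def parse_session_table(text: str) -> List[Dict[str, object]]:
    """Parse the column-aligned output into one dict per row. Columns are
    separated by two or more spaces and values contain no spaces, so a
    split on runs of whitespace is enough."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    if not lines:
        return []  # no DPI rules configured: the command prints nothing
    header = re.split(r"\s{2,}", lines[0].strip())
    rows: List[Dict[str, object]] = []
    for line in lines[1:]:
        if set(line.strip()) <= {"-", " "}:
            continue  # the underline row
        values = re.split(r"\s{2,}", line.strip())
        if len(values) != len(header):
            raise ValueError(f"unexpected row: {line!r}")
        row: Dict[str, object] = {}
        for col, val in zip(header, values):
            if col in INT_COLUMNS:
                row[col] = int(val)
            elif col in BOOL_COLUMNS:
                row[col] = val == "true"
            else:
                row[col] = val
        rows.append(row)
    return rows


def label_kind(rows, label: str) -> Optional[str]:
    """'name', 'protocol' or 'type' depending on the column the label appears
    in, or None if it is absent. "Unknown" is a placeholder, never a label."""
    if label == "Unknown":
        return None
    for col, keyword in COLUMN_TO_KEYWORD.items():
        if any(r[col] == label for r in rows):
            return keyword
    return None


def suggest_match(rows, label: str) -> Optional[str]:
    """CLI fragment for an application firewall rule matching this label."""
    kind = label_kind(rows, label)
    if kind is None:
        return None
    engine = next(r["Engine"] for r in rows
                  if label in (r["App-name"], r["L5-proto-name"], r["Type"]))
    return f"engine {engine} {kind} {label.lower()}"  # lower-case: assumption


def unfinished_sessions(rows) -> List[int]:
    """Connection IDs the engine has not finalised, or that hit a DPI error."""
    return [r["Conn ID"] for r in rows if not r["Offloaded"] or r["Error"]]


if __name__ == "__main__":
    rows = parse_session_table(SAMPLE_OUTPUT)
    for label in ("LinkedIn", "YouTube", "SSH", "Media"):
        print(label, "->", suggest_match(rows, label))
    print(unfinished_sessions(parse_session_table(CONSTRUCTED_IN_PROGRESS)))  # [31]
```

Running it against the section 5.1 table gives "engine ndpi name linkedin" for LinkedIn but "engine ndpi protocol ssh" for SSH, which is exactly the distinction the text above asks the operator to check before writing a rule.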