App-Detect

These scenarios check the basic functions of the app-detect feature.

Test App-Detect HTTP-Host

Description

DUT0 configures the HTTP application detector. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that it is identified as HTTP and the destination hostname appears in the appdetect annotation.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth1 address 192.168.100.1/24
set system conntrack app-detect http
set system conntrack app-detect http-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping the IP address 10.215.168.1 from DUT1:

admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.444 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.444/0.444/0.444/0.000 ms

Step 4: Run the command file copy http://10.215.168.1/~robot/ running://index.html force on DUT1 and expect the following output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1095    0  1095    0     0   411k      0 --:--:-- --:--:-- --:--:--  534k

Step 5: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L4:80\shttp\-host:10.215.168.1\]
Show output
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=55084 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=55084 packets=4 bytes=1478 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1366] mark=0 use=3 appdetect[L4:80 http-host:10.215.168.1]
icmp     1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=289 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=289 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.

Test App-Detect HTTP-Host Chained App-ID

Description

DUT0 configures the HTTP application detector together with app-detect chained storage mode. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that all detected App-ID results are stored together in the appdetect annotation.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth1 address 192.168.100.1/24
set system conntrack app-detect app-id-storage chained
set system conntrack app-detect http
set system conntrack app-detect http-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping the IP address 10.215.168.1 from DUT1:

admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.419 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.419/0.419/0.419/0.000 ms

Step 4: Run the command file copy http://10.215.168.1/~robot/ running://index.html force on DUT1 and expect the following output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1095    0  1095    0     0   395k      0 --:--:-- --:--:-- --:--:--  534k

Step 5: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80\shttp\-host:10.215.168.1\]
Show output
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=52160 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=52160 packets=4 bytes=1478 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1366] mark=0 use=3 appdetect[L3:6;L4:80 http-host:10.215.168.1]
icmp     1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=290 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=290 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.

Test App-Detect DNS-Host

Description

DUT0 configures the DNS application detector. DUT1 acts as a client that performs a DNS lookup through DUT0 to DUT2, which runs a DNS server. The connection in DUT0 is then monitored to verify that the queried hostname appears in the appdetect annotation.

Scenario

Step 1: Set the following configuration in DUT2:

set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping the IP address 192.168.200.2 from DUT1:

admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.752 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.752/0.752/0.752/0.000 ms

Step 5: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED

Step 6: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

src=192.168.100\.2 dst=192.168.200\.2.+dport=53.*appdetect\[L4:53\sdns\-host:1teldat.com\]
Show output
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=48115 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=48115 packets=1 bytes=57 mark=0 use=1 appdetect[L4:53]
icmp     1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=291 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=291 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=59654 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=59654 packets=1 bytes=73 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com]
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
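The three scenarios above all end by matching a regular expression against `system conntrack show` and reading the `appdetect[...]` annotation by eye. The following added example (not code from the page or from the product) parses that annotation into structured fields, so the same checks can be made on the flow tuple rather than on raw text: the `L3:`/`L4:` entries (one per layer in chained mode, separated by `;`), `U6:` App-IDs assigned from the IP-cache, and the `http-host:`/`dns-host:` value. The sample output is constructed from the lines shown in the scenarios; the `Flow` field names and helper functions are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of `system conntrack show` output on DUT0: an HTTP
# flow in chained mode, a plain ICMP flow, a DNS lookup with the queried hostname,
# and an ICMP flow classified from the IP-cache, followed by the conntrack-tools trailer.
SAMPLE_OUTPUT = """\
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=55084 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=55084 packets=4 bytes=1478 [ASSURED] mark=0 use=3 appdetect[L3:6;L4:80 http-host:10.215.168.1]
icmp     1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=289 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=289 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=59654 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=59654 packets=1 bytes=73 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com]
icmp     1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=293 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=293 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001]
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
"""

# Protocol name, protocol number, an optional remaining timeout, then the tuple fields.
FLOW_RE = re.compile(r"^(?P<proto>tcp|udp|icmp)\s+\d+\s+(?:\d+\s+)?(?P<rest>src=.*)$")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)")
DPORT_RE = re.compile(r"dport=(\d+)")
ANNOT_RE = re.compile(r"appdetect\[(?P<body>[^\]]*)\]")


@dataclass
class Flow:
    proto: str
    src: str                    # original-direction source
    dst: str                    # original-direction destination
    dport: Optional[int]        # original-direction destination port (None for ICMP)
    app_ids: List[str]          # e.g. ["L3:6", "L4:80"] in chained mode, ["U6:1001"] from the IP-cache
    host_kind: Optional[str]    # "http-host" or "dns-host" when a hostname was extracted
    hostname: Optional[str]


def parse_annotation(body: str) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Split 'L3:6;L4:80 http-host:10.215.168.1' into the App-ID list and the hostname field."""
    tokens = body.split()
    app_ids = tokens[0].split(";") if tokens else []
    host_kind = hostname = None
    for token in tokens[1:]:
        key, _, value = token.partition(":")
        if key in ("http-host", "dns-host"):
            host_kind, hostname = key, value
    return app_ids, host_kind, hostname


def parse_conntrack(output: str) -> List[Flow]:
    """Parse the flow lines; the trailer and blank lines are skipped. A line without an
    appdetect annotation still yields a Flow with an empty App-ID list."""
    flows = []
    for line in output.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        src, dst = TUPLE_RE.search(rest).groups()   # first src/dst pair is the original direction
        dport = DPORT_RE.search(rest)               # first dport likewise
        annot = ANNOT_RE.search(rest)
        app_ids, host_kind, hostname = parse_annotation(annot.group("body")) if annot else ([], None, None)
        flows.append(Flow(m.group("proto"), src, dst,
                          int(dport.group(1)) if dport else None,
                          app_ids, host_kind, hostname))
    return flows


def find_flow(flows: List[Flow], proto: str, src: str, dst: str,
              dport: Optional[int] = None) -> Optional[Flow]:
    """Locate the original-direction flow that a scenario step verifies."""
    for f in flows:
        if f.proto == proto and f.src == src and f.dst == dst and (dport is None or f.dport == dport):
            return f
    return None


def output_matches(output: str, pattern: str) -> bool:
    """The scenario check itself: does any output line match the regular expression?"""
    return any(re.search(pattern, line) for line in output.splitlines())


if __name__ == "__main__":
    for flow in parse_conntrack(SAMPLE_OUTPUT):
        print(flow.proto, flow.src, "->", flow.dst, flow.app_ids, flow.host_kind, flow.hostname)
```

`output_matches` reproduces the page's own regex checks unchanged, while `find_flow` plus the parsed `Flow` lets a test assert on the hostname and App-ID list directly, which is less brittle than a pattern that also pins down packet counters and port numbers.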

Test App-Detect DNS-Host Continuous Resolution

Description

DUT0 configures the DNS application detector with a custom dictionary. An external host sends DNS queries through DUT0 to DUT2, first with continuous resolution disabled and then with it enabled, and the IP-cache in DUT0 is monitored to verify which resolved addresses are stored with their App-ID.

Scenario

Step 1: Set the following configuration in DUT2:

set interfaces dummy dum1 address 172.30.0.0/32
set interfaces dummy dum2 address 172.30.0.1/32
set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 10.215.168.0/24 next-hop 192.168.200.1
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set service dns static host-name 2teldat.com inet 172.30.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 172.30.0.0/31 next-hop 192.168.100.1
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set protocols static route 172.30.0.0/31 next-hop 192.168.200.2
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dictionary 1 local app-id custom 2002 fqdn 2teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping the IP address 192.168.200.2 from DUT1:

admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.858 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.858/0.858/0.858/0.000 ms

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dns-host disable-continuous-resolution

Note

A DNS query is sent from an external Linux host through DUT0 to trigger DNS detection and continuous resolution; the following outputs are shown:

Show output
; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 1teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23438
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1teldat.com.                 IN      A

;; ANSWER SECTION:
1teldat.com.          0       IN      A       172.30.0.0

;; Query time: 4 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Tue May 19 15:44:41 UTC 2026
;; MSG SIZE  rcvd: 56

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 2teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43873
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2teldat.com.                 IN      A

;; ANSWER SECTION:
2teldat.com.          0       IN      A       172.30.0.1

;; Query time: 0 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Tue May 19 15:44:41 UTC 2026
;; MSG SIZE  rcvd: 56

Step 6: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

src=10.215.168.1 dst=192.168.200\.2.+sport=8000.*dport=53.*packets=2.*appdetect\[L4:53\sdns\-host:1teldat.com\]
Show output
udp      17 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 [OFFLOAD, packets=0 bytes=0 packets=1 bytes=84] mark=0 use=2 appdetect[L4:53 dns-host:1teldat.com]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 7: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:1001
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4m59s840ms

Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output does not match the following regular expressions:

172.30.0.1\s*U6:2002
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4m59s744ms

Step 9: Run the command system conntrack clear on DUT0 and expect the following output:

Show output
Connection tracking table has been emptied

Step 10: Modify the following configuration lines in DUT0:

delete system conntrack app-detect dns-host disable-continuous-resolution

Note

A DNS query is sent from an external Linux host through DUT0 to trigger DNS detection and continuous resolution; the following outputs are shown:

Show output
; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 1teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3380
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1teldat.com.                 IN      A

;; ANSWER SECTION:
1teldat.com.          0       IN      A       172.30.0.0

;; Query time: 0 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Tue May 19 15:44:42 UTC 2026
;; MSG SIZE  rcvd: 56

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 2teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2teldat.com.                 IN      A

;; ANSWER SECTION:
2teldat.com.          0       IN      A       172.30.0.1

;; Query time: 0 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Tue May 19 15:44:42 UTC 2026
;; MSG SIZE  rcvd: 56

Step 11: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

src=10.215.168.1 dst=192.168.200\.2.+sport=8000.*dport=53.*packets=2.*appdetect\[L4:53\sdns\-host:2teldat.com\]
Show output
udp      17 29 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 mark=0 use=1 appdetect[L4:53 dns-host:2teldat.com]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 12: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:1001
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4m59s860ms
172.30.0.1  U6:2002         4m59s884ms

Step 13: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.1\s*U6:2002
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4m59s768ms
172.30.0.1  U6:2002         4m59s792ms

Step 14: Ping the IP address 172.30.0.0 from DUT1:

admin@DUT1$ ping 172.30.0.0 count 1 size 56 timeout 1
Show output
PING 172.30.0.0 (172.30.0.0) 56(84) bytes of data.
64 bytes from 172.30.0.0: icmp_seq=1 ttl=63 time=0.410 ms

--- 172.30.0.0 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.410/0.410/0.410/0.000 ms

Step 15: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

icmp\s+.*src=192.168.100\.2 dst=172.30.0.0.*appdetect\[U6:1001\]
Show output
icmp     1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=293 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=293 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001]
udp      17 29 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 mark=0 use=1 appdetect[L4:53 dns-host:2teldat.com]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.

Step 16: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:

Matches in IP-cache\s*1(.*\n)+Modifications in IP-cache\s*3
Show output
---------------------------------------------------
                App-detect Stats                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               1
Modifications in IP-cache                         3
Matches in dynamic dictionaries                   3
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0

Step 17: Ping the IP address 172.30.0.1 from DUT1:

admin@DUT1$ ping 172.30.0.1 count 1 size 56 timeout 1
Show output
PING 172.30.0.1 (172.30.0.1) 56(84) bytes of data.
64 bytes from 172.30.0.1: icmp_seq=1 ttl=63 time=0.411 ms

--- 172.30.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.411/0.411/0.411/0.000 ms

Step 18: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

icmp\s+.*src=192.168.100\.2 dst=172.30.0.1.*appdetect\[U6:2002\]
Show output
icmp     1 29 src=192.168.100.2 dst=172.30.0.1 type=8 code=0 id=294 packets=1 bytes=84 src=172.30.0.1 dst=192.168.100.2 type=0 code=0 id=294 packets=1 bytes=84 mark=0 use=1 appdetect[U6:2002]
icmp     1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=293 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=293 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001]
udp      17 29 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 mark=0 use=1 appdetect[L4:53 dns-host:2teldat.com]
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.

Step 19: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:

Matches in IP-cache\s*2(.*\n)+Modifications in IP-cache\s*3
Show output
---------------------------------------------------
                App-detect Stats                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               2
Modifications in IP-cache                         3
Matches in dynamic dictionaries                   3
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0

Test App-Detect IP-Cache

Description

DUT0 configures DNS detection with a custom dictionary together with app-detect chained storage mode. DUT1 pings a hostname resolved by DUT2 through DUT0. The IP-cache in DUT0 is monitored to verify that it contains the resolved address and its matching App-ID. The test also verifies that IP-cache entries expire after the configured timeout.

Scenario

Step 1: Set the following configuration in DUT2:

set interfaces dummy dum1 address 172.30.0.0/32
set interfaces dummy dum2 address 172.30.0.1/32
set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 172.30.0.0/31 next-hop 192.168.100.1
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set protocols static route 172.30.0.0/31 next-hop 192.168.200.2
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Modify the following configuration lines in DUT0:

set system conntrack app-detect ip-cache timeout 5

Step 5: Ping the IP address 192.168.200.2 from DUT1:

admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.907 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.907/0.907/0.907/0.000 ms

Step 6: Ping the IP address 1teldat.com from DUT1:

admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1
Show output
PING 1teldat.com (172.30.0.0) 56(84) bytes of data.
64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.290 ms

--- 1teldat.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.290/0.290/0.290/0.000 ms

Step 7: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

icmp\s+.*src=192.168.100\.2 dst=172.30.0.0.*appdetect\[U6:1001\]
Show output
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=56214 dport=53 packets=1 bytes=69 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=56214 packets=1 bytes=94 mark=0 use=1 appdetect[L4:53]
icmp     1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=296 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=296 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001]
icmp     1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=295 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=295 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=52694 dport=53 packets=2 bytes=114 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=52694 packets=2 bytes=130 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com]
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.

Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:1001
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4s844ms

Step 9: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:

Matches in IP-cache\s*1(.*\n)+Modifications in IP-cache\s*1
Show output
---------------------------------------------------
                App-detect Stats                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               1
Modifications in IP-cache                         1
Matches in dynamic dictionaries                   1
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0

Step 10: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output does not match the following regular expressions:

172.30.0.0\s*U6:1001

Step 11: Ping the IP address 1teldat.com from DUT1:

admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1
Show output
PING 1teldat.com (172.30.0.0) 56(84) bytes of data.
64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.327 ms

--- 1teldat.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.327/0.327/0.327/0.000 ms

Step 12: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:1001
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4s940ms

Test App-Detect IP-Cache Blacklist

Description

DUT0 configures DNS detection and a custom dictionary with two entries that map different App-IDs to the same IP address, causing App-ID flapping. The test first verifies that flapping is detected without blacklisting. Then the IP-cache blacklist option is enabled and the test verifies that the flapping address is blacklisted.

Scenario

Step 1: Set the following configuration in DUT2:

set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set service dns static host-name 2teldat.com inet 172.30.0.0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dictionary 1 local app-id custom 2002 fqdn 2teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping the IP address 192.168.200.2 from DUT1:

admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.833 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.833/0.833/0.833/0.000 ms

Step 5: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED

Step 6: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:1001
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4m59s912ms

Step 7: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED

Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:2002
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:2002         4m59s928ms

Step 9: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED

Step 10: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:1001
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:1001         4m59s912ms

Step 11: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED

Step 12: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*U6:2002
Show output
--------------------------------------
    IP      Application ID  Expires in
--------------------------------------
172.30.0.0  U6:2002         4m59s924ms

Step 13: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:

Modifications in IP-cache\s*4(.*\n)+Ips blacklisted from cache due to appid flapping\s*0
Show output
---------------------------------------------------
                App-detect Stats                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               0
Modifications in IP-cache                         4
Matches in dynamic dictionaries                   4
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0

Step 14: Run the command system conntrack app-detect show ip-blacklist-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0
Show output
--------------------------------
    IP      Changes  Expires in
--------------------------------
172.30.0.0  3        14m59s768ms

Step 15: Modify the following configuration lines in DUT0 :

set system conntrack app-detect ip-cache blacklist

Step 16: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED

Step 17: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED

Step 18: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED

Step 19: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:

Address:\s*172.30.0.0
Show output
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED

Step 20: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:

Modifications in IP-cache\s*8(.*\n)+Ips blacklisted from cache due to appid flapping\s*1
Show output
---------------------------------------------------
                App-detect Stats                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               0
Modifications in IP-cache                         8
Matches in dynamic dictionaries                   8
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  1
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0

Step 21: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

^s*$

Step 22: Run the command system conntrack app-detect show ip-blacklist-cache on DUT0 and check whether the output matches the following regular expressions:

172.30.0.0\s*3
Show output
--------------------------------
    IP      Changes  Expires in
--------------------------------
172.30.0.0  3        14m59s752ms

Test App-Detect IP-Cache Chained App-ID

Description

DUT0 configures HTTP detection, DNS detection and a custom dictionary, together with app-detect chained storage mode and refresh-flow-appid option. DUT1 downloads a file via HTTP through DUT0, resolved by DUT2. On the first request the appdetect annotation shows the App-ID chain in real-time detection order. After clearing conntrack, a second request verifies that the IP-cache match appears first in the App-ID chain of the connection.

Scenario

Step 1: Set the following configuration in DUT2 :

set interfaces ethernet eth0 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name enterprise.opentok.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth0 vif 200 address 192.168.200.1/24
set system conntrack app-detect app-id-storage chained
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn enterprise.opentok.com
set system conntrack app-detect http
set system conntrack app-detect http-host
set system conntrack app-detect refresh-flow-appid
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping the IP address 192.168.200.2 from DUT1:

admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
Show output
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.734 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.734/0.734/0.734/0.000 ms

Step 5: Ping the IP address 10.215.168.1 from DUT1:

admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.415 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.415/0.415/0.415/0.000 ms

Step 6: Run the command file copy http://enterprise.opentok.com/~robot/ running://index.html force on DUT1 and expect the following output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1095    0  1095    0     0   173k      0 --:--:-- --:--:-- --:--:--  178k

Step 7: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80;U6:1001\shttp\-host:enterprise.opentok.com\]
Show output
icmp     1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=299 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=299 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=38470 dport=80 packets=6 bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=38470 packets=4 bytes=1478 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1366] mark=0 use=3 appdetect[L3:6;L4:80;U6:1001 http-host:enterprise.opentok.com]
icmp     1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=300 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=300 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
udp      17 src=192.168.100.2 dst=192.168.200.2 sport=55715 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=55715 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=2 appdetect[L3:17;L4:53]
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.

Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:

10.215.168.1\s*U6:1001
Show output
----------------------------------------
     IP       Application ID  Expires in
----------------------------------------
10.215.168.1  U6:1001         4m59s856ms

Step 9: Run the command system conntrack clear on DUT0 and expect the following output:

Show output
Connection tracking table has been emptied

Step 10: Run the command file copy http://enterprise.opentok.com/~robot/ running://index.html force on DUT1 and expect the following output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1095    0  1095    0     0   166k      0 --:--:-- --:--:-- --:--:--  178k

Step 11: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:

tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[U6:1001;L3:6;L4:80\shttp\-host:enterprise.opentok.com\]
Show output
udp      17 src=192.168.100.2 dst=192.168.200.2 sport=47499 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=47499 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=2 appdetect[L3:17;L4:53]
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=38476 dport=80 packets=6 bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=38476 packets=4 bytes=1478 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1366] mark=0 use=3 appdetect[U6:1001;L3:6;L4:80 http-host:enterprise.opentok.com]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
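An added example (not part of this test report or the DUT's own code) that parses the appdetect[...] annotation of the conntrack lines shown in Steps 7 and 11 and reports whether the App-ID chain opens with the IP-cache match, as the description above says it does after the cache hit. The sample lines are constructed from those outputs with the per-direction counters elided, and the regex-based parse is an assumption about the line format, not a documented interface.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the Step 7 / Step 11 outputs (counters elided).
SAMPLE = [
    "tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=38470 dport=80 mark=0 use=3 "
    "appdetect[L3:6;L4:80;U6:1001 http-host:enterprise.opentok.com]",
    "tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=38476 dport=80 mark=0 use=3 "
    "appdetect[U6:1001;L3:6;L4:80 http-host:enterprise.opentok.com]",
    "udp      17 src=192.168.100.2 dst=192.168.200.2 sport=47499 dport=53 mark=0 use=2 "
    "appdetect[L3:17;L4:53]",
]

FLOW_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?:\d+\s+)?src=(?P<src>\S+) dst=(?P<dst>\S+)"
                     r"(?: sport=\d+ dport=(?P<dport>\d+))?")
ANNOT_RE = re.compile(r"appdetect\[(?P<chain>[^\]\s]+)(?: http-host:(?P<host>[^\]\s]+))?\]")

@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int | None
    chain: list[str]          # App-ID chain in the order app-detect recorded it
    http_host: str | None

    @property
    def custom_app_id(self) -> str | None:
        return next((a for a in self.chain if a.startswith("U6:")), None)  # first U6 entry

    @property
    def cache_first(self) -> bool:
        """True when the chain opens with the dictionary App-ID, i.e. the flow was classified
        from the IP-cache before L3/L4 detection (Step 11 order); False for real-time order."""
        return bool(self.chain) and self.chain[0].startswith("U6:")

def parse_flow(line: str) -> Flow | None:
    """Return a Flow for a conntrack line carrying an appdetect annotation, else None."""
    f, a = FLOW_RE.match(line), ANNOT_RE.search(line)
    if not f or not a:
        return None
    return Flow(f["proto"], f["src"], f["dst"], int(f["dport"]) if f["dport"] else None,
                a["chain"].split(";"), a["host"])

def check_http_flow(line: str, dst: str, app_id: str, host: str) -> bool:
    """Structured form of the Step 7/11 regex check: TCP to dst:80 with expected App-ID and Host."""
    fl = parse_flow(line)
    return (fl is not None and fl.proto == "tcp" and fl.dst == dst and fl.dport == 80
            and fl.custom_app_id == app_id and fl.http_host == host)
```

Feeding the real `system conntrack show` output line by line through `parse_flow` gives the same pass/fail as the regular expressions in Steps 7 and 11, plus the chain order, which the regexes only check implicitly.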