App-Detect
These scenarios check the basic functions of the app-detect feature: per-flow application identification stored in the conntrack appdetect annotation, the HTTP-Host and DNS-Host detectors, chained App-ID storage, and the IP-cache that maps resolved addresses to dictionary App-IDs (including entry expiry and blacklisting of flapping addresses).
Test App-Detect HTTP-Host
Description
DUT0 configures the HTTP application detector. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that it is identified as HTTP and the destination hostname appears in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth1 address 192.168.100.1/24
set system conntrack app-detect http
set system conntrack app-detect http-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.714 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.714/0.714/0.714/0.000 ms
Step 4: Run the command file copy http://10.215.168.1/~robot/ running://index.html force on DUT1 and expect the following output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   968    0   968    0     0   101k      0 --:--:-- --:--:-- --:--:--  105k
Step 5: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L4:80\shttp\-host:10.215.168.1\]
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=51564 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=51564 packets=4 bytes=1351 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1239] mark=0 use=3 appdetect[L4:80 http-host:10.215.168.1]
icmp     1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=591 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=591 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Test App-Detect HTTP-Host Chained App-ID
Description
DUT0 configures the HTTP application detector together with app-detect chained storage mode. DUT1 acts as a client behind DUT0 and downloads a file via HTTP. The connection in DUT0 is then monitored to verify that all detected App-ID results are stored together in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth1 address 192.168.100.1/24
set system conntrack app-detect app-id-storage chained
set system conntrack app-detect http
set system conntrack app-detect http-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.957 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.957/0.957/0.957/0.000 ms
Step 4: Run the command file copy http://10.215.168.1/~robot/ running://index.html force on DUT1 and expect the following output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   968    0   968    0     0   134k      0 --:--:-- --:--:-- --:--:--  157k
Step 5: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80\shttp\-host:10.215.168.1\]
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=34204 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=34204 packets=4 bytes=1351 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1239] mark=0 use=3 appdetect[L3:6;L4:80 http-host:10.215.168.1]
icmp     1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=592 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=592 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
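The Step 5 checks of the two HTTP-Host tests run a regular expression over the raw system conntrack show text. The following Python parser is an added example (not code from the original page or from the router): it splits each flow line into its original and reply tuples and decodes the appdetect[...] annotation, so a check can assert on the App-ID chain and the http-host attribute as fields instead of matching a regular expression. The sample text is constructed from the outputs shown above; the helper name check_http_host is chosen here.

```python
"""Parse `system conntrack show` output and check the appdetect annotation.

Added example, not code from the original page or from the router. The
sample text is constructed from the outputs shown in the HTTP-Host tests:
one flow per line, a trailer line from conntrack-tools at the end.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
tcp      6 src=192.168.100.2 dst=10.215.168.1 sport=34204 dport=80 packets=6 bytes=574 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=34204 packets=4 bytes=1351 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1239] mark=0 use=3 appdetect[L3:6;L4:80 http-host:10.215.168.1]
icmp     1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=592 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=592 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
"""

KV = re.compile(r"([\w-]+)=(\S+)")
APPDETECT = re.compile(r"appdetect\[([^\]]*)\]")


@dataclass
class Flow:
    proto: str
    orig: dict      # original direction, as seen from the client
    reply: dict     # reply direction, i.e. after source NAT on eth0
    appids: list    # App-ID chain, e.g. ["L3:6", "L4:80"]
    attrs: dict     # detector attributes, e.g. {"http-host": "10.215.168.1"}


def parse_appdetect(annotation):
    """'L3:6;L4:80 http-host:x' -> (['L3:6', 'L4:80'], {'http-host': 'x'}).

    Entries are ';'-separated (chained storage); each entry is an App-ID
    optionally followed by key:value attributes."""
    ids, attrs = [], {}
    for entry in annotation.split(";"):
        parts = entry.split()
        if not parts:
            continue
        ids.append(parts[0])
        for extra in parts[1:]:
            key, _, val = extra.partition(":")
            attrs[key] = val
    return ids, attrs


def parse_conntrack(text):
    """Return one Flow per entry line; the conntrack-tools trailer is skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("conntrack v"):
            continue
        proto = line.split()[0]
        first = line.index("src=")                 # original tuple starts here
        second = line.index("src=", first + 1)     # reply tuple starts here
        end = line.find("[", second)               # flags/annotation follow the reply tuple
        orig = dict(KV.findall(line[first:second]))
        reply = dict(KV.findall(line[second:end if end > 0 else len(line)]))
        match = APPDETECT.search(line)
        ids, attrs = parse_appdetect(match.group(1)) if match else ([], {})
        flows.append(Flow(proto, orig, reply, ids, attrs))
    return flows


def find_flow(flows, proto, src, dst, dport=None):
    """First flow whose original tuple matches proto/src/dst (and dport if given)."""
    for flow in flows:
        if flow.proto == proto and flow.orig.get("src") == src and flow.orig.get("dst") == dst:
            if dport is None or flow.orig.get("dport") == dport:
                return flow
    return None


def check_http_host(flows, src, dst, expected_host, chained=False):
    """The Step 5 check as a field comparison: the TCP flow src->dst:80 must
    carry the expected http-host and exactly the App-ID chain the storage
    mode produces (L4:80 alone, or L3:6;L4:80 when chained)."""
    flow = find_flow(flows, "tcp", src, dst, "80")
    if flow is None or flow.attrs.get("http-host") != expected_host:
        return False
    return flow.appids == (["L3:6", "L4:80"] if chained else ["L4:80"])


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE)
    http = find_flow(flows, "tcp", "192.168.100.2", "10.215.168.1", "80")
    print(http.appids, http.attrs)  # ['L3:6', 'L4:80'] {'http-host': '10.215.168.1'}
    print(check_http_host(flows, "192.168.100.2", "10.215.168.1", "10.215.168.1", chained=True))  # True
```

Because the reply tuple is parsed separately, the same helper also exposes the NAT translation (the reply dst is the eth0 address 10.215.168.64, not the client), which the regular expression in the test does not check.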
Test App-Detect DNS-Host
Description
DUT0 configures the DNS application detector. DUT1 acts as a client that performs a DNS lookup through DUT0 to DUT2, which runs a DNS server. The connection in DUT0 is then monitored to verify that the queried hostname appears in the appdetect annotation.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=0.790 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.790/0.790/0.790/0.000 ms
Step 5: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED
Step 6: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
src=192.168.100\.2 dst=192.168.200\.2.+dport=53.*appdetect\[L4:53\sdns\-host:1teldat.com\]
icmp     1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=593 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=593 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=32965 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=32965 packets=1 bytes=73 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com]
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=43635 dport=53 packets=1 bytes=57 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=43635 packets=1 bytes=57 mark=0 use=1 appdetect[L4:53]
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
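Both detectors key on the first client payload of a flow: http-host reads the Host header of the HTTP request (first test), dns-host reads the question name of the DNS query (this test), and the A records in the DNS reply are what the IP-cache later maps to the dictionary App-ID (the following tests). The Python functions below are an added example, not the router's detector code; they extract those three values from raw payloads. The HTTP request and the DNS messages are constructed here to mirror the test traffic (a GET for /~robot/ with Host 10.215.168.1; an A query for 1teldat.com answered with 172.30.0.0, TTL 0, the answer name written as a compression pointer). Function names are chosen here.

```python
"""Extract what the http-host and dns-host detectors annotate: the Host
header of the first HTTP request, the question name of a DNS message, and
the A records of the DNS reply that feed the IP-cache.
Added example, not the router's detector code; payloads are constructed."""
import struct

# GET for /~robot/ with the Host the first test expects in the annotation.
HTTP_REQUEST = (b"GET /~robot/ HTTP/1.1\r\n"
                b"Host: 10.215.168.1\r\n"
                b"User-Agent: curl/8.5.0\r\n"
                b"Accept: */*\r\n\r\n")

# A query for 1teldat.com and the matching reply (A 172.30.0.0, TTL 0; the
# answer owner name is a compression pointer, 0xC00C, back to offset 12).
DNS_QUERY = (b"\x93\xc9\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x071teldat\x03com\x00\x00\x01\x00\x01")
DNS_RESPONSE = (b"\x93\xc9\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                b"\x071teldat\x03com\x00\x00\x01\x00\x01"
                b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\xac\x1e\x00\x00")


def http_host(payload):
    """Host header of an HTTP/1.x request, without an explicit port, or None
    if the payload is not a complete request header block."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                          # headers incomplete, or not HTTP
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                          # not an HTTP request line
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            if ":" in host and not host.startswith("["):
                host = host.rsplit(":", 1)[0]  # drop "name:port"
            return host
    return None


def _read_name(msg, pos):
    """Decode a possibly compressed DNS name at pos; return (name, next_pos)."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length & 0xC0 == 0xC0:            # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if not jumped:
                end = pos + 2                # the name ends after the first pointer
            jumped, hops = True, hops + 1
            if hops > 16 or target >= len(msg):
                raise ValueError("pointer loop or out of range")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        pos += 1
        if length == 0:
            break
        label = msg[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def dns_question(msg):
    """(qname, qtype) of the first question, or None if the message is malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    try:
        name, pos = _read_name(msg, 12)
    except ValueError:
        return None
    if pos + 4 > len(msg):
        return None                          # QTYPE/QCLASS missing
    return name, struct.unpack("!H", msg[pos:pos + 2])[0]


def dns_a_records(msg):
    """[(owner, ipv4)] for the A records in the answer section of a reply."""
    if len(msg) < 12:
        return []
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000:
        return []                            # QR bit clear: a query, not a reply
    pos, out = 12, []
    try:
        for _ in range(qdcount):
            _, pos = _read_name(msg, pos)
            pos += 4                         # skip QTYPE/QCLASS
        for _ in range(ancount):
            owner, pos = _read_name(msg, pos)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            rdata = msg[pos:pos + rdlen]
            pos += rdlen
            if rtype == 1 and rclass == 1 and len(rdata) == 4:
                out.append((owner, ".".join(str(b) for b in rdata)))
    except (ValueError, struct.error):
        pass                                 # stop at the first malformed record
    return out
```

The malformed-input paths matter for a detector that runs on every new flow: a truncated name, a pointer loop or a short record must yield "no result" rather than an exception, which is why every length is checked before it is used and pointer hops are bounded.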
Test App-Detect DNS-Host Continuous Resolution
Description
DUT0 configures the DNS application detector with a custom dictionary containing two FQDNs. An external host sends DNS queries for both FQDNs through DUT0 over a single UDP flow (same source port). With continuous resolution disabled, only the first query on the flow is inspected: the appdetect annotation records the first hostname and only its address enters the IP-cache. With continuous resolution enabled, every query on the flow is inspected, the annotation is updated to the latest hostname and both addresses are cached. Traffic from DUT1 to the cached addresses is then tagged with the matching custom App-ID.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces dummy dum1 address 172.30.0.0/32
set interfaces dummy dum2 address 172.30.0.1/32
set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 10.215.168.0/24 next-hop 192.168.200.1
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set service dns static host-name 2teldat.com inet 172.30.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 172.30.0.0/31 next-hop 192.168.100.1
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set protocols static route 172.30.0.0/31 next-hop 192.168.200.2
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dictionary 1 local app-id custom 2002 fqdn 2teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=1.05 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.053/1.053/1.053/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
set system conntrack app-detect dns-host disable-continuous-resolution
Note
A DNS query for each FQDN is sent from an external Linux host (10.215.168.1, bound to source port 8000 so that both queries share one UDP flow through DUT0) to trigger DNS detection. With continuous resolution disabled, only the first query on the flow is inspected. The following output is produced:
; <<>> DiG 9.18.49-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 1teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37833
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1teldat.com.                   IN      A

;; ANSWER SECTION:
1teldat.com.            0       IN      A       172.30.0.0

;; Query time: 4 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Wed Jun 03 11:42:25 UTC 2026
;; MSG SIZE  rcvd: 56

; <<>> DiG 9.18.49-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 2teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56264
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2teldat.com.                   IN      A

;; ANSWER SECTION:
2teldat.com.            0       IN      A       172.30.0.1

;; Query time: 0 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Wed Jun 03 11:42:25 UTC 2026
;; MSG SIZE  rcvd: 56
Step 6: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
src=10.215.168.1 dst=192.168.200\.2.+sport=8000.*dport=53.*packets=2.*appdetect\[L4:53\sdns\-host:1teldat.com\]
udp      17 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 [OFFLOAD, packets=0 bytes=0 packets=1 bytes=84] mark=0 use=2 appdetect[L4:53 dns-host:1teldat.com]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 7: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:1001
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4m59s824ms
Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output does not match the following regular expressions:
172.30.0.1\s*U6:2002
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4m59s720ms
Step 9: Run the command system conntrack clear on DUT0 and expect the following output:
Connection tracking table has been emptied
Step 10: Modify the following configuration lines in DUT0 :
delete system conntrack app-detect dns-host disable-continuous-resolution
Note
A DNS query for each FQDN is again sent from the external Linux host (10.215.168.1, source port 8000, one UDP flow through DUT0) to trigger DNS detection. With continuous resolution enabled, every query on the flow is inspected. The following output is produced:
; <<>> DiG 9.18.49-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 1teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43823
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1teldat.com.                   IN      A

;; ANSWER SECTION:
1teldat.com.            0       IN      A       172.30.0.0

;; Query time: 0 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Wed Jun 03 11:42:26 UTC 2026
;; MSG SIZE  rcvd: 56

; <<>> DiG 9.18.49-1~deb12u1-Debian <<>> @192.168.200.2 -b 10.215.168.1#8000 2teldat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2teldat.com.                   IN      A

;; ANSWER SECTION:
2teldat.com.            0       IN      A       172.30.0.1

;; Query time: 0 msec
;; SERVER: 192.168.200.2#53(192.168.200.2) (UDP)
;; WHEN: Wed Jun 03 11:42:26 UTC 2026
;; MSG SIZE  rcvd: 56
Step 11: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
src=10.215.168.1 dst=192.168.200\.2.+sport=8000.*dport=53.*packets=2.*appdetect\[L4:53\sdns\-host:2teldat.com\]
udp      17 29 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 mark=0 use=1 appdetect[L4:53 dns-host:2teldat.com]
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 12: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:1001
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4m59s840ms
172.30.0.1       U6:2002          4m59s852ms
Step 13: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.1\s*U6:2002
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4m59s716ms
172.30.0.1       U6:2002          4m59s728ms
Step 14: Ping the IP address 172.30.0.0 from DUT1:
admin@DUT1$ ping 172.30.0.0 count 1 size 56 timeout 1
PING 172.30.0.0 (172.30.0.0) 56(84) bytes of data.
64 bytes from 172.30.0.0: icmp_seq=1 ttl=63 time=0.940 ms

--- 172.30.0.0 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.940/0.940/0.940/0.000 ms
Step 15: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
icmp\s+.*src=192.168.100\.2 dst=172.30.0.0.*appdetect\[U6:1001\]
udp      17 29 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 mark=0 use=1 appdetect[L4:53 dns-host:2teldat.com]
icmp     1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=595 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=595 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Step 16: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:
Matches in IP-cache\s*1(.*\n)+Modifications in IP-cache\s*3
---------------------------------------------------
App-detect Stats                                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               1
Modifications in IP-cache                         3
Matches in dynamic dictionaries                   3
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0
Step 17: Ping the IP address 172.30.0.1 from DUT1:
admin@DUT1$ ping 172.30.0.1 count 1 size 56 timeout 1
PING 172.30.0.1 (172.30.0.1) 56(84) bytes of data.
64 bytes from 172.30.0.1: icmp_seq=1 ttl=63 time=0.403 ms

--- 172.30.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.403/0.403/0.403/0.000 ms
Step 18: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
icmp\s+.*src=192.168.100\.2 dst=172.30.0.1.*appdetect\[U6:2002\]
udp      17 29 src=10.215.168.1 dst=192.168.200.2 sport=8000 dport=53 packets=2 bytes=160 src=192.168.200.2 dst=10.215.168.1 sport=53 dport=8000 packets=2 bytes=168 mark=0 use=1 appdetect[L4:53 dns-host:2teldat.com]
icmp     1 29 src=192.168.100.2 dst=172.30.0.1 type=8 code=0 id=596 packets=1 bytes=84 src=172.30.0.1 dst=192.168.100.2 type=0 code=0 id=596 packets=1 bytes=84 mark=0 use=1 appdetect[U6:2002]
icmp     1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=595 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=595 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001]
conntrack v1.4.7 (conntrack-tools): 3 flow entries have been shown.
Step 19: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:
Matches in IP-cache\s*2(.*\n)+Modifications in IP-cache\s*3
---------------------------------------------------
App-detect Stats                                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               2
Modifications in IP-cache                         3
Matches in dynamic dictionaries                   3
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0
Test App-Detect IP-Cache
Description
DUT0 configures DNS detection with a custom dictionary and sets a short IP-cache timeout (5 seconds). DUT1 pings a hostname resolved by DUT2 through DUT0. The IP-cache in DUT0 is monitored to verify that it contains the resolved address with its matching App-ID and that the ICMP flow to that address is tagged with the same App-ID. The test also verifies that the IP-cache entry expires after the configured timeout and is re-created by a new resolution.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces dummy dum1 address 172.30.0.0/32
set interfaces dummy dum2 address 172.30.0.1/32
set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 172.30.0.0/31 next-hop 192.168.100.1
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set protocols static route 172.30.0.0/31 next-hop 192.168.200.2
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Modify the following configuration lines in DUT0 :
set system conntrack app-detect ip-cache timeout 5
Step 5: Ping the IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=1.05 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.047/1.047/1.047/0.000 ms
Step 6: Ping the IP address 1teldat.com from DUT1:
admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1
PING 1teldat.com (172.30.0.0) 56(84) bytes of data.
64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.370 ms

--- 1teldat.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.370/0.370/0.370/0.000 ms
Step 7: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
icmp\s+.*src=192.168.100\.2 dst=172.30.0.0.*appdetect\[U6:1001\]
icmp     1 29 src=192.168.100.2 dst=172.30.0.0 type=8 code=0 id=598 packets=1 bytes=84 src=172.30.0.0 dst=192.168.100.2 type=0 code=0 id=598 packets=1 bytes=84 mark=0 use=1 appdetect[U6:1001]
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=57296 dport=53 packets=1 bytes=69 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=57296 packets=1 bytes=94 mark=0 use=1 appdetect[L4:53]
icmp     1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=597 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=597 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
udp      17 29 src=192.168.100.2 dst=192.168.200.2 sport=55194 dport=53 packets=2 bytes=114 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=55194 packets=2 bytes=130 mark=0 use=1 appdetect[L4:53 dns-host:1teldat.com]
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:1001
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4s780ms
Step 9: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:
Matches in IP-cache\s*1(.*\n)+Modifications in IP-cache\s*1
---------------------------------------------------
App-detect Stats                                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               1
Modifications in IP-cache                         1
Matches in dynamic dictionaries                   1
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0
Step 10: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output does not match the following regular expressions:
172.30.0.0\s*U6:1001
Step 11: Ping the IP address 1teldat.com from DUT1:
admin@DUT1$ ping 1teldat.com count 1 size 56 timeout 1
PING 1teldat.com (172.30.0.0) 56(84) bytes of data.
64 bytes from 1teldat.com (172.30.0.0): icmp_seq=1 ttl=63 time=0.492 ms

--- 1teldat.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.492/0.492/0.492/0.000 ms
Step 12: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:1001
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4s924ms
Test App-Detect IP-Cache Blacklist
Description
DUT0 configures DNS detection and a custom dictionary with two entries that map different App-IDs to the same IP address, causing App-ID flapping. The test first verifies that flapping is detected without blacklisting. Then the IP-cache blacklist option is enabled and the test verifies that the flapping address is blacklisted.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth1 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name 1teldat.com inet 172.30.0.0
set service dns static host-name 2teldat.com inet 172.30.0.0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 192.168.200.0/24 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn 1teldat.com
set system conntrack app-detect dictionary 1 local app-id custom 2002 fqdn 2teldat.com
set system conntrack app-detect dns-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=1.15 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.149/1.149/1.149/0.000 ms
Step 5: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED
Step 6: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:1001
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4m59s912ms
Step 7: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED
Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:2002
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:2002          4m59s904ms
Step 9: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED
Step 10: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:1001
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:1001          4m59s924ms
Step 11: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED
Step 12: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*U6:2002
--------------------------------------
IP               Application ID   Expires in
--------------------------------------
172.30.0.0       U6:2002          4m59s928ms
Step 13: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:
Modifications in IP-cache\s*4(.*\n)+Ips blacklisted from cache due to appid flapping\s*0
---------------------------------------------------
App-detect Stats                                  #
---------------------------------------------------
Matches in static dictionaries                    0
Matches in IP-cache                               0
Modifications in IP-cache                         4
Matches in dynamic dictionaries                   4
Times appid has been refreshed                    0
Ips blacklisted from cache due to appid flapping  0
Matches in DNS CNAME cache                        0
Entries in DNS CNAME cache                        0
Step 14: Run the command system conntrack app-detect show ip-blacklist-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0
--------------------------------
IP               Changes   Expires in
--------------------------------
172.30.0.0       3         14m59s756ms
Step 15: Modify the following configuration lines in DUT0 :
set system conntrack app-detect ip-cache blacklist
Step 16: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED
Step 17: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED
Step 18: Run the command nslookup 1teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   1teldat.com
Address: 172.30.0.0
** server can't find 1teldat.com: REFUSED
Step 19: Run the command nslookup 2teldat.com dns-server 192.168.200.2 on DUT1 and check whether the output matches the following regular expressions:
Address:\s*172.30.0.0
Server:         192.168.200.2
Address:        192.168.200.2#53

Name:   2teldat.com
Address: 172.30.0.0
** server can't find 2teldat.com: REFUSED
Step 20: Run the command system conntrack app-detect show on DUT0 and check whether the output matches the following regular expressions:
Modifications in IP-cache\s*8(.*\n)+Ips blacklisted from cache due to appid flapping\s*1
---------------------------------------------------
App-detect Stats                                   #
---------------------------------------------------
Matches in static dictionaries                     0
Matches in IP-cache                                0
Modifications in IP-cache                          8
Matches in dynamic dictionaries                    8
Times appid has been refreshed                     0
Ips blacklisted from cache due to appid flapping   1
Matches in DNS CNAME cache                         0
Entries in DNS CNAME cache                         0
Step 21: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
^s*$
Step 22: Run the command system conntrack app-detect show ip-blacklist-cache on DUT0 and check whether the output matches the following regular expressions:
172.30.0.0\s*3
--------------------------------
IP            Changes   Expires in
--------------------------------
172.30.0.0    3         14m59s736ms
Test App-Detect IP-Cache Chained App-ID
Description
DUT0 configures HTTP detection, DNS detection and a custom dictionary, together with the app-detect chained storage mode and the refresh-flow-appid option. DUT1 downloads a file via HTTP through DUT0, with the hostname resolved by DUT2. On the first request the appdetect annotation shows the App-ID chain in real-time detection order. After clearing conntrack, a second request verifies that the IP-cache match appears first in the connection's App-ID chain.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 vif 200 address 192.168.200.2/24
set protocols static route 192.168.100.0/24 next-hop 192.168.200.1
set service dns forwarding disable-local-service
set service dns forwarding name-server 127.0.0.1
set service dns static host-name enterprise.opentok.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 vif 100 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set service dns resolver name-server 192.168.200.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 100 address masquerade
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth0 vif 200 address 192.168.200.1/24
set system conntrack app-detect app-id-storage chained
set system conntrack app-detect dictionary 1 local app-id custom 1001 fqdn enterprise.opentok.com
set system conntrack app-detect http
set system conntrack app-detect http-host
set system conntrack app-detect refresh-flow-appid
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.200.2 from DUT1:
admin@DUT1$ ping 192.168.200.2 count 1 size 56 timeout 1
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=63 time=1.04 ms

--- 192.168.200.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.044/1.044/1.044/0.000 ms
Step 5: Ping the IP address 10.215.168.1 from DUT1:
admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.460 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.460/0.460/0.460/0.000 ms
Step 6: Run the command file copy http://enterprise.opentok.com/~robot/ running://index.html force on DUT1 and expect the following output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   968    0   968    0     0   110k      0 --:--:-- --:--:-- --:--:--  118k
Step 7: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[L3:6;L4:80;U6:1001\shttp\-host:enterprise.opentok.com\]
tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=58514 dport=80 packets=6 bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=58514 packets=4 bytes=1351 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1239] mark=0 use=3 appdetect[L3:6;L4:80;U6:1001 http-host:enterprise.opentok.com]
icmp 1 29 src=192.168.100.2 dst=192.168.200.2 type=8 code=0 id=601 packets=1 bytes=84 src=192.168.200.2 dst=192.168.100.2 type=0 code=0 id=601 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
icmp 1 29 src=192.168.100.2 dst=10.215.168.1 type=8 code=0 id=602 packets=1 bytes=84 src=10.215.168.1 dst=10.215.168.64 type=0 code=0 id=602 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
udp 17 src=192.168.100.2 dst=192.168.200.2 sport=34436 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=34436 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=2 appdetect[L3:17;L4:53]
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
Step 8: Run the command system conntrack app-detect show ip-cache on DUT0 and check whether the output matches the following regular expressions:
10.215.168.1\s*U6:1001
----------------------------------------
IP             Application ID   Expires in
----------------------------------------
10.215.168.1   U6:1001          4m59s816ms
Step 9: Run the command system conntrack clear on DUT0 and expect the following output:
Connection tracking table has been emptied
Step 10: Run the command file copy http://enterprise.opentok.com/~robot/ running://index.html force on DUT1 and expect the following output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   968    0   968    0     0   245k      0 --:--:-- --:--:-- --:--:--  315k
Step 11: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
tcp\s+.*src=192.168.100\.2 dst=10.215.168.1.+dport=80.*appdetect\[U6:1001;L3:6;L4:80\shttp\-host:enterprise.opentok.com\]
udp 17 src=192.168.100.2 dst=192.168.200.2 sport=51209 dport=53 packets=2 bytes=136 src=192.168.200.2 dst=192.168.100.2 sport=53 dport=51209 packets=2 bytes=152 [OFFLOAD, packets=0 bytes=0 packets=0 bytes=0] mark=0 use=2 appdetect[L3:17;L4:53]
tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=58526 dport=80 packets=6 bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=58526 packets=4 bytes=1351 [ASSURED] [OFFLOAD, packets=1 bytes=52 packets=2 bytes=1239] mark=0 use=3 appdetect[U6:1001;L3:6;L4:80 http-host:enterprise.opentok.com]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
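As an added check that is not part of the test suite or the device's own tooling, the following Python parses the conntrack entries and the ip-cache table shown in Steps 7, 8 and 11 and verifies the property this scenario asserts: once the IP-cache holds U6:1001 for 10.215.168.1, that App-ID leads the chain of the second connection. The sample strings are constructed from the outputs above; the Flow class and helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Sample data constructed from the outputs shown in Steps 7, 8 and 11 (not captured live).
IP_CACHE_OUTPUT = """\
----------------------------------------
IP             Application ID   Expires in
----------------------------------------
10.215.168.1   U6:1001          4m59s816ms
"""
FIRST_REQUEST = ("tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=58514 dport=80 packets=6 "
                 "bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=58514 [ASSURED] "
                 "mark=0 use=3 appdetect[L3:6;L4:80;U6:1001 http-host:enterprise.opentok.com]")
SECOND_REQUEST = ("tcp 6 src=192.168.100.2 dst=10.215.168.1 sport=58526 dport=80 packets=6 "
                  "bytes=584 src=10.215.168.1 dst=10.215.168.64 sport=80 dport=58526 [ASSURED] "
                  "mark=0 use=3 appdetect[U6:1001;L3:6;L4:80 http-host:enterprise.opentok.com]")

# Original direction of a conntrack entry (dport is absent for ICMP), and the appdetect
# annotation: App-IDs separated by ';', optionally followed by key:value attributes.
FLOW_RE = re.compile(r"^(?P<proto>\w+)\s.*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)(?:.*?dport=(?P<dport>\d+))?")
APPDETECT_RE = re.compile(r"appdetect\[(?P<chain>[^\]\s]+)(?:\s+(?P<attrs>[^\]]*))?\]")
CACHE_ROW_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<appid>\S+)\s+(?P<expires>\S+)\s*$", re.M)

@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: "int | None"
    chain: list                                # App-IDs in the order the annotation lists them
    attrs: dict = field(default_factory=dict)  # e.g. {"http-host": "enterprise.opentok.com"}

def parse_flow(line):
    """Parse one 'system conntrack show' entry; None when it carries no appdetect annotation."""
    m, a = FLOW_RE.search(line), APPDETECT_RE.search(line)
    if not (m and a):
        return None
    attrs = dict(kv.split(":", 1) for kv in (a["attrs"] or "").split())
    dport = int(m["dport"]) if m["dport"] else None
    return Flow(m["proto"], m["src"], m["dst"], dport, a["chain"].split(";"), attrs)

def parse_ip_cache(text):
    """Map destination IP -> cached App-ID from 'app-detect show ip-cache' output."""
    return {r["ip"]: r["appid"] for r in CACHE_ROW_RE.finditer(text)}

def cache_hit_leads(flow, ip_cache):
    """True when the chain starts with the App-ID cached for the flow's destination,
    i.e. the IP-cache lookup was applied before any real-time detector ran."""
    cached = ip_cache.get(flow.dst)
    return cached is not None and bool(flow.chain) and flow.chain[0] == cached
```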