App Id

The following scenarios show how to filter packets by app-id using traffic selectors.

Match Traffic by a custom dictionary

Description

This example illustrates how to match all traffic in a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id custom -1
set traffic selector SEL rule 1 app-id detected

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.209 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.209/0.209/0.209/0.000 ms

Step 3: Ping IP address teldat.es from DUT0:

admin@DUT0$ ping teldat.es count 1 size 56 timeout 1
PING teldat.es (82.223.148.162) 56(84) bytes of data.
64 bytes from llwk187.servidoresdns.net (82.223.148.162): icmp_seq=1 ttl=43 time=13.9 ms

--- teldat.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 13.933/13.933/13.933/0.000 ms

Step 4: Run command file copy https://teldat.es running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243  100   243    0     0   2642      0 --:--:-- --:--:-- --:--:--  2670

Step 5: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:33 ssl-host:teldat.es\]

Journal output:
Jun 20 16:31:06.361644 osdx systemd-journald[1666]: Runtime Journal (/run/log/journal/f087f5bdba7243899503b0c034eab41a) is 2.0M, max 15.3M, 13.3M free.
Jun 20 16:31:06.365014 osdx systemd-journald[1666]: Received client request to rotate journal, rotating.
Jun 20 16:31:06.365085 osdx systemd-journald[1666]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f087f5bdba7243899503b0c034eab41a.
Jun 20 16:31:06.375091 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 16:31:06.605811 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 16:31:06.847556 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:06.914807 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 20 16:31:07.050467 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 20 16:31:07.105122 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 20 16:31:07.218080 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Jun 20 16:31:07.273152 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 20 16:31:07.380010 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 20 16:31:07.446977 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 20 16:31:07.565142 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 20 16:31:07.683347 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 20 16:31:07.799216 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 16:31:07.870001 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 20 16:31:08.001485 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 16:31:08.105781 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show working'.
Jun 20 16:31:08.188411 osdx ubnt-cfgd[14698]: inactive
Jun 20 16:31:08.224478 osdx INFO[14720]: FRR daemons did not change
Jun 20 16:31:08.356994 osdx kernel: app-detect: module init
Jun 20 16:31:08.357055 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 20 16:31:08.360996 osdx kernel: app-detect: expression init
Jun 20 16:31:08.361050 osdx kernel: app-detect: appid cache initialized
Jun 20 16:31:08.361064 osdx kernel: app-detect: appid cache changes counter initialized
Jun 20 16:31:08.401001 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 16:31:08.693901 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:08.708839 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:08.738031 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:08.905878 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 16:31:09.009148 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Jun 20 16:31:09.242880 osdx file_operation[14964]: using src url: https://teldat.es dst url: running://index.html
Jun 20 16:31:09.288097 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=2915 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.289114 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=2916 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.289199 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=2917 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.292990 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=2918 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.293008 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=43 ID=2921 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.293017 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=2920 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.309505 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=2922 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.335375 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=2923 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.349001 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=2925 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.349096 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=2924 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.349109 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=2926 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.367992 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.

Step 6: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4586    0  4586    0     0   860k      0 --:--:-- --:--:-- --:--:--  895k

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:34 http-host:10.215.168.1\]

Journal output:
Jun 20 16:31:06.361644 osdx systemd-journald[1666]: Runtime Journal (/run/log/journal/f087f5bdba7243899503b0c034eab41a) is 2.0M, max 15.3M, 13.3M free.
Jun 20 16:31:06.365014 osdx systemd-journald[1666]: Received client request to rotate journal, rotating.
Jun 20 16:31:06.365085 osdx systemd-journald[1666]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f087f5bdba7243899503b0c034eab41a.
Jun 20 16:31:06.375091 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 16:31:06.605811 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 16:31:06.847556 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:06.914807 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 20 16:31:07.050467 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 20 16:31:07.105122 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 20 16:31:07.218080 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id custom -1'.
Jun 20 16:31:07.273152 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 20 16:31:07.380010 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 20 16:31:07.446977 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 20 16:31:07.565142 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 20 16:31:07.683347 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 20 16:31:07.799216 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 16:31:07.870001 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 20 16:31:08.001485 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 16:31:08.105781 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show working'.
Jun 20 16:31:08.188411 osdx ubnt-cfgd[14698]: inactive
Jun 20 16:31:08.224478 osdx INFO[14720]: FRR daemons did not change
Jun 20 16:31:08.356994 osdx kernel: app-detect: module init
Jun 20 16:31:08.357055 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 20 16:31:08.360996 osdx kernel: app-detect: expression init
Jun 20 16:31:08.361050 osdx kernel: app-detect: appid cache initialized
Jun 20 16:31:08.361064 osdx kernel: app-detect: appid cache changes counter initialized
Jun 20 16:31:08.401001 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 16:31:08.693901 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:08.708839 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:08.738031 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:08.905878 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 16:31:09.009148 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping teldat.es count 1 size 56 timeout 1'.
Jun 20 16:31:09.242880 osdx file_operation[14964]: using src url: https://teldat.es dst url: running://index.html
Jun 20 16:31:09.288097 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=2915 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.289114 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=2916 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.289199 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=2917 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.292990 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1492 TOS=0x00 PREC=0x00 TTL=43 ID=2918 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.293008 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=188 TOS=0x00 PREC=0x00 TTL=43 ID=2921 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.293017 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=43 ID=2920 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.309505 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=103 TOS=0x00 PREC=0x00 TTL=43 ID=2922 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=235 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.335375 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=599 TOS=0x00 PREC=0x00 TTL=43 ID=2923 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.349001 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=2925 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK FIN URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.349096 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=43 ID=2924 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK PSH URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.349109 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=82.223.148.162 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=2926 DF PROTO=TCP SPT=443 DPT=59894 WINDOW=243 RES=0x00 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.367992 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://teldat.es running://index.html force'.
Jun 20 16:31:09.461115 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 20 16:31:09.643677 osdx file_operation[14986]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jun 20 16:31:09.652997 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51486 DF PROTO=TCP SPT=80 DPT=39482 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 20 16:31:09.653043 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=4806 TOS=0x00 PREC=0x00 TTL=64 ID=51487 DF PROTO=TCP SPT=80 DPT=39482 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 20 16:31:09.668642 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
Jun 20 16:31:09.672998 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51491 DF PROTO=TCP SPT=80 DPT=39482 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
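
An added example, not part of the original page or of the vendor's tooling: a Python script that parses the `log app-id` kernel lines checked in Steps 5 and 7 and compares each logged host with the app-id the custom dictionary is expected to assign (33 for teldat.es, 34 for 10.215.168.1). The sample lines are constructed, modelled on the journal output above, and reading `[POL-1]` as policy name plus rule number is an assumption.

```python
import re
from collections import Counter

# Assumption: "[POL-1]" is "<policy name>-<rule number>", inferred from the
# page's configuration (policy POL, rule 1). The letter before the app-id
# ("U") is not explained on the page and is kept as an opaque tag.
LOG_RE = re.compile(
    r"kernel: \[(?P<policy>\S+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) (?P<fields>.*?)"
    r"(?: APPDETECT\[(?P<tag>\w+):(?P<app_id>\d+) (?P<source>[\w-]+):(?P<host>[^\]\s]+)\])?$"
)

# Host -> app-id pairs taken from the regular expressions in Steps 5 and 7.
EXPECTED = {"teldat.es": 33, "10.215.168.1": 34}

# Constructed sample journal: the first five lines follow the page's output
# (netfilter fields trimmed); the last three are invented to exercise the checks.
SAMPLE = """\
Jun 20 16:31:08.356994 osdx kernel: app-detect: module init
Jun 20 16:31:09.288097 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=82.223.148.162 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=59894 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.289114 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=82.223.148.162 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=59894 ACK URGP=0 APPDETECT[U:33 ssl-host:teldat.es]
Jun 20 16:31:09.461115 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 20 16:31:09.652997 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=39482 ACK URGP=0 APPDETECT[U:34 http-host:10.215.168.1]
Jun 20 16:31:10.000001 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=40001 ACK URGP=0 APPDETECT[U:34 ssl-host:teldat.es]
Jun 20 16:31:10.000002 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=192.0.2.20 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=40002 ACK URGP=0 APPDETECT[U:33 ssl-host:example.org]
Jun 20 16:31:10.000003 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=40003 ACK URGP=0
"""


def parse_line(line):
    """Return a dict for a traffic-policy log line, or None for any other line."""
    m = LOG_RE.search(line.rstrip())
    if m is None:
        return None
    event = m.groupdict()
    event["rule"] = int(event["rule"])
    if event["app_id"] is not None:
        event["app_id"] = int(event["app_id"])
    # KEY=value netfilter fields; bare flags such as ACK or DF are skipped.
    event["fields"] = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return event


def parse_journal(text):
    """Parse every line of a journal dump, keeping only policy log events."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarise(events):
    """Count packets per (app-id, detection source, host)."""
    return Counter((ev["app_id"], ev["source"], ev["host"])
                   for ev in events if ev["app_id"] is not None)


def audit(events, expected):
    """Report events whose app-id tag is missing, unlisted or unexpected."""
    findings = []
    for ev in events:
        if ev["app_id"] is None:
            findings.append(("no-app-id", ev["fields"].get("SRC"), None))
        elif ev["host"] not in expected:
            findings.append(("unlisted-host", ev["host"], ev["app_id"]))
        elif expected[ev["host"]] != ev["app_id"]:
            findings.append(("app-id-mismatch", ev["host"], ev["app_id"]))
    return findings


if __name__ == "__main__":
    events = parse_journal(SAMPLE)
    for key, count in sorted(summarise(events).items()):
        print(count, key)
    for finding in audit(events, EXPECTED):
        print("FINDING", finding)
```
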

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic in an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.199 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.199/0.199/0.199/0.000 ms

Step 3: Ping IP address www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.39.100) 56(84) bytes of data.
64 bytes from ams15s48-in-f4.1e100.net (142.251.39.100): icmp_seq=1 ttl=104 time=34.0 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 34.004/34.004/34.004/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  10.6M      0 --:--:-- --:--:-- --:--:-- 10.8M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18803    0 18803    0     0  38519      0 --:--:-- --:--:-- --:--:-- 38530

Step 7: Run command system journal show | cat at DUT0 and check that the output matches the following regular expression:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]

Journal output:
Jun 20 16:31:15.351315 osdx systemd-journald[1666]: Runtime Journal (/run/log/journal/f087f5bdba7243899503b0c034eab41a) is 2.0M, max 15.3M, 13.3M free.
Jun 20 16:31:15.357882 osdx systemd-journald[1666]: Received client request to rotate journal, rotating.
Jun 20 16:31:15.357991 osdx systemd-journald[1666]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f087f5bdba7243899503b0c034eab41a.
Jun 20 16:31:15.371352 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 16:31:15.596070 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 16:31:15.878621 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:15.953503 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 20 16:31:16.048419 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 20 16:31:16.104130 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 20 16:31:16.205244 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jun 20 16:31:16.261405 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 20 16:31:16.364127 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 16:31:16.427170 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 20 16:31:16.531105 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 16:31:16.604224 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show working'.
Jun 20 16:31:16.713813 osdx ubnt-cfgd[15258]: inactive
Jun 20 16:31:16.749362 osdx INFO[15280]: FRR daemons did not change
Jun 20 16:31:16.769689 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 16:31:17.046816 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:17.060873 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:17.080095 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:17.230258 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 16:31:17.352015 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 20 16:31:17.501926 osdx file_operation[15490]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 20 16:31:17.527136 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 20 16:31:17.677373 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:17.756988 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 20 16:31:17.845409 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 20 16:31:17.945214 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 20 16:31:18.033021 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show changes'.
Jun 20 16:31:18.121271 osdx ubnt-cfgd[15507]: inactive
Jun 20 16:31:18.142812 osdx INFO[15513]: FRR daemons did not change
Jun 20 16:31:18.321685 osdx kernel: app-detect: module init
Jun 20 16:31:18.321737 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 20 16:31:18.321746 osdx kernel: app-detect: expression init
Jun 20 16:31:18.321755 osdx kernel: app-detect: appid cache initialized
Jun 20 16:31:18.321763 osdx kernel: app-detect: appid cache changes counter initialized
Jun 20 16:31:18.519011 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:18.520906 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:18.548656 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:18.787136 osdx file_operation[15565]: using src url: https://www.google.com dst url: running://index.html
Jun 20 16:31:19.177374 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=19587 PROTO=TCP SPT=443 DPT=57634 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181686 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=19588 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181734 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=19589 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181750 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=184 TOS=0x00 PREC=0x00 TTL=111 ID=19591 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181759 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=19590 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.225213 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=19592 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.225702 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=111 ID=19593 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.225741 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=111 ID=19594 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.233694 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=19595 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.259712 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=19596 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269685 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1040 TOS=0x00 PREC=0x00 TTL=110 ID=19597 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269726 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19598 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269736 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19599 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269744 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19600 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269752 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=2118 TOS=0x00 PREC=0x00 TTL=110 ID=19602 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19604 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273706 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19601 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273721 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19605 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273729 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19606 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273739 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19607 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273747 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19608 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277693 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19609 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277737 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19610 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277751 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19611 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277768 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1271 TOS=0x00 PREC=0x00 TTL=110 ID=19612 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.300944 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jun 20 16:31:19.313699 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=19613 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4703    0  4703    0     0   630k      0 --:--:-- --:--:-- --:--:--  656k

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Jun 20 16:31:15.351315 osdx systemd-journald[1666]: Runtime Journal (/run/log/journal/f087f5bdba7243899503b0c034eab41a) is 2.0M, max 15.3M, 13.3M free.
Jun 20 16:31:15.357882 osdx systemd-journald[1666]: Received client request to rotate journal, rotating.
Jun 20 16:31:15.357991 osdx systemd-journald[1666]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f087f5bdba7243899503b0c034eab41a.
Jun 20 16:31:15.371352 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 16:31:15.596070 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 16:31:15.878621 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:15.953503 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 20 16:31:16.048419 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 20 16:31:16.104130 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 20 16:31:16.205244 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Jun 20 16:31:16.261405 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 20 16:31:16.364127 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 16:31:16.427170 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 20 16:31:16.531105 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 16:31:16.604224 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show working'.
Jun 20 16:31:16.713813 osdx ubnt-cfgd[15258]: inactive
Jun 20 16:31:16.749362 osdx INFO[15280]: FRR daemons did not change
Jun 20 16:31:16.769689 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 16:31:17.046816 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:17.060873 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:17.080095 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:17.230258 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 16:31:17.352015 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 20 16:31:17.501926 osdx file_operation[15490]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 20 16:31:17.527136 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 20 16:31:17.677373 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:17.756988 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 20 16:31:17.845409 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 20 16:31:17.945214 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 20 16:31:18.033021 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show changes'.
Jun 20 16:31:18.121271 osdx ubnt-cfgd[15507]: inactive
Jun 20 16:31:18.142812 osdx INFO[15513]: FRR daemons did not change
Jun 20 16:31:18.321685 osdx kernel: app-detect: module init
Jun 20 16:31:18.321737 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 20 16:31:18.321746 osdx kernel: app-detect: expression init
Jun 20 16:31:18.321755 osdx kernel: app-detect: appid cache initialized
Jun 20 16:31:18.321763 osdx kernel: app-detect: appid cache changes counter initialized
Jun 20 16:31:18.519011 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:18.520906 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:18.548656 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:18.787136 osdx file_operation[15565]: using src url: https://www.google.com dst url: running://index.html
Jun 20 16:31:19.177374 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=19587 PROTO=TCP SPT=443 DPT=57634 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181686 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=19588 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181734 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=19589 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181750 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=184 TOS=0x00 PREC=0x00 TTL=111 ID=19591 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.181759 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=111 ID=19590 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.225213 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=19592 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.225702 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=111 ID=19593 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.225741 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=111 ID=19594 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.233694 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=19595 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.259712 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=19596 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269685 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1040 TOS=0x00 PREC=0x00 TTL=110 ID=19597 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269726 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19598 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269736 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19599 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269744 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19600 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.269752 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=2118 TOS=0x00 PREC=0x00 TTL=110 ID=19602 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273682 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19604 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273706 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19601 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273721 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19605 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273729 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19606 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273739 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19607 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.273747 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19608 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277693 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19609 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277737 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19610 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277751 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=19611 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.277768 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1271 TOS=0x00 PREC=0x00 TTL=110 ID=19612 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.300944 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jun 20 16:31:19.313699 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=19613 PROTO=TCP SPT=443 DPT=57634 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.444597 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 20 16:31:19.806100 osdx systemd[1]: Starting osdx-coredump-cleanup.service - Cleanup of Coredump Files...
Jun 20 16:31:19.860292 osdx systemd[1]: osdx-coredump-cleanup.service: Deactivated successfully.
Jun 20 16:31:19.860427 osdx systemd[1]: Finished osdx-coredump-cleanup.service - Cleanup of Coredump Files.
Jun 20 16:31:19.881733 osdx file_operation[15587]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Jun 20 16:31:19.889710 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=28508 DF PROTO=TCP SPT=80 DPT=49470 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 20 16:31:19.889765 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=4923 TOS=0x00 PREC=0x00 TTL=64 ID=28509 DF PROTO=TCP SPT=80 DPT=49470 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 20 16:31:19.893700 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=28513 DF PROTO=TCP SPT=80 DPT=49470 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 20 16:31:19.911820 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
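
The journal check from Step 9, as an added example in Python that is not part of the original page or of OSDx: it parses the kernel policy lines, counts packets per verdict and APPDETECT tag, and applies the step's regular expression. The sample lines are constructed from the format above with some netfilter fields omitted, reading `[POL-1]` as policy name plus rule number is an assumption, and the parser goes beyond Step 9 by also accepting the DROP lines produced by the drop scenario that follows.

```python
import re
from collections import Counter

# Constructed sample input in the journal format shown above; the MAC, TOS,
# TTL and similar netfilter fields are omitted to keep the lines short.
SAMPLE_JOURNAL = """\
Jun 20 16:31:18.321685 osdx kernel: app-detect: module init
Jun 20 16:31:19.177374 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=142.251.39.100 DST=10.215.168.64 LEN=52 PROTO=TCP SPT=443 DPT=57634 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.300944 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Jun 20 16:31:19.313699 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=142.251.39.100 DST=10.215.168.64 LEN=52 PROTO=TCP SPT=443 DPT=57634 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Jun 20 16:31:19.889710 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= SRC=10.215.168.1 DST=10.215.168.64 LEN=52 PROTO=TCP SPT=80 DPT=49470 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Jun 20 16:31:27.438837 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=199.232.193.50 DST=10.215.168.64 LEN=52 PROTO=TCP SPT=443 DPT=48152 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:32.458890 osdx kernel: [POL-1] DROP IN=eth0 OUT= SRC=199.232.193.50 DST=10.215.168.64 LEN=52 PROTO=TCP SPT=443 DPT=48152 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
"""

# Regular expression quoted verbatim from Step 9.
STEP9_RE = r"osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]"

# Assumption: the bracketed prefix is "<policy name>-<rule number>".
# The APPDETECT tag prefix ("U:30", "L4:443") is kept verbatim because this
# page does not define it.
LINE_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<fields>.*?) APPDETECT\[(?P<appid>\S+) (?P<kind>[\w-]+):(?P<host>[^\]]+)\]\s*$"
)
KV_RE = re.compile(r"\b([A-Z0-9]+)=(\S*)")


def parse_line(line):
    """Return a dict for a policy log line carrying an APPDETECT tag, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    fields = dict(KV_RE.findall(rec.pop("fields")))
    rec["rule"] = int(rec["rule"])
    for key in ("SRC", "DST", "SPT", "DPT", "PROTO"):
        rec[key.lower()] = fields.get(key)
    return rec


def summarize(journal_text):
    """Count logged packets per (action, app-id tag, detector, host)."""
    counts = Counter()
    for line in journal_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["action"], rec["appid"], rec["kind"], rec["host"])] += 1
    return counts


def journal_matches(journal_text, pattern):
    """The page's check: does any single journal line match the expression?"""
    return any(re.search(pattern, line) for line in journal_text.splitlines())


if __name__ == "__main__":
    for key, packets in sorted(summarize(SAMPLE_JOURNAL).items()):
        print(packets, *key)
    print("Step 9 check passed:", journal_matches(SAMPLE_JOURNAL, STEP9_RE))
```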

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all traffic that does not belong to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=49 time=4.19 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.187/4.187/4.187/0.000 ms

Step 3: Ping www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.251.39.100) 56(84) bytes of data.
64 bytes from ams15s48-in-f4.1e100.net (142.251.39.100): icmp_seq=1 ttl=104 time=31.8 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.781/31.781/31.781/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Jun 20 16:31:24.000166 osdx systemd-timedated[13413]: Changed local time to Fri 2025-06-20 16:31:24 UTC
Jun 20 16:31:24.001263 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'set date 2025-06-20 16:31:24'.
Jun 20 16:31:24.002831 osdx systemd-journald[1666]: Time jumped backwards, rotating.
Jun 20 16:31:24.335050 osdx systemd-journald[1666]: Runtime Journal (/run/log/journal/f087f5bdba7243899503b0c034eab41a) is 2.0M, max 15.3M, 13.3M free.
Jun 20 16:31:24.338846 osdx systemd-journald[1666]: Received client request to rotate journal, rotating.
Jun 20 16:31:24.338906 osdx systemd-journald[1666]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f087f5bdba7243899503b0c034eab41a.
Jun 20 16:31:24.346781 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 16:31:24.582090 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 16:31:24.820132 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:24.914817 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 20 16:31:25.028693 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 20 16:31:25.129806 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 20 16:31:25.201288 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 20 16:31:25.317626 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jun 20 16:31:25.374451 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 20 16:31:25.480448 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 20 16:31:25.545679 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 20 16:31:25.643538 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 20 16:31:25.783154 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 20 16:31:25.854853 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 16:31:25.965167 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 20 16:31:26.056427 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 16:31:26.232277 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show working'.
Jun 20 16:31:26.347409 osdx ubnt-cfgd[15878]: inactive
Jun 20 16:31:26.386109 osdx INFO[15900]: FRR daemons did not change
Jun 20 16:31:26.530841 osdx kernel: app-detect: module init
Jun 20 16:31:26.530903 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 20 16:31:26.530917 osdx kernel: app-detect: expression init
Jun 20 16:31:26.530929 osdx kernel: app-detect: appid cache initialized
Jun 20 16:31:26.530941 osdx kernel: app-detect: appid cache changes counter initialized
Jun 20 16:31:26.578839 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 16:31:26.888009 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:26.899683 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:26.917224 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:27.119700 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jun 20 16:31:27.238909 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 20 16:31:27.412293 osdx file_operation[16141]: using src url: https://www.marca.com dst url: running://index.html
Jun 20 16:31:27.438837 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=11840 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438889 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11841 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438898 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11842 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438907 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11843 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438915 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=11844 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.469199 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=11845 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.634854 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11846 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.691522 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11847 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.842452 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11848 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:28.122497 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11849 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:28.282152 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11850 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:28.987427 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11851 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:29.114366 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11852 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:30.778925 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=11854 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:32.445917 osdx file_operation.py[16141]: Operation aborted by user.
Jun 20 16:31:32.458839 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=11855 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:32.458890 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=11856 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:32.462797 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.

Step 5: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.google.com\]
Jun 20 16:31:24.000166 osdx systemd-timedated[13413]: Changed local time to Fri 2025-06-20 16:31:24 UTC
Jun 20 16:31:24.001263 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'set date 2025-06-20 16:31:24'.
Jun 20 16:31:24.002831 osdx systemd-journald[1666]: Time jumped backwards, rotating.
Jun 20 16:31:24.335050 osdx systemd-journald[1666]: Runtime Journal (/run/log/journal/f087f5bdba7243899503b0c034eab41a) is 2.0M, max 15.3M, 13.3M free.
Jun 20 16:31:24.338846 osdx systemd-journald[1666]: Received client request to rotate journal, rotating.
Jun 20 16:31:24.338906 osdx systemd-journald[1666]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f087f5bdba7243899503b0c034eab41a.
Jun 20 16:31:24.346781 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 16:31:24.582090 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 16:31:24.820132 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:24.914817 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 20 16:31:25.028693 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 20 16:31:25.129806 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 20 16:31:25.201288 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 20 16:31:25.317626 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Jun 20 16:31:25.374451 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 20 16:31:25.480448 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn teldat'.
Jun 20 16:31:25.545679 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Jun 20 16:31:25.643538 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 20 16:31:25.783154 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 20 16:31:25.854853 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 16:31:25.965167 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 20 16:31:26.056427 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 16:31:26.232277 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show working'.
Jun 20 16:31:26.347409 osdx ubnt-cfgd[15878]: inactive
Jun 20 16:31:26.386109 osdx INFO[15900]: FRR daemons did not change
Jun 20 16:31:26.530841 osdx kernel: app-detect: module init
Jun 20 16:31:26.530903 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 20 16:31:26.530917 osdx kernel: app-detect: expression init
Jun 20 16:31:26.530929 osdx kernel: app-detect: appid cache initialized
Jun 20 16:31:26.530941 osdx kernel: app-detect: appid cache changes counter initialized
Jun 20 16:31:26.578839 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 16:31:26.888009 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:26.899683 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:26.917224 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:27.119700 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jun 20 16:31:27.238909 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Jun 20 16:31:27.412293 osdx file_operation[16141]: using src url: https://www.marca.com dst url: running://index.html
Jun 20 16:31:27.438837 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=11840 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438889 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11841 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438898 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11842 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438907 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11843 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.438915 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=11844 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.469199 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=49 ID=11845 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.634854 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11846 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.691522 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11847 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:27.842452 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11848 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:28.122497 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11849 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:28.282152 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11850 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:28.987427 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=11851 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:29.114366 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=11852 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:30.778925 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=11854 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:32.445917 osdx file_operation.py[16141]: Operation aborted by user.
Jun 20 16:31:32.458839 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=11855 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:32.458890 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=11856 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:32.462797 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Jun 20 16:31:32.727148 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 20 16:31:32.911250 osdx file_operation[16163]: using src url: http://www.google.com dst url: running://index.html
Jun 20 16:31:32.985743 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=12835 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.022660 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12836 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.022752 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12838 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.022783 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12839 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.022795 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12840 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.022807 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12841 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.022865 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1230 TOS=0x00 PREC=0x00 TTL=110 ID=12842 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.022984 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12843 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.023105 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12844 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.023241 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12845 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.025221 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12837 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.099304 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12846 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.272554 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=12847 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.338585 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12848 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.810558 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12849 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:33.879030 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=12850 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:34.171397 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=48 ID=11857 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:34.234585 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=11858 DF PROTO=TCP SPT=443 DPT=48152 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:34.761786 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12851 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:35.063750 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=12852 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:36.681705 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=1380 TOS=0x00 PREC=0x00 TTL=110 ID=12853 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:37.591890 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=12854 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]
Jun 20 16:31:37.857048 osdx file_operation.py[16163]: Operation aborted by user.
Jun 20 16:31:37.874009 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy http://www.google.com running://index.html force'.
Jun 20 16:31:37.906838 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=142.251.39.100 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=12855 PROTO=TCP SPT=80 DPT=40398 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.google.com]

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.195 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.195/0.195/0.195/0.000 ms

Step 3: Ping IP address www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=49 time=4.10 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.101/4.101/4.101/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  13.3M      0 --:--:-- --:--:-- --:--:-- 16.2M

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Jun 20 16:31:43.374728 osdx systemd-journald[1666]: Runtime Journal (/run/log/journal/f087f5bdba7243899503b0c034eab41a) is 2.1M, max 15.3M, 13.2M free.
Jun 20 16:31:43.376310 osdx systemd-journald[1666]: Received client request to rotate journal, rotating.
Jun 20 16:31:43.376368 osdx systemd-journald[1666]: Vacuuming done, freed 0B of archived journals from /run/log/journal/f087f5bdba7243899503b0c034eab41a.
Jun 20 16:31:43.387184 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 16:31:43.662394 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 16:31:43.935298 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:44.004590 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 16:31:44.135863 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Jun 20 16:31:44.206171 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 16:31:44.313391 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show working'.
Jun 20 16:31:44.376194 osdx ubnt-cfgd[16424]: inactive
Jun 20 16:31:44.396165 osdx INFO[16432]: FRR daemons did not change
Jun 20 16:31:44.416302 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 16:31:44.514935 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:44.528254 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:44.545545 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:44.685492 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 16:31:44.773409 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Jun 20 16:31:44.933674 osdx file_operation[16622]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Jun 20 16:31:44.957713 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Jun 20 16:31:45.142429 osdx OSDxCLI[2562]: User 'admin' entered the configuration menu.
Jun 20 16:31:45.219802 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Jun 20 16:31:45.312039 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Jun 20 16:31:45.382614 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Jun 20 16:31:45.525036 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 20 16:31:45.621146 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Jun 20 16:31:45.726956 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Jun 20 16:31:45.787122 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Jun 20 16:31:45.903981 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Jun 20 16:31:45.957065 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Jun 20 16:31:46.061879 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Jun 20 16:31:46.191415 osdx OSDxCLI[2562]: User 'admin' added a new cfg line: 'show changes'.
Jun 20 16:31:46.285789 osdx ubnt-cfgd[16649]: inactive
Jun 20 16:31:46.319764 osdx INFO[16669]: FRR daemons did not change
Jun 20 16:31:46.464299 osdx kernel: app-detect: module init
Jun 20 16:31:46.464351 osdx kernel: app-detect: registered: sysctl net.appdetect
Jun 20 16:31:46.464361 osdx kernel: app-detect: expression init
Jun 20 16:31:46.464369 osdx kernel: app-detect: appid cache initialized
Jun 20 16:31:46.464377 osdx kernel: app-detect: appid cache changes counter initialized
Jun 20 16:31:46.825298 osdx cfgd[1463]: [2562]Completed change to active configuration
Jun 20 16:31:46.827106 osdx OSDxCLI[2562]: User 'admin' committed the configuration.
Jun 20 16:31:46.846352 osdx OSDxCLI[2562]: User 'admin' left the configuration menu.
Jun 20 16:31:47.054247 osdx file_operation[16741]: using src url: https://www.marca.com dst url: running://index.html
Jun 20 16:31:47.076298 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=30189 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.084299 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=30190 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.084334 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=30191 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.084343 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=2072 TOS=0x00 PREC=0x00 TTL=50 ID=30192 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.111142 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=30194 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.270842 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30195 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.327403 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=30196 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.478809 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30197 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.759469 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=30198 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.902705 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30199 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:48.655377 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=30200 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:48.734796 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30201 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:50.383498 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=50 ID=30202 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:50.398613 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30203 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:52.023548 osdx file_operation.py[16741]: Operation aborted by user.
Jun 20 16:31:52.040295 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=30204 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:52.040338 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=30205 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:52.040858 osdx OSDxCLI[2562]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
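
The Step 6 check can be automated off-box. The following is an added example, not part of the OSDx documentation: it parses policy log lines using the field layout visible in the journal output above, applies the Step 6 expression, and also compares the detected host exactly, because the unescaped dots in that expression match any character. The function names are illustrative and the sample lines are copied from the Step 6 output.

```python
import re
from collections import Counter

# Expression quoted in Step 6. Its dots are unescaped, so they match any character.
STEP6_PATTERN = re.compile(
    r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]"
)

# Field layout assumed from the journal lines shown on this page:
# "[<policy>-<rule>] <ACTION> ... SRC= DST= ... PROTO= SPT= DPT= ... APPDETECT[...]"
POLICY_LINE = re.compile(
    r"kernel: \[(?P<policy>[\w-]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r".*?APPDETECT\[(?P<appdetect>[^\]]*)\]"
)

# Four lines copied from the Step 6 output above.
SAMPLE_JOURNAL = """\
Jun 20 16:31:47.054247 osdx file_operation[16741]: using src url: https://www.marca.com dst url: running://index.html
Jun 20 16:31:47.076298 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=30189 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:47.111142 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=756 TOS=0x00 PREC=0x00 TTL=50 ID=30194 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Jun 20 16:31:52.040338 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:48:aa:67:0b:37:08:00 SRC=199.232.197.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=30205 DF PROTO=TCP SPT=443 DPT=46178 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
"""


def parse_policy_line(line):
    """Return the policy-log fields of one journal line, or None for other lines."""
    m = POLICY_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "spt", "dpt"):
        rec[key] = int(rec[key])
    # APPDETECT holds space-separated "key:value" tokens, e.g. "L4:443".
    rec["appdetect"] = dict(tok.partition(":")[::2] for tok in m["appdetect"].split())
    return rec


def summarize(lines):
    """Count logged packets per (action, detector, host)."""
    counts = Counter()
    for line in lines:
        rec = parse_policy_line(line)
        if rec is None:
            continue
        for key, value in rec["appdetect"].items():
            if key.endswith("-host"):
                counts[(rec["action"], key, value)] += 1
    return counts


def step6_passes(lines):
    """Apply the Step 6 expression exactly as the page states it."""
    return any(STEP6_PATTERN.search(line) for line in lines)


def host_was_dropped(lines, host, action="DROP"):
    """Stricter check: the detected host must equal `host` exactly."""
    for line in lines:
        rec = parse_policy_line(line)
        if rec and rec["action"] == action and host in (
            rec["appdetect"].get("ssl-host"), rec["appdetect"].get("http-host")
        ):
            return True
    return False


if __name__ == "__main__":
    journal = SAMPLE_JOURNAL.splitlines()
    print(step6_passes(journal), dict(summarize(journal)))
```
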