App Id

The following scenarios show how to filter packets based on app-id using traffic selectors.

Match Traffic by an engine dictionary

Description

This example illustrates how to match all traffic that belongs to an engine dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 app-id engine 128

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.225 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.225/0.225/0.225/0.000 ms

Step 3: Ping hostname www.google.com from DUT0:

admin@DUT0$ ping www.google.com count 1 size 56 timeout 1
PING www.google.com (142.250.179.132) 56(84) bytes of data.
64 bytes from ams17s10-in-f4.1e100.net (142.250.179.132): icmp_seq=1 ttl=107 time=31.6 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.592/31.592/31.592/0.000 ms

Step 4: Run command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  2528k      0 --:--:-- --:--:-- --:--:-- 2560k

Step 5: Modify the following configuration lines in DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host

Step 6: Run command file copy https://www.google.com running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 17934    0 17934    0     0  91051      0 --:--:-- --:--:-- --:--:-- 91035

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]
Sep 05 12:16:26.303510 osdx systemd-journald[1764]: Runtime Journal (/run/log/journal/8e652e5518b84f0bb5a60f6ad502329f) is 1.8M, max 13.8M, 11.9M free.
Sep 05 12:16:26.306884 osdx systemd-journald[1764]: Received client request to rotate journal, rotating.
Sep 05 12:16:26.306936 osdx systemd-journald[1764]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8e652e5518b84f0bb5a60f6ad502329f.
Sep 05 12:16:26.314469 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system journal clear'.
Sep 05 12:16:26.520836 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system coredump delete all'.
Sep 05 12:16:26.755429 osdx OSDxCLI[308268]: User 'admin' entered the configuration menu.
Sep 05 12:16:26.815289 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Sep 05 12:16:26.913702 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Sep 05 12:16:26.966922 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Sep 05 12:16:27.066936 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id engine 128'.
Sep 05 12:16:27.121388 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Sep 05 12:16:27.221499 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Sep 05 12:16:27.279563 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Sep 05 12:16:27.391098 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Sep 05 12:16:27.472831 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'show working'.
Sep 05 12:16:27.568641 osdx ubnt-cfgd[385181]: inactive
Sep 05 12:16:27.606340 osdx INFO[385203]: FRR daemons did not change
Sep 05 12:16:27.626889 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Sep 05 12:16:27.899745 osdx cfgd[1461]: [308268]Completed change to active configuration
Sep 05 12:16:27.910761 osdx OSDxCLI[308268]: User 'admin' committed the configuration.
Sep 05 12:16:27.927705 osdx OSDxCLI[308268]: User 'admin' left the configuration menu.
Sep 05 12:16:28.067997 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Sep 05 12:16:28.178689 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping www.google.com count 1 size 56 timeout 1'.
Sep 05 12:16:28.304931 osdx file_operation[385413]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Sep 05 12:16:28.351736 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Sep 05 12:16:28.501615 osdx OSDxCLI[308268]: User 'admin' entered the configuration menu.
Sep 05 12:16:28.570942 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Sep 05 12:16:28.678805 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Sep 05 12:16:28.783510 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Sep 05 12:16:28.863056 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'show changes'.
Sep 05 12:16:28.963153 osdx ubnt-cfgd[385430]: inactive
Sep 05 12:16:29.029594 osdx INFO[385436]: FRR daemons did not change
Sep 05 12:16:29.182911 osdx kernel: app-detect: module init
Sep 05 12:16:29.183030 osdx kernel: app-detect: registered: sysctl net.appdetect
Sep 05 12:16:29.183065 osdx kernel: app-detect: expression init
Sep 05 12:16:29.183098 osdx kernel: app-detect: appid cache initialized
Sep 05 12:16:29.183139 osdx kernel: app-detect: appid cache changes counter initialized
Sep 05 12:16:29.391299 osdx cfgd[1461]: [308268]Completed change to active configuration
Sep 05 12:16:29.392966 osdx OSDxCLI[308268]: User 'admin' committed the configuration.
Sep 05 12:16:29.408668 osdx OSDxCLI[308268]: User 'admin' left the configuration menu.
Sep 05 12:16:29.614123 osdx file_operation[385489]: using src url: https://www.google.com dst url: running://index.html
Sep 05 12:16:29.700714 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60271 PROTO=TCP SPT=443 DPT=37988 WINDOW=1048 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.703434 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60272 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.703529 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=113 ID=60273 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.703559 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=113 ID=60274 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.762859 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=60275 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.762937 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=700 TOS=0x00 PREC=0x00 TTL=113 ID=60276 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.762956 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=83 TOS=0x00 PREC=0x00 TTL=112 ID=60277 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.802274 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=60278 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806882 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1040 TOS=0x00 PREC=0x00 TTL=112 ID=60279 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806914 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60280 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806923 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60281 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806931 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60282 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806939 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60283 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806953 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60284 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806961 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60285 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806969 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60286 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.806977 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60287 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.810879 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60288 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.810893 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60289 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.810904 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60290 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.810916 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60291 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.811559 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=1452 TOS=0x00 PREC=0x00 TTL=112 ID=60292 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.811570 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=182 TOS=0x00 PREC=0x00 TTL=112 ID=60293 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]
Sep 05 12:16:29.832463 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy https://www.google.com running://index.html force'.
Sep 05 12:16:29.850894 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=142.250.179.132 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=60294 PROTO=TCP SPT=443 DPT=37988 WINDOW=1050 RES=0x00 ACK FIN URGP=0 APPDETECT[U:6 ssl-host:www.google.com]

Step 8: Run command file copy http://10.215.168.1/~robot/ running://index.html force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4703    0  4703    0     0   687k      0 --:--:-- --:--:-- --:--:--  765k

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*ACCEPT.*APPDETECT\[U:30 http-host:10.215.168.1\]
Sep 05 12:16:29.952390 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system journal show | cat'.
Sep 05 12:16:30.153882 osdx file_operation[385511]: using src url: http://10.215.168.1/~robot/ dst url: running://index.html
Sep 05 12:16:30.162906 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37986 DF PROTO=TCP SPT=80 DPT=49744 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Sep 05 12:16:30.162941 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=37987 DF PROTO=TCP SPT=80 DPT=49744 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Sep 05 12:16:30.162951 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=37988 DF PROTO=TCP SPT=80 DPT=49744 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Sep 05 12:16:30.162959 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=37989 DF PROTO=TCP SPT=80 DPT=49744 WINDOW=508 RES=0x00 ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Sep 05 12:16:30.162968 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=579 TOS=0x00 PREC=0x00 TTL=64 ID=37990 DF PROTO=TCP SPT=80 DPT=49744 WINDOW=508 RES=0x00 ACK PSH URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Sep 05 12:16:30.166880 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=10.215.168.1 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37991 DF PROTO=TCP SPT=80 DPT=49744 WINDOW=508 RES=0x00 ACK FIN URGP=0 APPDETECT[U:30 http-host:10.215.168.1]
Sep 05 12:16:30.182707 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/ running://index.html force'.
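
The journal checks in Steps 7 and 9 can also be scripted. The following Python code is an added example, not part of the OSDx documentation: it parses the APPDETECT log lines shown above and compares host names literally, because the unescaped dots in the page's regular expressions match any character. The function names, the reading of [POL-1] as policy POL rule 1, and the shortened sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Shape of a kernel line written by a policy rule with "log app-id", taken from
# the journal output above. Assumption: "[POL-1]" means policy POL, rule 1.
LINE_RE = re.compile(
    r"osdx kernel: \[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<fields>.*?)\s*APPDETECT\[(?P<appdetect>[^\]]*)\]\s*$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

# The check from Step 7, copied as written on the page (dots are not escaped).
PAGE_REGEX = re.compile(r"osdx kernel:.*ACCEPT.*APPDETECT\[U:6 ssl-host:www.google.com\]")


def parse_line(line):
    """Return a dict for an app-id policy log line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m["fields"]))
    tokens = m["appdetect"].split()
    # The first token is the app-id as logged ("U:6", "L4:443"). It is kept as an
    # opaque string because the page does not define the prefix. The remaining
    # tokens are "<kind>:<value>" pairs such as "ssl-host:www.google.com".
    app = tokens[0] if tokens else ""
    hosts = dict(t.split(":", 1) for t in tokens[1:] if ":" in t)
    return {
        "policy": m["policy"], "rule": int(m["rule"]), "action": m["action"],
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"), "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"), "app": app, "hosts": hosts,
    }


def summarize(lines):
    """Count logged packets per (action, app, host kind, host)."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        pairs = list(rec["hosts"].items()) or [("", "")]
        for kind, host in pairs:
            counts[(rec["action"], rec["app"], kind, host)] += 1
    return counts


def journal_has(lines, action, app, kind, host):
    """Strict form of the page's check: every part is compared literally."""
    return any(
        rec is not None
        and rec["action"] == action
        and rec["app"] == app
        and rec["hosts"].get(kind) == host
        for rec in map(parse_line, lines)
    )


# Constructed sample input: lines shortened from the journal format above. The
# DROP line is built from the regular expression used in the next scenario.
SAMPLE = [
    "Sep 05 12:16:28.067997 osdx OSDxCLI[308268]: User 'admin' executed a new "
    "command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.",
    "Sep 05 12:16:29.700714 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= "
    "SRC=142.250.179.132 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=37988 "
    "ACK URGP=0 APPDETECT[U:6 ssl-host:www.google.com]",
    "Sep 05 12:16:29.703434 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= "
    "SRC=142.250.179.132 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=37988 "
    "ACK PSH URGP=0 APPDETECT[U:6 ssl-host:www.google.com]",
    "Sep 05 12:16:30.162906 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= "
    "SRC=10.215.168.1 DST=10.215.168.64 PROTO=TCP SPT=80 DPT=49744 "
    "ACK URGP=0 APPDETECT[U:30 http-host:10.215.168.1]",
    "Sep 05 12:16:38.000000 osdx kernel: [POL-1] DROP IN=eth0 OUT= "
    "SRC=199.232.193.50 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=40000 "
    "ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]",
]

# Constructed line with a different host name that the page's regex still
# accepts, because "." in a regular expression matches any character.
LOOKALIKE = (
    "Sep 05 12:16:40.000000 osdx kernel: [POL-1] ACCEPT IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=10.215.168.64 PROTO=TCP SPT=443 DPT=40001 "
    "ACK URGP=0 APPDETECT[U:6 ssl-host:wwwxgoogle.com]"
)

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(count, *key)
    print("page regex accepts lookalike:", bool(PAGE_REGEX.search(LOOKALIKE)))
    print("strict check accepts lookalike:",
          journal_has([LOOKALIKE], "ACCEPT", "U:6", "ssl-host", "www.google.com"))
```
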

Drop Traffic not in a custom dictionary

Description

This example illustrates how to drop all traffic that does not belong to a custom dictionary.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google
set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id custom -1

Step 2: Ping hostname www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.193.50) 56(84) bytes of data.
64 bytes from 199.232.193.50 (199.232.193.50): icmp_seq=1 ttl=51 time=32.6 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 32.574/32.574/32.574/0.000 ms

Step 3: Ping hostname www.facebook.es from DUT0:

admin@DUT0$ ping www.facebook.es count 1 size 56 timeout 1
PING star-mini.c10r.facebook.com (157.240.201.35) 56(84) bytes of data.
64 bytes from edge-star-mini-shv-01-ams4.facebook.com (157.240.201.35): icmp_seq=1 ttl=45 time=35.4 ms

--- star-mini.c10r.facebook.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 35.426/35.426/35.426/0.000 ms

Step 4: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]
Sep 05 12:16:35.286975 osdx systemd-journald[1764]: Runtime Journal (/run/log/journal/8e652e5518b84f0bb5a60f6ad502329f) is 1.8M, max 13.8M, 11.9M free.
Sep 05 12:16:35.288206 osdx systemd-journald[1764]: Received client request to rotate journal, rotating.
Sep 05 12:16:35.288255 osdx systemd-journald[1764]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8e652e5518b84f0bb5a60f6ad502329f.
Sep 05 12:16:35.296305 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system journal clear'.
Sep 05 12:16:35.503063 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system coredump delete all'.
Sep 05 12:16:35.727813 osdx OSDxCLI[308268]: User 'admin' entered the configuration menu.
Sep 05 12:16:35.790297 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Sep 05 12:16:35.889724 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Sep 05 12:16:35.947565 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Sep 05 12:16:36.050722 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Sep 05 12:16:36.118037 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Sep 05 12:16:36.228777 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Sep 05 12:16:36.290558 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Sep 05 12:16:36.396131 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Sep 05 12:16:36.457446 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Sep 05 12:16:36.547735 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Sep 05 12:16:36.607407 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Sep 05 12:16:36.705273 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Sep 05 12:16:36.780491 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Sep 05 12:16:36.880795 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'show working'.
Sep 05 12:16:36.977447 osdx ubnt-cfgd[385790]: inactive
Sep 05 12:16:37.012416 osdx INFO[385812]: FRR daemons did not change
Sep 05 12:16:37.164218 osdx kernel: app-detect: module init
Sep 05 12:16:37.164280 osdx kernel: app-detect: registered: sysctl net.appdetect
Sep 05 12:16:37.164290 osdx kernel: app-detect: expression init
Sep 05 12:16:37.164298 osdx kernel: app-detect: appid cache initialized
Sep 05 12:16:37.164314 osdx kernel: app-detect: appid cache changes counter initialized
Sep 05 12:16:37.204211 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Sep 05 12:16:37.509164 osdx cfgd[1461]: [308268]Completed change to active configuration
Sep 05 12:16:37.520567 osdx OSDxCLI[308268]: User 'admin' committed the configuration.
Sep 05 12:16:37.541178 osdx OSDxCLI[308268]: User 'admin' left the configuration menu.
Sep 05 12:16:37.848299 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Sep 05 12:16:38.105192 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping www.facebook.es count 1 size 56 timeout 1'.
Sep 05 12:16:38.244896 osdx file_operation[386053]: using src url: https://www.marca.com dst url: running://index.html
Sep 05 12:16:38.288221 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=28933 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.288276 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28934 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.288292 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28935 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.288301 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28936 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.292203 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=28937 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.356315 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=28938 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.487108 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28939 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.596375 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28940 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.706959 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28941 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:39.068370 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28942 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:39.143012 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28943 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:40.039099 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28944 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:40.060338 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28945 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:41.799013 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28946 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:41.982879 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=28947 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:43.264907 osdx file_operation.py[386053]: Operation aborted by user.
Sep 05 12:16:43.280211 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=28948 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:43.280253 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=28949 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:43.280722 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.

Step 5: Run the command system journal show | cat on DUT0 and check that the output matches the following regular expression:

osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.facebook.es\]

Output:
Sep 05 12:16:35.286975 osdx systemd-journald[1764]: Runtime Journal (/run/log/journal/8e652e5518b84f0bb5a60f6ad502329f) is 1.8M, max 13.8M, 11.9M free.
Sep 05 12:16:35.288206 osdx systemd-journald[1764]: Received client request to rotate journal, rotating.
Sep 05 12:16:35.288255 osdx systemd-journald[1764]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8e652e5518b84f0bb5a60f6ad502329f.
Sep 05 12:16:35.296305 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system journal clear'.
Sep 05 12:16:35.503063 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system coredump delete all'.
Sep 05 12:16:35.727813 osdx OSDxCLI[308268]: User 'admin' entered the configuration menu.
Sep 05 12:16:35.790297 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Sep 05 12:16:35.889724 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Sep 05 12:16:35.947565 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Sep 05 12:16:36.050722 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Sep 05 12:16:36.118037 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id custom -1'.
Sep 05 12:16:36.228777 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Sep 05 12:16:36.290558 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 33 fqdn google'.
Sep 05 12:16:36.396131 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 custom app-id 34 fqdn 10.215.168.1'.
Sep 05 12:16:36.457446 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Sep 05 12:16:36.547735 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Sep 05 12:16:36.607407 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Sep 05 12:16:36.705273 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Sep 05 12:16:36.780491 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Sep 05 12:16:36.880795 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'show working'.
Sep 05 12:16:36.977447 osdx ubnt-cfgd[385790]: inactive
Sep 05 12:16:37.012416 osdx INFO[385812]: FRR daemons did not change
Sep 05 12:16:37.164218 osdx kernel: app-detect: module init
Sep 05 12:16:37.164280 osdx kernel: app-detect: registered: sysctl net.appdetect
Sep 05 12:16:37.164290 osdx kernel: app-detect: expression init
Sep 05 12:16:37.164298 osdx kernel: app-detect: appid cache initialized
Sep 05 12:16:37.164314 osdx kernel: app-detect: appid cache changes counter initialized
Sep 05 12:16:37.204211 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Sep 05 12:16:37.509164 osdx cfgd[1461]: [308268]Completed change to active configuration
Sep 05 12:16:37.520567 osdx OSDxCLI[308268]: User 'admin' committed the configuration.
Sep 05 12:16:37.541178 osdx OSDxCLI[308268]: User 'admin' left the configuration menu.
Sep 05 12:16:37.848299 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Sep 05 12:16:38.105192 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping www.facebook.es count 1 size 56 timeout 1'.
Sep 05 12:16:38.244896 osdx file_operation[386053]: using src url: https://www.marca.com dst url: running://index.html
Sep 05 12:16:38.288221 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=28933 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.288276 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28934 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.288292 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28935 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.288301 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28936 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.292203 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=28937 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.356315 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=52 ID=28938 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.487108 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28939 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.596375 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28940 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.706959 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28941 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:39.068370 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28942 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:39.143012 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28943 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:40.039099 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28944 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:40.060338 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28945 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:41.799013 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=28946 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:41.982879 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=28947 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:43.264907 osdx file_operation.py[386053]: Operation aborted by user.
Sep 05 12:16:43.280211 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=28948 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:43.280253 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=28949 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:43.280722 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Sep 05 12:16:43.496918 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system journal show | cat'.
Sep 05 12:16:43.682725 osdx file_operation[386073]: using src url: http://www.facebook.es dst url: running://index.html
Sep 05 12:16:43.760227 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=36002 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:43.867843 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=36003 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:43.994231 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=36004 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:44.141076 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=36005 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:44.359539 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=36006 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:44.489874 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=36007 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:44.964842 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=36008 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:45.049391 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=36009 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:45.826132 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=36010 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:45.828025 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=36011 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:47.590351 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=36012 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:47.713730 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=36013 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:48.636492 osdx file_operation.py[386073]: Operation aborted by user.
Sep 05 12:16:48.654189 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy http://www.facebook.es running://index.html force'.
Sep 05 12:16:48.684226 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=36014 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
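
The regular expressions in Steps 4 and 5 leave the dots in the host names unescaped, so they also match host names that differ in those positions. The Python below is an added example, not part of the OSDx documentation or tooling: it parses the kernel DROP lines from the output above and compares the APPDETECT fields exactly. The function names, the reading of [POL-1] as policy POL rule 1, and the LOOKALIKE line are assumptions made for this example.

```python
import re
from collections import Counter

# Verification regexes exactly as the page gives them in Steps 4 and 5.
PAGE_CHECKS = {
    "ssl": r"osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]",
    "http": r"osdx kernel:.*DROP.*APPDETECT\[L4:80 http-host:www.facebook.es\]",
}

# Journal lines copied verbatim from the output above.
JOURNAL = """\
Sep 05 12:16:38.244896 osdx file_operation[386053]: using src url: https://www.marca.com dst url: running://index.html
Sep 05 12:16:38.288221 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=28933 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:38.288292 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=52 ID=28935 DF PROTO=TCP SPT=443 DPT=49254 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:43.760227 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=36002 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:43.867843 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=484 TOS=0x00 PREC=0x00 TTL=45 ID=36003 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
Sep 05 12:16:48.684226 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=157.240.201.35 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=36014 DF PROTO=TCP SPT=80 DPT=38300 WINDOW=261 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:80 http-host:www.facebook.es]
"""

# CONSTRUCTED line (not from the page): host differs from www.marca.com by one character.
LOOKALIKE = (
    "Sep 05 12:16:50.000000 osdx kernel: [POL-1] DROP IN=eth0 OUT= "
    "MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=192.0.2.10 DST=10.215.168.64 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=443 DPT=49254 "
    "WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:wwwxmarca.com]"
)

# Assumption: the "[POL-1]" prefix is "<policy name>-<rule number>".
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) (?P<node>\S+) kernel: "
    r"\[(?P<policy>[^\]]+)-(?P<rule>\d+)\] (?P<action>[A-Z]+) "
    r"(?P<body>.*) APPDETECT\[(?P<app>[^\]]*)\]$"
)


def parse_drop(line):
    """Parse one kernel policy log line; return None for any other journal line."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fields, flags = {}, []
    for tok in rec.pop("body").split():
        if "=" in tok:                      # KEY=VALUE pair (value may be empty, e.g. OUT=)
            key, value = tok.split("=", 1)
            fields[key] = value
        else:                               # bare flag such as DF, ACK, PSH, FIN
            flags.append(tok)
    # "L4:443 ssl-host:www.marca.com" -> {"L4": "443", "ssl-host": "www.marca.com"}
    app = dict(item.split(":", 1) for item in rec.pop("app").split() if ":" in item)
    rec.update(rule=int(rec["rule"]), fields=fields, flags=flags, app=app)
    return rec


def summarize(journal):
    """Count logged packets per (policy, rule, action, L4 port, detector, host)."""
    counts = Counter()
    for line in journal.splitlines():
        rec = parse_drop(line)
        if rec is None:
            continue
        for detector in ("ssl-host", "http-host"):
            if detector in rec["app"]:
                counts[(rec["policy"], rec["rule"], rec["action"],
                        rec["app"].get("L4"), detector, rec["app"][detector])] += 1
    return counts


def page_check(name, journal):
    """Apply one of the page's regexes the way the test step does."""
    return re.search(PAGE_CHECKS[name], journal) is not None


def exact_check(journal, l4, detector, host):
    """Same check on parsed fields: the host must be equal, not merely regex-compatible."""
    for line in journal.splitlines():
        rec = parse_drop(line)
        if (rec and rec["action"] == "DROP" and rec["app"].get("L4") == l4
                and rec["app"].get(detector) == host):
            return True
    return False


if __name__ == "__main__":
    for key, count in summarize(JOURNAL).items():
        print(count, key)
    print("page regex on look-alike:", page_check("ssl", LOOKALIKE))
    print("exact check on look-alike:",
          exact_check(LOOKALIKE, "443", "ssl-host", "www.marca.com"))
```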

Drop Traffic not in an engine dictionary

Description

This example illustrates how to drop all traffic that does not belong to an engine dictionary.

Scenario

Step 1: Set the following configuration on DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns resolver name-server 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.188 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.188/0.188/0.188/0.000 ms

Step 3: Ping www.marca.com from DUT0:

admin@DUT0$ ping www.marca.com count 1 size 56 timeout 1
PING unidadeditorial.map.fastly.net (199.232.197.50) 56(84) bytes of data.
64 bytes from 199.232.197.50 (199.232.197.50): icmp_seq=1 ttl=52 time=6.51 ms

--- unidadeditorial.map.fastly.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.512/6.512/6.512/0.000 ms

Step 4: Run the command file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force on DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68181  100 68181    0     0  12.2M      0 --:--:-- --:--:-- --:--:-- 13.0M

Step 5: Modify the following configuration lines on DUT0:

set system conntrack app-detect dictionary 1 filename 'running://test_dict.gz'
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system traffic policy in POL
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 log app-id
set traffic policy POL rule 1 selector SEL
set traffic selector SEL rule 1 app-id detected
set traffic selector SEL rule 1 not app-id engine 128

Step 6: Run the command system journal show | cat on DUT0 and check that the output matches the following regular expression:

osdx kernel:.*DROP.*APPDETECT\[L4:443 ssl-host:www.marca.com\]

Output:
Sep 05 12:16:53.317679 osdx systemd-journald[1764]: Runtime Journal (/run/log/journal/8e652e5518b84f0bb5a60f6ad502329f) is 1.8M, max 13.8M, 11.9M free.
Sep 05 12:16:53.319006 osdx systemd-journald[1764]: Received client request to rotate journal, rotating.
Sep 05 12:16:53.319051 osdx systemd-journald[1764]: Vacuuming done, freed 0B of archived journals from /run/log/journal/8e652e5518b84f0bb5a60f6ad502329f.
Sep 05 12:16:53.327214 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system journal clear'.
Sep 05 12:16:53.546438 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'system coredump delete all'.
Sep 05 12:16:53.800393 osdx OSDxCLI[308268]: User 'admin' entered the configuration menu.
Sep 05 12:16:53.877174 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Sep 05 12:16:53.978606 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set service dns resolver name-server 10.215.168.1'.
Sep 05 12:16:54.050075 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Sep 05 12:16:54.147893 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'show working'.
Sep 05 12:16:54.221616 osdx ubnt-cfgd[386334]: inactive
Sep 05 12:16:54.242669 osdx INFO[386342]: FRR daemons did not change
Sep 05 12:16:54.307047 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Sep 05 12:16:54.421524 osdx cfgd[1461]: [308268]Completed change to active configuration
Sep 05 12:16:54.432988 osdx OSDxCLI[308268]: User 'admin' committed the configuration.
Sep 05 12:16:54.450819 osdx OSDxCLI[308268]: User 'admin' left the configuration menu.
Sep 05 12:16:54.600052 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Sep 05 12:16:54.754035 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'ping www.marca.com count 1 size 56 timeout 1'.
Sep 05 12:16:54.895499 osdx file_operation[386532]: using src url: http://10.215.168.1/~robot/test_dict.gz dst url: running://test_dict.gz
Sep 05 12:16:54.920059 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test_dict.gz running://test_dict.gz force'.
Sep 05 12:16:55.081381 osdx OSDxCLI[308268]: User 'admin' entered the configuration menu.
Sep 05 12:16:55.140920 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system traffic policy in POL'.
Sep 05 12:16:55.238029 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 selector SEL'.
Sep 05 12:16:55.336233 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 log app-id'.
Sep 05 12:16:55.394150 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Sep 05 12:16:55.495089 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic policy POL rule 1 action drop'.
Sep 05 12:16:55.561838 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 not app-id engine 128'.
Sep 05 12:16:55.660658 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set traffic selector SEL rule 1 app-id detected'.
Sep 05 12:16:55.720684 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect dictionary 1 filename running://test_dict.gz'.
Sep 05 12:16:55.817106 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect http-host'.
Sep 05 12:16:55.874925 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'set system conntrack app-detect ssl-host'.
Sep 05 12:16:55.995844 osdx OSDxCLI[308268]: User 'admin' added a new cfg line: 'show changes'.
Sep 05 12:16:56.061364 osdx ubnt-cfgd[386559]: inactive
Sep 05 12:16:56.103847 osdx INFO[386579]: FRR daemons did not change
Sep 05 12:16:56.255012 osdx kernel: app-detect: module init
Sep 05 12:16:56.255080 osdx kernel: app-detect: registered: sysctl net.appdetect
Sep 05 12:16:56.255093 osdx kernel: app-detect: expression init
Sep 05 12:16:56.255105 osdx kernel: app-detect: appid cache initialized
Sep 05 12:16:56.255117 osdx kernel: app-detect: appid cache changes counter initialized
Sep 05 12:16:56.631779 osdx cfgd[1461]: [308268]Completed change to active configuration
Sep 05 12:16:56.633862 osdx OSDxCLI[308268]: User 'admin' committed the configuration.
Sep 05 12:16:56.653912 osdx OSDxCLI[308268]: User 'admin' left the configuration menu.
Sep 05 12:16:56.853210 osdx file_operation[386651]: using src url: https://www.marca.com dst url: running://index.html
Sep 05 12:16:56.879010 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=7126 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:56.883008 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=7127 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:56.883036 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=7128 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:56.883045 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=7129 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:56.883054 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=51 ID=7130 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:56.919016 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1105 TOS=0x00 PREC=0x00 TTL=51 ID=7131 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK PSH URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:57.069454 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=7132 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:57.138868 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=7133 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:57.277559 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=7134 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:57.598835 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=7135 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:57.718463 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=7136 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:58.484790 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=51 ID=7137 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:16:58.549445 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=7138 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:17:00.213428 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=7139 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:17:00.249611 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=1368 TOS=0x00 PREC=0x00 TTL=49 ID=7140 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:17:01.832956 osdx file_operation.py[386651]: Operation aborted by user.
Sep 05 12:17:01.850516 osdx OSDxCLI[308268]: User 'admin' executed a new command: 'file copy https://www.marca.com running://index.html force'.
Sep 05 12:17:01.867021 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=7141 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]
Sep 05 12:17:01.867108 osdx kernel: [POL-1] DROP IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:fe:6d:35:23:ed:94:08:00 SRC=199.232.193.50 DST=10.215.168.64 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=7142 DF PROTO=TCP SPT=443 DPT=47554 WINDOW=260 RES=0x00 ACK FIN URGP=0 APPDETECT[L4:443 ssl-host:www.marca.com]