Creating Applications

Adding an Application

In the Application Group window, click the content of the Applications column for the selected Application Group. You can add an application in four different ways:

searching for a recognized application in the default application dictionary
adding a customized DPI (Deep Packet Inspection) application
adding a SaaS application from the SaaS dictionary
adding a customized SaaS application

A default Application Dictionary is available for each configuration. You can also access this Dictionary through Settings -> Application Dictionary where you can also add, modify or delete recognized applications.

The system recognizes about 200 protocols (HTTP, ICMP, FTP, RTP/RTCP, H.225, SAP, Citrix, Skype, VMware, SaaS...); refer to "Application Recognition".

Note: Applications that are not recognized by appliances and not explicitly named and enabled in the Application Dictionary are implicitly grouped on the lower layer protocol (e.g. TCP or UDP).

New applications can be created, described by a protocol plus an attribute, possibly on certain subnets or hosts specifically.

Adding a customized DPI Application

1 To add a Deep Packet Inspection application, click Add DPI Application and define the following parameters:
Application Name
Description
Protocol: select a protocol from the drop-down list
Application Category: this parameter is auto-populated based on the Protocol selection.
Application Group: link DPI to a specific application group profile
Attribute: depends on the protocol; this field is enabled or not and provides access to a list or free fields
for TCP or UDP - Port(s): port numbers as they appear in the Server port field of TCP/UDP headers (either source or destination). This field can contain several ports separated by a ";", or a range of ports written with a "-".
for HTTP - URL (www.extremenetworks.com for example)

Do not start the URL by http://.

You can put a URL like *.extremenetworks.* (see below).

Syntax:

?   a unique character
*   any character string (including empty)
%   shortest word (non empty, separated by spaces)
$   longest word (non empty, separated by spaces)
;   separator in a list

Examples:

www.google.fr         any URL of the site
www.google.*          all google incarnations (.fr, .com, .de, ...)
www.google.*/*.gif    all .gif documents in any page of any google site
*/*.gif               all .gif documents in any page of any server

Specific cases:

host/*       "any" URI
host/        empty URI
*/full/uri   "any" HOST
/full/uri    empty HOST

for HTTPS - Common Name (usually the FQDN (Fully Qualified Domain Name) of the web site; it is displayed in the Certificate)
for Citrix - Application(s): name of published applications (Word, Excel for example) when the applications are not multiplexed in the same TCP session
for RTP/RTCP - Predefined codecs: name of an audio or video codec, to be selected from a drop-down list

Codec: name of an audio or video codec, to be written with the following syntax: audio/<audio codec name> or video/<video codec name> (for instance, to create the speex codec, enter audio/speex).

To be able to recognize dynamic codecs (as per RTP), SIP application recognition must be enabled so that SIP signalling is decoded.

for SaaS, select a SaaS application from the SaaS dictionary
for other protocols, no further information is required.
Subnet Filter: this optional parameter can be used to identify an application by the IP address of a server or client, or a list of servers or clients (up to 30). It is possible to choose the server or client from a drop-down list of User subnets, or directly:
Prefix/Length: set the subnet with the notation X.X.X.X/Y, where X.X.X.X is the IP address and Y the prefix length, an integer between 0 and 32; a list of IP addresses can be configured (";" separator).
Client/Server: specify if the application must be recognized on the server side or on the client side (it is recognized on the Server side by default).
2 Click Done.

Order of recognition

When describing different applications using the same protocol (e.g. for HTTP: Intranet (= intranet.company.com), Internet corporate (= *.company.com) and Internet (= the rest of HTTP)), place the more specific applications first (Intranet, then Internet corporate in the example) and the generic one (Internet) last, so that the specific ones are recognized as such rather than being absorbed by the generic definition.
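An added example (not part of the product documentation) that implements the URL wildcard syntax described above and applies an ordered rule list in the way this paragraph recommends. It assumes that a pattern without "/" is compared with the HOST only (so "www.google.fr" matches any URL of the site), that a pattern with "/" is compared with the full host/URI string, and that "%" and "$" are the shortest and longest non-empty run of non-space characters respectively; these readings, the rule names and the sample URLs are constructed for the example.

```python
import re

# Assumed mapping of the DPI URL wildcard syntax onto regular expressions.
# '%' is read as the shortest non-empty run of non-space characters (lazy)
# and '$' as the longest such run (greedy); ';' separates alternatives.
_WILDCARDS = {"?": ".", "*": ".*", "%": r"[^ ]+?", "$": r"[^ ]+"}


def _wildcard_to_regex(pattern: str) -> str:
    return "".join(_WILDCARDS.get(ch, re.escape(ch)) for ch in pattern)


def url_matches(pattern_list: str, url: str) -> bool:
    """True if `url` (host plus URI, no scheme) matches any pattern of the
    ';'-separated list. Assumption taken from the 'specific cases' table:
    a pattern without '/' is compared with the HOST only, so it matches
    any URI of that site; a pattern containing '/' is compared with the
    full host/URI string."""
    host, _, _uri = url.partition("/")
    for pattern in pattern_list.split(";"):
        pattern = pattern.strip()
        if not pattern:
            continue
        subject = url if "/" in pattern else host
        if re.fullmatch(_wildcard_to_regex(pattern), subject):
            return True
    return False


def classify(rules, url):
    """Return the name of the first rule matching `url`, or None.
    `rules` is an ordered list of (application name, pattern list); the
    list order is the order of recognition, most specific first."""
    for name, pattern_list in rules:
        if url_matches(pattern_list, url):
            return name
    return None


# Constructed rule set mirroring the Intranet / Internet corporate / Internet
# example: most specific first, the catch-all last.
HTTP_RULES = [
    ("Intranet", "intranet.company.com"),
    ("Internet corporate", "*.company.com"),
    ("Internet", "*"),
]

if __name__ == "__main__":
    for url in ("intranet.company.com/home", "www.company.com/", "www.google.fr/"):
        print(url, "->", classify(HTTP_RULES, url))
    # With the generic rule placed first, every flow collapses into "Internet".
    print(classify(list(reversed(HTTP_RULES)), "intranet.company.com/home"))
```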

Adding a SaaS Application

1 Click Add SaaS Application, check From Catalog and select the application(s) from the dictionary list.
2 Click Done.

Adding a Customized SaaS Application

In addition to the SaaS dictionary, you may use a customized dictionary by creating your own SaaS applications. This additional dictionary is defined per Customer.

1 Click Add SaaS Application and check Custom Application.
2 Enter the Name of the SaaS application. In the case of a duplicate name, the system informs you that this name already exists in the SaaS dictionary.
3 You may enter a detailed description of the application.

You must declare the new SaaS application through either a FQDN or a subnet, or both of them.

4 In the FQDN/Server Subnets field, enter one or several FQDN(s) and/or Server Subnet(s) separated by commas. A Fully Qualified Domain Name can be in the following format:
https://www.extremenetworks.com/products/ => FQDN is www.extremenetworks.com
https://www.google.com/analytics/ => FQDN is www.google-analytics.com

With HTTP, the FQDN is extracted from the URL. With HTTPS, the Common Name is used.

5 You can also create a Client subnet for the new SaaS application (as for other applications) by clicking Add Subnet.

A custom SaaS application based on IP addresses only works for server ports 443;80;3128;8080.

6 Click Done to validate.

Note: you can also add applications from the Settings -> Application Dictionary window.

Application Recognition

The ExtremeCloud SD-WAN System recognizes application flows using the opening negotiations of the client/server session (SYN, SYN-ACK, ACK, i.e. layer 3 and 4 information), then checks the syntax of the application (layer 7 information) with a syntax engine that identifies it uniquely, regardless of the ports being used; this also allows particular applications to be classified (such as codecs, published application names, peer-to-peer applications, URLs or URIs, etc.).

The SD-WAN Appliance engine uses DPI (deep packet inspection) to detect application signatures, i.e. data patterns that uniquely identify a particular application. (Mechanisms such as this are also commonly used for virus recognition.) Only the start of the conversation is inspected to detect these patterns and classify the applications.

It is also possible to declare applications on the ports being used (you have defined an application as traffic on a specific port/server); in this case, the port number prevails to recognize the application.

When an SD-WAN Appliance has not observed the start of the conversation, or if the application cannot be recognized from its syntax or a declared port number, it falls back to RFC 1700 ("well known ports" definition).

The order of recognition of applications is as follows:

1 Declared Port (you have defined an application as traffic on a specific port/server)
2 Syntax engine (the SD-WAN System uses its inbuilt application detection capabilities)
3 Well known port (RFC 1700)

Applications that are not recognized or enabled in the dictionary are implicitly grouped on their lower layer protocol (e.g. TCP or UDP).