Thunder CFW consolidates Gi LAN services by combining L4–L7 functions, including CGNAT, stateful firewall, and application visibility, on a single platform, which reduces the number of devices and hops on the Gi LAN.
In this article, we look at how to configure Thunder CFW for application-level visibility.
First, confirm that the add-on license for application visibility (shown as QOSMOS, the DPI signature engine) is present on the Thunder device:
CFW-GIFW#sh license-info
------------------------------------------------------------------------------------
Enabled Licenses          Expiry Date (UTC)          Notes
------------------------------------------------------------------------------------
QOSMOS                    27-November-2021
Next, configure the Thunder device to download application protocol signatures (the automatic-update commands in the configuration below) and enable application-level visibility for the traffic you want classified by adding the command "track-application" under the relevant rules of a firewall rule-set. A complete working configuration follows:
visibility
  monitor traffic service
  mon-topk sources
!
ip dns primary 8.8.4.4
!
ip dns secondary 9.9.9.9
!
partition P1 id 1 application-type cgnv6
!
hostname CFW-GIFW
!
timezone America/Los_Angeles
!
ntp server pool.ntp.org
!
glm use-mgmt-port
glm enable-requests
!
interface management
  ip address <thunder-mgmt-ip>
  ip default-gateway <default gateway>
  enable
!
zone Private
  interface ethernet 1
!
zone Public
  interface ethernet 2
!
automatic-update use-mgmt-port
!
automatic-update app-fw schedule daily 8:0
!
acos-events logdb enable-cgn
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
rule-set FWPOLICY1
  rule deny-tcp
    action deny log
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service tcp
    application any
  rule deny-icmp
    action deny log
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service icmp
    application any
  rule deny-udp
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service udp
    application any
  rule reset-hosts
    action reset log
    source ipv4-address any
    source zone any
    dest ipv4-address 12.1.1.0/24
    dest zone any
    service any
    application any
  rule 100.64.10.0
    action permit forward log
    source ipv4-address 100.64.10.0/24
    source zone any
    dest ipv4-address any
    dest zone any
    service any
    application any
    track-application
  rule 100.64.12.0
    action permit forward log
    source ipv4-address 100.64.12.0/24
    source zone any
    dest ipv4-address any
    dest zone any
    service any
    application any
    track-application
  rule cgn
    action permit cgnv6 log
    source ipv4-address any
    source zone Private
    dest ipv4-address any
    dest zone Public
    service any
    application any
    track-application
!
fw local-logging
!
fw server FW-LOG 100.64.14.253
  port 514 udp
!
fw service-group SG-FW-LOG udp
  member FW-LOG 514
!
fw template logging FW-LOG-TEMPLATE
  service-group SG-FW-LOG
!
fw logging FW-LOG-TEMPLATE
!
fw active-rule-set FWPOLICY1
Note that "track-application" is configured only under the permit rules, not under the deny or reset rules. The CLI rejects it on a rule whose action is not permit unless that rule also carries an explicit application criterion (the deny rules above match "application any"), so attempting it on a deny rule produces the following error:
CFW-GIFW(config-rule set:FWPOLICY1-rule:deny-...)#track-application
ERROR: track-application can't be set if no application criteria and action is not PERMIT
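The constraint behind that error is simple enough to check offline before a rule-set is pushed to the device. The script below is an added example, not A10 code: it parses an ACOS-style rule-set by keyword (so indentation does not matter), flags any rule that combines track-application with "application any" and a non-permit action, and, as an additional local policy of this example rather than a device rule, warns about rules with no explicit action line or deny/reset rules that do not log. The sample rule-set is constructed from the configuration in this article plus one deliberately invalid rule (deny-tracked).

```python
"""Pre-deployment lint for an ACOS-style firewall rule-set (added example).

Encodes the constraint the Thunder CLI enforces on track-application
("can't be set if no application criteria and action is not PERMIT"),
plus two local policy checks of this example: every rule should carry an
explicit action line, and deny/reset rules should log.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (rule name, severity, message)


@dataclass
class Rule:
    name: str
    action: Optional[str] = None                 # permit / deny / reset, None if absent
    action_opts: List[str] = field(default_factory=list)  # e.g. ['cgnv6', 'log']
    application: str = "any"                     # 'any' unless an application criterion is set
    track_application: bool = False
    criteria: Dict[str, str] = field(default_factory=dict)  # source/dest/service lines


def parse_rule_set(text: str) -> Dict[str, Rule]:
    """Keyword-based parser: works on both indented show-run output and flattened text."""
    rules: Dict[str, Rule] = {}
    current: Optional[Rule] = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] in ("!", "rule-set"):
            continue
        if words[0] == "rule" and len(words) == 2:
            current = Rule(name=words[1])
            rules[current.name] = current
            continue
        if current is None:
            continue
        if words[0] == "action" and len(words) >= 2:
            current.action = words[1]
            current.action_opts = words[2:]
        elif words[0] == "application":
            current.application = " ".join(words[1:])
        elif words[0] == "track-application":
            current.track_application = True
        elif len(words) >= 2:
            # e.g. 'source ipv4-address any' -> criteria['source ipv4-address'] = 'any'
            current.criteria[" ".join(words[:-1])] = words[-1]
    return rules


def lint_rules(rules: Dict[str, Rule]) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules.values():
        # The device-enforced constraint from the CLI error message.
        if r.track_application and r.application == "any" and r.action != "permit":
            findings.append((r.name, "error",
                             "track-application requires action permit or an explicit application criterion"))
        # Local policy checks of this example (not device rules).
        if r.action is None:
            findings.append((r.name, "warning", "no explicit action line"))
        elif r.action in ("deny", "reset") and "log" not in r.action_opts:
            findings.append((r.name, "warning", f"{r.action} rule without log"))
    return findings


def lint_text(text: str) -> List[Finding]:
    return lint_rules(parse_rule_set(text))


# Constructed sample: three rules from the article plus one invalid rule (deny-tracked).
SAMPLE_RULE_SET = """\
rule-set FWPOLICY1
  rule deny-tcp
    action deny log
    source ipv4-address any
    dest ipv4-address 11.1.1.0/24
    service tcp
    application any
  rule deny-udp
    source ipv4-address any
    dest ipv4-address 11.1.1.0/24
    service udp
    application any
  rule deny-tracked
    action deny log
    source ipv4-address any
    dest ipv4-address any
    service any
    application any
    track-application
  rule cgn
    action permit cgnv6 log
    source ipv4-address any
    source zone Private
    dest ipv4-address any
    dest zone Public
    service any
    application any
    track-application
"""

if __name__ == "__main__":
    for name, severity, message in lint_text(SAMPLE_RULE_SET):
        print(f"{severity.upper():7} rule {name}: {message}")
```

Running it reports an error for deny-tracked (the same combination the CLI rejects) and a warning for deny-udp, which has no action line in the configuration above; the cgn and deny-tcp rules pass.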
To view application analytics in the Thunder CFW GUI, navigate to Security > Firewall > Dashboard.
Note: local logging for the firewall is disabled by default, and the dashboard depends on it. Enable it with the following command, already present in the configuration above:
fw local-logging
Without it, application analytics will not appear in the Thunder CFW web GUI.