How To Guides > Application List > Configure Application Objects

Add a new Application

Application objects are used to classify traffic on the network and are made up of layer 7 signatures, TCP/UDP port numbers and port ranges, protocols, network objects, or DSCP marks. Application classification can be used to monitor traffic or to create application-specific policy. There are many predefined applications on the appliance. You can add applications that are not already in the list.

Applications can be created from L7 signatures, or TCP/UDP port numbers or ranges, or protocols, or DSCP marks, or network objects, or various combinations of these. The following are valid combinations:

Applications based on only L7 signatures. For example, you can create an application for a particular website by selecting http, host, and entering the domain of the website.
Applications based on only port numbers.For example, HTTPS is defined as tcp port 443.
Applications based on L7 signatures can be augmented by matching port numbers or ranges as well. For example, HTTP is defined as matching the L7 signature 'http' or TCP port 80. Note that the L7 signature and port are OR'ed.
Applications based on protocol. For example, the predefined VRRP application is based on the vrrp protocol.
Applications based on L7 signatures can be augmented by matching a protocol as well. For example, the ICMP app is defined as matching the L7 signature icmp or the protocol icmp. Note that the L7 signature and protocol are OR'ed.
Applications based on DSCP marks. For example, on your Riverbed appliance mark your CIFS traffic with a particular DSCP mark, then define an application using that DSCP mark to identify CIFS within a Riverbed-accelerated stream.
Applications based on only network object. For example, you could define an application based on a particular application server, particular site, or particular user or user group (specified by network object).
DSCP marks can be used in combination with network object, port, or protocol to refine the traffic for a given application. Note that DSCP mark + network object, or DSCP mark + port, or DSCP mark + protocol are AND'ed.
Network objects can be used in combination with DSCP marks, port, or protocol to refine the traffic for a given application. Note that network object + DSCP mark, or network object + port, or network object + protocol are AND'ed.
Application based on DSCP mark + network object + port. Not that DSCP mark + network object + port are all AND'ed.

Network objects cannot be used in conjunction with a layer 7 signature.

	Note: When creating applications based on ports, any given port number can only be defined once for TCP and once for UDP. The same port number can be defined for TCP and UDP. For example, if you define an application object with a port range TCP 500-510, you cannot then define another application object on TCP port 505. However, you can define another application object with UDP port 505. You can define duplicate ports/port ranges if a network object is also specified.

Note: When creating applications based on ports, any given port number can only be defined once for TCP and once for UDP. The same port number can be defined for TCP and UDP. For example, if you define an application object with a port range TCP 500-510, you cannot then define another application object on TCP port 505. However, you can define another application object with UDP port 505.

You can define duplicate ports/port ranges if a network object is also specified.

Many of the L7 signatures have sub-type classifications, which makes layer 7 visibility much more granular. For instance, for reporting on specific web applications, most vendors can only report on port 80 traffic. Exinda allows a deeper look into Layer 7 applications. For example, by comparison:

Layer 4 reporting tools report on web applications as: port 80 or HTTP
Layer 7 reporting tools report on web applications as: Yahoo or Skype
Exindas Layer 7 with sub-type classification report on web applications as: Yahoo video, Yahoo voice, or Yahoo webchat.

This allows you to monitor on a much more granular level.

To add a new application

In the Add New Application area, enter a name for the new application.
Define an application to be based on one of the following:
- L7 signature
- L7 signature + ports or protocols (OR'ed together)
- Network object
- DSCP mark
- Port or protocols
- Network object + ports or protocols (AND'ed together)
- Network object + DSCP mark (AND'ed together)
- DSCP mark + ports or protocols (AND'ed together)
- Network object + DSCP mark + ports or protocols (AND'ed together)
Note that network objects cannot be used in conjunction with a layer 7 signature.
Select the Network Object for the application.

If the network object is internal, then traffic inbound to the LAN with the network object as a destination will be matched to this application, and traffic outbound from the LAN with the network object as the source will be matched to this application.

If the network object is external, then traffic inbound to the LAN with the network object as a source will be matched to this application, and traffic outbound from the LAN with the network object as the destination will be matched to this application.
Select the DSCP mark for the application.

Multiple DSCP marks or DSCP mark ranges can be used by specifying a range using a dash (e.g. 1-20) and by using commas (e.g. 1-20,44,63)
Select the L7 Signature for the application.

Some layer 7 signatures have additional options that allow you to define application objects based on specific parts of that L7 signature. If a layer 7 signature is selected, specify the parameters for the signature.

For example, to create an application object that matches traffic to and from the Exinda.com website, in the L7 Signature field, select http --->, host, and type exinda.com.
In the Ports/Protocols controls, specify either TCP ports/port ranges, UDP ports/port ranges, or a layer 3 protocol.

Multiple ports and port ranges can be specified at the same time by comma separating values.
Click the Add New Application button.

What L7 signature options are there?

Some Layer 7 signatures have additional options that allow you to define application objects based on specific parts of that L7 Signature. When configuring new application object, the L7 signatures followed by '--->' in the drop-list have additional options. Most provide options that you simply select from. Some require a selection plus additional information. The following table explains the various options that require more than simply picking an option.

Layer 7 Signature SubType Description

citrix

application

Allows you to define an Application Object based on a published Citrix application name.

priority

Allows you to define an Application Object based on a published Citrix priority. Citrix priorities are 0=High, 1=Medium, 2=Low, 3=Background.

The Citrix priority detection will only work if Citrix is running without session-reliability, over TCP port 1494.

user

Allows you to define an Application Object based on the user running the Citrix published application.

ddl (direct download link) host Allows you to define an Application Object based on the 'host' field in the HTTP header.

flash

host

Allows you to define an Application Object based on the 'host' field in the HTTP header (where flash is running over http).

http

content_type

Allows you to define an Application Object based on the 'content-type' field in the HTTP header.

file

Allows you to define an Application Object based on the filename requested in the HTTP URL.

host

Allows you to define an Application Object based on the 'host' field in the HTTP header.

method

Allows you to define an Application Object based on the HTTP method (e.g. GET PUT HEAD DELETE).

user_agent

Allows you to define an Application Object based on the 'user-agent' field in the HTTP header.

advanced

Define custom criteria with the following syntax:

A string literal is enclosed in quotes (").
Internal quotes can be escaped with the backslash (\") character.
A backslash can be included in the string by escaping it with another backslash (\\).
Keywords are bare (common_name) with no quotes.
Keywords are bare (host) with no quotes.
Grouping is supporting using parenthesis
Operators supported are or and and

and has higher precedence than or

The comparison operators that are available are:

Description	Syntax	Example
equals	<keyword> = <value>	host = "example.com"
does not equal	<keyword> != <value>	host != "example.com"
contains substring	<keyword> =% <value>	host =% "example.com"
does not contain substring	<keyword> !% <value>	host !% "example.com"
Right side is a regular expression and it matches the full left side	<keyword> =~ <value>	host =~ "example.*"
Right side is a regular expression and it does not match the full left side	<keyword> !~ <value>	host !~ "example.*"

Regular expressions use the perl syntax
The keywords for HTTP are: host, file, user_agent, content_type, method, content_len and encoding

Examples:

(url =% "index" or file =% "login") and host =% "example.org" and content_type.case = "MyContentType"
(host =% "facebook.com" and file !% "cgi-bin/abcd") or host =% "facebook2.com"

mpeg host Allows you to define an Application Object based on the 'host' field in the HTTP header (where mpeg is running over http).

quicktime host Allows you to define an Application Object based on the 'host' field in the HTTP header (where quicktime is running over http).

silverlight host Allows you to define an Application Object based on the 'host' field in the HTTP header (where silverlight is running over http).

ssl

common_name

Allows you to define an Application Object based on the 'common name' field in the SSL certificate.

advanced

Define custom criteria with the following syntax:

A string literal is enclosed in quotes (").
Internal quotes can be escaped with the backslash (\") character.
A backslash can be included in the string by escaping it with another backslash (\\).
Keywords are bare (common_name) with no quotes.
Grouping is supporting using parenthesis
Operators supported are or and and

and has higher precedence than or
The keywords for SSL are common_name (cn) and organization_name (o)

The comparison operators that are available are:

Description	Syntax	Example
equals	<keyword> = <value>	common_name = "John"
does not equal	<keyword> != <value>	common_name != "John"
contains substring	<keyword> =% <value>	common_name =% "John"
does not contain substring	<keyword> !% <value>	common_name !% "John"
Right side is a regular expression and it matches the full left side	<keyword> =~ <value>	common_name =~ "John*"
Right side is a regular expression and it does not match the full left side	<keyword> !~ <value>	common_name !~ "John*"

Regular expressions use the perl syntax

organization_name Allows you to define an Application Object based on the 'organization' name field in the SSL certificate.

spdy This field should remain empty as any values typed here are ignored.

rtp

codec

Allows you to define an Application Object based on the 'codec' used in a RTP stream.

windowsmedia

host

Allows you to define an Application Object based on the 'host' field in the HTTP header (where windowsmedia is running over http).