flow session RDP dynamic application
show security flow session dynamic-application junos:RDP

10.0.0.5 is the JumpStation (attached to ge-0/0/6.0), 10.0.1.99 the PC (attached to ge-0/0/6.0)

    jcluser@JCL-NGFW-99> show security flow session dynamic-application junos:RDP
    Session ID: 91269, Policy name: Permit-Trust2Trust/4, Timeout: 1798, Valid
      In: 10.0.0.5/60370 --> 10.0.1.99/3389;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 1513, Bytes: 91312,
      Out: 10.0.1.99/3389 --> 10.0.0.5/60370;tcp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 1368, Bytes: 119825,

    Session ID: 91270, Policy name: Permit-Trust2Trust/4, Timeout: 58, Valid
      In: 10.0.0.5/58179 --> 10.0.1.99/3389;udp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 1315, Bytes: 405220,
      Out: 10.0.1.99/3389 --> 10.0.0.5/58179;udp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 1893, Bytes: 1479872,

    Session ID: 92039, Policy name: Permit-Trust2Trust/4, Timeout: 1800, Valid
      In: 10.0.0.5/60443 --> 10.0.2.99/3389;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 630, Bytes: 37066,
      Out: 10.0.2.99/3389 --> 10.0.0.5/60443;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 629, Bytes: 69530,

    Session ID: 92040, Policy name: Permit-Trust2Trust/4, Timeout: 60, Valid
      In: 10.0.0.5/55733 --> 10.0.2.99/3389;udp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 936, Bytes: 443400,
      Out: 10.0.2.99/3389 --> 10.0.0.5/55733;udp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 1005, Bytes: 780477,
    Total sessions: 4

show security flow session dynamic-application junos:RDP extensive

    jcluser@JCL-NGFW-99> show security flow session dynamic-application junos:RDP extensive
    Session ID: 91269, Status: Normal
    Flags: 0x100040/0x0/0x6003/0x2008103
    Policy name: Permit-Trust2Trust/4
    Source NAT pool: Null
    Dynamic application: junos:COTP, Dynamic nested application: junos:RDP
    Encryption: No  Url-category: Unknown
    Application traffic control rule-set: INVALID, Rule: INVALID
    Maximum timeout: 1800, Current timeout: 1798
    Session State: Valid
    Start time: 83954, Duration: 1450
       In: 10.0.0.5/60370 --> 10.0.1.99/3389;tcp,
       Conn Tag: 0x0, Interface: ge-0/0/6.0,
        Session token: 0x7, Flag: 0x1621
        Route: 0x120010, Gateway: 10.0.0.5, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1633, Bytes: 96112
       Out: 10.0.1.99/3389 --> 10.0.0.5/60370;tcp,
       Conn Tag: 0x0, Interface: ge-0/0/5.0,
        Session token: 0x7, Flag: 0x1620
        Route: 0x100010, Gateway: 10.0.1.99, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1488, Bytes: 130745

    Session ID: 91270, Status: Normal
    Flags: 0x100040/0x0/0x6003/0x103
    Policy name: Permit-Trust2Trust/4
    Source NAT pool: Null
    Dynamic application: junos:RDP, Dynamic nested application: junos:UNKNOWN
    Encryption: No  Url-category: Unknown
    Application traffic control rule-set: INVALID, Rule: INVALID
    Maximum timeout: 60, Current timeout: 56
    Session State: Valid
    Start time: 83954, Duration: 1450
       In: 10.0.0.5/58179 --> 10.0.1.99/3389;udp,
       Conn Tag: 0x0, Interface: ge-0/0/6.0,
        Session token: 0x7, Flag: 0x621
        Route: 0x120010, Gateway: 10.0.0.5, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1408, Bytes: 408924
       Out: 10.0.1.99/3389 --> 10.0.0.5/58179;udp,
       Conn Tag: 0x0, Interface: ge-0/0/5.0,
        Session token: 0x7, Flag: 0x620
        Route: 0x100010, Gateway: 10.0.1.99, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1947, Bytes: 1482547

    Session ID: 92039, Status: Normal
    Flags: 0x100040/0x0/0x6003/0x2008103
    Policy name: Permit-Trust2Trust/4
    Source NAT pool: Null
    Dynamic application: junos:COTP, Dynamic nested application: junos:RDP
    Encryption: No  Url-category: Unknown
    Application traffic control rule-set: INVALID, Rule: INVALID
    Maximum timeout: 1800, Current timeout: 1800
    Session State: Valid
    Start time: 84592, Duration: 812
       In: 10.0.0.5/60443 --> 10.0.2.99/3389;tcp,
       Conn Tag: 0x0, Interface: ge-0/0/6.0,
        Session token: 0x7, Flag: 0x1621
        Route: 0x120010, Gateway: 10.0.0.5, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 751, Bytes: 41906
       Out: 10.0.2.99/3389 --> 10.0.0.5/60443;tcp,
       Conn Tag: 0x0, Interface: ge-0/0/4.0,
        Session token: 0x7, Flag: 0x1620
        Route: 0x130010, Gateway: 10.0.2.99, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 750, Bytes: 80541

    Session ID: 92040, Status: Normal
    Flags: 0x100040/0x0/0x6003/0x103
    Policy name: Permit-Trust2Trust/4
    Source NAT pool: Null
    Dynamic application: junos:RDP, Dynamic nested application: junos:UNKNOWN
    Encryption: No  Url-category: Unknown
    Application traffic control rule-set: INVALID, Rule: INVALID
    Maximum timeout: 60, Current timeout: 56
    Session State: Valid
    Start time: 84593, Duration: 811
       In: 10.0.0.5/55733 --> 10.0.2.99/3389;udp,
       Conn Tag: 0x0, Interface: ge-0/0/6.0,
        Session token: 0x7, Flag: 0x621
        Route: 0x120010, Gateway: 10.0.0.5, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1027, Bytes: 447050
       Out: 10.0.2.99/3389 --> 10.0.0.5/55733;udp,
       Conn Tag: 0x0, Interface: ge-0/0/4.0,
        Session token: 0x7, Flag: 0x620
        Route: 0x130010, Gateway: 10.0.2.99, Tunnel ID: 0, Tunnel type: None
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1059, Bytes: 783143
    Total sessions: 4

    jcluser@JCL-NGFW-99>

show services application-identification application summary | match RDP

    jcluser@JCL-NGFW-99> show services application-identification application summary | match RDP
    junos:NRDP        No   2695   5
    junos:WORDPRESS   No   297    5
    junos:IPP-RDP     No   717    1
    junos:RDP         No   159    1

show services application-identification application detail | find junos:RDP

    jcluser@JCL-NGFW-99> show services application-identification application detail | find junos:RDP
    Application Name: junos:RDP
    Application type: RDP
    Description: This signature detects Microsoft Remote Desktop (RDP) traffic. RDP is a remote administration tool.
    Application ID: 159
    Priority: high
    Order: 0
    Disabled: No
    Cacheable: Yes
    Activation Date: 2003-05-05
    Last Modified: 2017-06-28
    Number of Parent Group(s): 1
    Application Groups:
        junos:remote-access:interactive-desktop
    Application Tags:
        layer : 4
        characteristic : Prone to Misuse
        characteristic : Bandwidth Consumer
        risk : 4
        subcategory : Interactive-Desktop
        category : Remote-Access
    Underlying consolidated Protocols/ports application is dependent on:
        Protocols:
            Protocol: junos:UDP / 216
            Protocol: junos:SSL / 199
            Protocol: junos:TCP / 205
            Protocol: junos:SPDY / 1469
            Protocol: junos:LIBJINGLE-PSEUDOTCP / 3237
            Protocol: junos:STUN / 201
            Protocol: junos:HTTPS / 68
            Protocol: junos:HTTP / 67
            Protocol: junos:NET-PROXY / 2629
            Protocol: junos:HTTP2 / 2553
            Protocol: junos:HTTP-TUNNEL / 750
            Protocol: junos:HTTP-PROXY / 2956
            Protocol: junos:HAPROXY / 3331
            Protocol: junos:COTP / 22
            Protocol: junos:MCS / 112
            Protocol: junos:CAPWAP / 1289
        TCP Ports:
            Port: 3389
    Layer-7 Immediate Protocol(s):
        Protocol: UDP / 216
        Protocol: SSL / 199
        Protocol: MCS / 112
        Protocol: COTP / 22
    Application Specific Ports:
        Default ports: TCP/3389
    Signature:
        Port range: N/A
        Client-to-server
            Order: 1
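
Added example (not part of the original notes, and not Juniper code): a small parser for the brief `show security flow session dynamic-application junos:RDP` output shown earlier, used to total RDP bytes per initiator/target pair and to check each initiator against an allow-list. The allow-list (only the JumpStation 10.0.0.5), the function names, and session 99001 in the sample are assumptions made for illustration.

```python
import re

# Assumption: only the jump station named on this page may originate RDP.
ALLOWED_RDP_SOURCES = {"10.0.0.5"}

# Brief-format sample. Sessions 91269 and 91270 are taken from the output
# above; session 99001 (source 10.0.2.50) is constructed to show a finding.
SAMPLE = """\
Session ID: 91269, Policy name: Permit-Trust2Trust/4, Timeout: 1798, Valid
  In: 10.0.0.5/60370 --> 10.0.1.99/3389;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 1513, Bytes: 91312,
  Out: 10.0.1.99/3389 --> 10.0.0.5/60370;tcp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 1368, Bytes: 119825,
Session ID: 91270, Policy name: Permit-Trust2Trust/4, Timeout: 58, Valid
  In: 10.0.0.5/58179 --> 10.0.1.99/3389;udp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 1315, Bytes: 405220,
  Out: 10.0.1.99/3389 --> 10.0.0.5/58179;udp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 1893, Bytes: 1479872,
Session ID: 99001, Policy name: Permit-Trust2Trust/4, Timeout: 1790, Valid
  In: 10.0.2.50/50100 --> 10.0.1.99/3389;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 40, Bytes: 3000,
  Out: 10.0.1.99/3389 --> 10.0.2.50/50100;tcp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 38, Bytes: 5000,
Total sessions: 3
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
# One wing (direction) of a session; IPv4 only, as in the output above.
WING = re.compile(r"(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), "
                  r"Conn Tag: \w+, If: ([^,\s]+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return one dict per session; works on wrapped or single-line output."""
    heads = list(HEADER.finditer(text))
    sessions = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        s = {"id": int(h[1]), "policy": h[2], "timeout": int(h[3])}
        for w in WING.finditer(text, h.end(), end):
            s[w[1].lower()] = {"src": w[2], "dst": w[4], "proto": w[6], "bytes": int(w[9])}
        sessions.append(s)
    return sessions

def summarize(sessions, allowed=ALLOWED_RDP_SOURCES):
    """Map (initiator, target) -> [bytes over both wings, initiator allowed?]."""
    pairs = {}
    for s in sessions:
        if "in" in s and "out" in s:
            key = (s["in"]["src"], s["in"]["dst"])
            entry = pairs.setdefault(key, [0, key[0] in allowed])
            entry[0] += s["in"]["bytes"] + s["out"]["bytes"]
    return pairs

if __name__ == "__main__":
    for pair, (nbytes, ok) in summarize(parse_sessions(SAMPLE)).items():
        print(pair, nbytes, "allowed" if ok else "UNEXPECTED SOURCE")
```

The TCP and UDP sessions of one RDP connection are separate flow entries, so the summary adds them under the same initiator/target key.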