Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

ALG Configuration Page Options

 
  1. Select Configure>Security>ALG.

    The ALG configuration page appears. Table 243 explains the contents of this page.

  2. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Reset—Resets your entries and returns to the main configuration page.

Table 243: ALG Configuration Options

Field

Function

Action

Main

Enable TFTP

Provides an ALG for Trivial File Transfer Protocol. The TFTP ALG processes TFTP packets that initiate a request and opens a gate to allow return packets from the reverse direction to the port that sends the request.

Select the check box to enable the ALG.

Enable PPTP

Provides an ALG for Point-to-Point Tunneling Protocol. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building VPNs.

Select the check box to enable the ALG.

   

Enable RSH

Provides an ALG for the remote shell. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.

Select the check box to enable the ALG.

Enable RTSP

Provides an ALG for the Real-Time Streaming Protocol.

Select the check box to enable the ALG.

Enable SQL

Provides an ALG for Structured Query Language. The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet and looks for the (HOST=ipaddress), (PORT=port) pattern and performs NAT and gate opening on the client side for the TCP data channel.

Select the check box to enable the ALG.

Enable TALK

Provides an ALG for the TALK protocol. The TALK protocol uses UDP port 517 and port 518 for control-channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.

Select the check box to enable the ALG.

DNS

Enable DNS

Provides an ALG for the domain name system. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates the packet is a reply message.

Select the check box to enable the ALG.

Doctoring

Specifies the sanity check.

Select the check box to enable the option.

Maximum Message length

Specifies the maximum message length.

Select a number from Size is (512-8192 bytes).

Enable Oversize message drop.

Specify to enable the oversize message drop.

Select the check box.

FTP

Enable FTP

Provides an ALG for File Transfer Protocol. The FTP ALG monitors PORT, PASV, and 227 commands. It performs Network Address Translation (NAT) on IP/port in the message and gate opening on the device as necessary. The FTP ALG supports FTP put and FTP get command blocking. When FTP_NO_PUT or FTP_NO_GET is set in the policy, the FTP ALG sends back a blocking command and closes the associated opened gate when it detects an FTP STOR or FTP RETR command.

Select the check box to enable the ALG.

Enable allow mismatch IP address

Allows any mismatch in IP address.

Select the check box to enable.

Enable FTP Extension

Enables the file extension.

Select the checkbox to enable File extension.

Enable line Break Extension

Enables the line break extension.

Select the checkbox to enable this option.

H323

Enable H323 ALG

Enables or disables the H.323 ALG.

Select the check box.

Application Screen

Message Flood Gatekeeper Threshold

Limits the rate per second at which remote access server (RAS) requests to the gatekeeper are processed. Messages exceeding the threshold are dropped. This feature is disabled by default.

Enter a value. The value range is 1 to 50000 messages per second.

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified H.323 (unsupported) messages are handled by the device. The default is to drop unknown messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown H.323 messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as though they are in route mode.)

Select the check box.

DSCP Code Rewrite

Code Point

Specifies a rewrite-rule for the traffic that passes through a voice over IP Application Layer Gateway (VoIP ALG). The value of code point is in binary format.

The VoIP rewrite rules modifies the appropriate class of service (CoS) bits in an outgoing packets through Differentiated Services Code Point (DSCP) mechanism that improves the VoIP quality in a congested network.

Select a 6-bit string from the dropdown list.

Endpoints

Timeout For Endpoint

Controls the duration of the entries in the NAT table.

Enter a value with a range 10 to 65535 seconds.

Enable Permit Media From Any Source Port

Allows media traffic from any port number. By default, this feature is disabled. When enabled, the device allows a temporary opening, or pinhole, in the firewall as needed for media traffic.

Enter a value from 1 through 50,000 seconds.

 

IKE-ESP

Enable IKE-ESP

Enables the IKE-ESP option.

Select the checkbox to enable IKE-ESP.

ESP Gate Timeout

Specifies the ESP gate timeout.

Select the gate timeout from 2 to 30 secs.

ESP Session Timeout(sec)

Specifies the ESP session time out.

Select the timeout session from 60 to 2400 sec.

ALG State Timeout(Sec)

Specifies the ALG state time out.

Select the ALG state time out from 180 to 86400 sec.

MGCP

Enable MGCP

Enables or disables the Media Gateway Control Protocol.

Select the check box.

Inactive Media Timeout

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall MGCP ALG opened for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value from 10 through 2,550 seconds.

 

Maximum Call Duration

Sets the maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 720 minutes.

Select a value from 3 through 720 minutes.

 

Transaction Timeout

Specifies a timeout value for MGCP transactions. A transaction is a signalling message, for example, a NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The device tracks these transactions and clears them when they time out.

Enter a value from 3 through 50 seconds.

Application Screen

Message Flood Threshold

Limits the rate per second at which message requests to the Media Gateway are processed. Messages exceeding the threshold are dropped by the Media Gateway Control Protocol (MGCP). This feature is disabled by default.

Enter a value from 2 through 50,000 seconds per media gateway.

Connection Flood Threshold

Limits the number of new connection requests allowed per Media Gateway (MG) per second. Messages exceeding the ALG.

Enter a value from 2 through 10,000.

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified MGCP messages are handled by the Juniper Networks device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown MGCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

Select the check box.

MSRPC

Enable MSRPC

Provides a method for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's Universal Unique IDentifier (UUID). The specific UUID is mapped to a transport address.

Select the check box to enable the ALG.

Maximum Group Usage (%)

Specify the maximum group usage (%).

Select the usage % from 10 to 100%.

Map Entry Timeout(min)

Specify the map entry time out.

Select the timeout session from 5 to 4320 min.

SCCP

Enable SCCP

Enables or disables the Skinny Client Control Protocol.

Select the check box.

Inactive Media Timeout

Indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the gates opened for media are closed.

Select a value from 10 through 600 seconds.

Application Screen

Call Flood Threshold

Protects SCCP ALG clients from flood attacks by limiting the number of calls they attempt to process

Select a value from 2 through 1,000.

Action On Receiving Unknown Messages

Enable Permit NAT Applied

Specifies how unidentified SCCP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SCCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

 

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as though they are in route mode.)

Select the check box.

SIP

Enable SIP

Enables or disables Session Initiation Protocol.

Select the check box.

Enable Retain Hold Resource

Enables or disables whether the device frees media resources for a SIP, even when a media stream is placed on hold. By default, media stream resources are released when the media stream is held.

Select the check box.

Maximum Call Duration

Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. The default setting is 720 minutes, the range is from 3 to 720 minutes.

Select a value from 3 through 720 minutes.

 

C Timeout

Specifies the INVITE transaction timeout at the proxy, in minutes; the default is 3. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy.

Select a value from 3 through 10 minutes.

T4 Interval

Specifies the maximum time a message remains in the network. The default is 5 seconds; the range is 5 through 10 seconds. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers also are adjusted.

Select a value from 5 through 10 seconds.

 

Inactive Media Timeout

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall SIP ALG opened for media are closed. The default setting is 120 seconds; the range is 10 through 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value from 10 through 2,550 seconds.

 

T1 Interval

Specifies the roundtrip time estimate, in seconds, of a transaction between endpoints. The default is 500 milliseconds. Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted.

Select a value from 500 through 5000 milliseconds.

 

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified SIP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SIP messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

Select the check box.

Protect Options
Application Screen

SIP Invite Attack Table Entry Timeout

Specifies the time (in seconds) to make an attack table entry for each INVITE, which is listed in the application screen.

Enter a value from 1 through 3,600 seconds.

Enable Attack Protection

Protects servers against INVITE attacks. Configures the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks.

Select All Servers or Selected Servers as the options.

When Selected Servers option is selected, UI provides the option to add/delete Destination IPs.

SUNRPC

Enable SUNRPC

Provides amethod for a program running on one host to Select the check box to enable the ALG. call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

Select the checkbox to enable SUNRPC.

Maximum Group Usage (%)

Specify the maximum group usage (%).

Select the usage % from 10 to 100%.

Map Entry Timeout

Specify the map entry time out.

Select the timeout session from 5 to 4320 min.