Understanding Data ALG Types
Junos OS supports the data ALG types listed in Table 1.
Table 1: Data ALG Types

ALG Type          Description
----------------  ---------------------------------------------------------------
DNS ALG           Provides an ALG for the Domain Name System. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message.
                  Dynamic DNS (DDNS) is an addition to the DNS standard. DDNS updates a DNS server with new or changed records for IP addresses without the need for human intervention. Unlike DNS, which only works with static IP addresses, DDNS is also designed to support dynamic IP addresses, such as those assigned by a DHCP server. DDNS is a good option for home networks, which often receive dynamic public IP addresses from their Internet provider that occasionally change.
FTP ALG           Provides an ALG for the File Transfer Protocol (FTP). The FTP ALG monitors PORT, PASV, and 227 commands. It performs NAT on the IP address, the port, or both in the message and opens gates on the device as necessary.
IKE and ESP ALG   Monitors IKE traffic between the client and the server and permits only one IKE Phase 2 message exchange between any given client/server pair, not just one exchange between any client and any server.
                  Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is exchanged between the clients and the server. However, if the clients do not support NAT-Traversal (NAT-T) and the device assigns the same NAT-generated IP address to two or more clients, the device is unable to distinguish and route return traffic properly.
                  Note: If the user wants to support both NAT-T-capable and non-NAT-T-capable clients, some additional configuration is required. If there are NAT-T-capable clients, the user must enable source NAT address persistence.
MS RPC ALG        Provides an ALG for the Microsoft Remote Procedure Call.
PPTP ALG          Provides an ALG for the Point-to-Point Tunneling Protocol (PPTP). PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems, is also popular on Linux systems, and is widely deployed for building Virtual Private Networks (VPNs).
RSH ALG           Provides an ALG for the Remote Shell (RSH). The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.
RTSP ALG          Provides an ALG for the Real Time Streaming Protocol (RTSP). RTSP is a standard protocol for streaming media applications. It controls the delivery of data with real-time properties, such as audio and video.
SQLNET ALG        Provides an ALG for the Structured Query Language (SQL). The SQLNET ALG processes the SQL TNS response frame from the server side. It parses the packet, looks for the (HOST=ipaddress), (PORT=port) pattern, and performs NAT and gate opening on the client side for the TCP data channel.
Sun RPC ALG       Provides an ALG for the Sun Remote Procedure Call.
TALK ALG          Provides an ALG for the TALK protocol. The TALK protocol uses UDP port 517 and port 518 for control channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.
TFTP ALG          Provides an ALG for the Trivial File Transfer Protocol (TFTP). The TFTP ALG processes TFTP packets that initiate the request and opens a gate to allow return packets from the reverse direction to the port that sent the request.
TWAMP ALG         The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices in a network that support the protocols in the TWAMP framework. TWAMP consists of two interrelated protocols: TWAMP-Control and TWAMP-Test.
For information about enabling and configuring each of these ALGs through J-Web, select the Configure>Security>ALG page in the J-Web user interface and click Help.
Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, SRX5400, SRX5600, and SRX5800 devices with the SRX5K-MPC (IOC2), SRX5K-MPC3-100G10G (IOC3), and SRX5K-MPC3-40G10G (IOC3) support Express Path (formerly known as services offloading) for ALG traffic.
Starting in Junos OS Release 19.3R1, SRX5400, SRX5600, and SRX5800 devices with the IOC4 (SRX5K-IOC4-MRAT and SRX5K-IOC4-10G) support Express Path (formerly known as services offloading) for ALG traffic.
The following ALG data traffic supports Express Path: FTP, H.323 (only RTP/RTCP sessions are offloaded), MGCP, MS RPC, RSH, RTSP, SCCP, SIP (only RTP/RTCP sessions are offloaded), Sun RPC, TALK (only TCP sessions are offloaded), and TFTP.
DNS, IKE and ESP, PPTP, and SQLNET ALG data traffic does not support Express Path.
Once an Express Path session is set up, packets cannot be sent to the SPU again.