    Configuring Juniper Service Framework – Application-Level Gateways, Rules, and Services Set

    ALGs intercept and analyze specified traffic, allocate resources, and define dynamic policies that permit the traffic to pass securely through the device. JSF ALGs can be used together with the stateful firewall (SFW) and NAT.

    To run ALGs with JSF, you must configure the jservices-nat, jservices-alg, and jservices-sfw packages at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider] hierarchy level. In addition, you must configure SFW rules and a services set on a Multiservices interface. This section includes the following tasks:

    1. Configuring the JSF Application-Level Gateways Package
    2. Configuring Stateful Firewall with ALGs
    3. Configuring Network Address Translation with ALGs

    Configuring the JSF Application-Level Gateways Package

    To configure the JSF services:

    1. In configuration mode, go to the following hierarchy level:
      user@host# edit chassis
    2. In the hierarchy level, configure the FPC and PIC.
      [edit chassis]user@host# edit fpc slot pic slot

      In this example, the FPC is in slot 1 and the PIC is in slot 0:

      [edit chassis]user@host# edit fpc 1 pic 0
    3. Configure the number of cores dedicated to run control functionality.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider control-cores control-cores

      In this example, the number of control cores is 1.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider control-cores 1
    4. Configure the number of processing cores dedicated to data.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider data-cores data-cores

      In this example, the number of data cores is 7.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider data-cores 7
    5. Configure the size of the object cache in MB. Only values in increments of 128 MB are allowed, and the maximum object cache size is 1280 MB (512 MB on the MS-100). To configure the size of the cache:
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider object-cache-size object-cache-size

      In this example, the size of the object cache is 1280 MB.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider object-cache-size 1280
    6. Configure the size of the policy database in MB.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider policy-db-size policy-db-size

      In this example, the size of the policy database is 64 MB.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider policy-db-size 64
    7. Configure the package.
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider package package

      In this example, the first package is jservices-nat, the second package is jservices-alg, and the third package is jservices-sfw.

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider package jservices-nat
      user@host# set adaptive-services service-package extension-provider package jservices-alg
      user@host# set adaptive-services service-package extension-provider package jservices-sfw
    8. Configure the extension-provider system log so that the PIC records system log messages that you can later view:
      [edit chassis fpc slot pic slot]user@host# set adaptive-services service-package extension-provider syslog syslog

      In this example, syslog is set to daemon any and external any:

      [edit chassis fpc 1 pic 0]user@host# set adaptive-services service-package extension-provider syslog daemon any
      user@host# set adaptive-services service-package extension-provider syslog external any
    9. Verify the configuration.
      [edit chassis]
      user@host# show chassis 
      fpc 1 {
          pic 0 {
              adaptive-services {
                  service-package {
                      extension-provider {
                          control-cores 1;
                          data-cores 7;
                          object-cache-size 1280;
                          policy-db-size 64;
                          package jservices-nat;
                          package jservices-alg;
                          package jservices-sfw;
                          syslog {
                              daemon any;
                              external any;
                          }
                      }
                  }
              }
          }
      }
    10. Check the ALG statistics for drops and parser errors.
      user@host# run show services alg statistics
      Interface name: ms-1/1/0
      FTP ALG statistics:
      Packets dropped : 0
      ALG parser errors : 0
      Packets translated : 0
      
      Interface name: ms-1/1/0
      RPC ALG statistics:
      Call packet with rpcbind2 : 2
      Call packet with rpcbind3 : 0
      Call packet with rpcbind4 : 0
      Invalid rpcbind call : 0
      Reply packet with rpcbind2: 2
      Reply packet with rpcbind3: 0
      Reply packet with rpcbind4: 0
      Invalid rpcbind reply : 0
      Packets fragmented : 0
      Packets dropped : 0
      Packets released : 0
      
      Interface name: ms-0/1/0
      RTSP ALG statistics:
      Packets exceeded maximum length : 0
      Packets dropped by ALG : 0
      Number of describe messages received : 8
      Number of setup messages received : 30
      Number of teardown messages received : 7
      

    Configuring Stateful Firewall with ALGs

    To configure the stateful firewall rule:

    1. In configuration mode, go to the following hierarchy level:
      user@host# edit services
    2. Configure the Stateful Firewall rule.
      [edit services]user@host# set stateful-firewall rule rule

      In this example, the SFW rule is rule1 match-direction input-output.

      [edit services]user@host# set stateful-firewall rule rule1 match-direction input-output
    3. Configure the input conditions (the from clause) of the stateful firewall term.
      [edit services]user@host# set stateful-firewall rule rule term term from applications application

      In this example, term term1 of rule1 matches the applications junos-ftp, junos-sqlnet, junos-pptp, junos-talk-udp, junos-dns-udp, junos-rtsp, and junos-sip.

      [edit services]user@host# set stateful-firewall rule rule1 term term1 from applications junos-ftp
      user@host# set stateful-firewall rule rule1 term term1 from applications junos-sqlnet
      user@host# set stateful-firewall rule rule1 term term1 from applications junos-pptp
      user@host# set stateful-firewall rule rule1 term term1 from applications junos-talk-udp
      user@host# set stateful-firewall rule rule1 term term1 from applications junos-dns-udp
      user@host# set stateful-firewall rule rule1 term term1 from applications junos-rtsp
      user@host# set stateful-firewall rule rule1 term term1 from applications junos-sip
    4. Configure the action (the then clause) of the stateful firewall term.
      [edit services]user@host# set stateful-firewall rule rule term term then action

      In this example, the rule is rule1 term term1 then accept.

      [edit services]user@host# set stateful-firewall rule rule1 term term1 then accept
    5. Verify the configuration.
      [edit services]
      user@host# show
      stateful-firewall {
          rule rule1 {
              match-direction input-output;
              term term1 {
                  from {
                      applications [ junos-ftp junos-sqlnet junos-pptp junos-talk-udp junos-dns-udp junos-rtsp junos-sip ]; 
                  }
                  then {
                      accept;
                  }
              }
          }
      }
      

    Configuring Network Address Translation with ALGs

    To configure the NAT pool and NAT rule:

    1. In configuration mode, go to the following hierarchy level:
      user@host# edit services
    2. Configure the NAT pool.
      [edit services]user@host# set nat pool pool

      In this example, the NAT pool is p1.

      [edit services]user@host# set nat pool p1
    3. Configure the NAT pool address.
      [edit services]user@host# set nat pool p1 address address

      In this example, the NAT pool address is 20.1.1.10/32.

      [edit services]user@host# set nat pool p1 address 20.1.1.10/32
    4. Configure the NAT pool port.
      [edit services]user@host# set nat pool p1 port port

      In this example, the NAT pool port is automatic.

      [edit services]user@host# set nat pool p1 port automatic
    5. Configure the rule.
      [edit services]user@host# set nat rule rule

      In this example, the rule is r1.

      [edit services]user@host# set nat rule r1
    6. Configure the match direction.
      [edit services]user@host# set nat rule r1 match-direction match-direction

      In this example, the match direction is input.

      [edit services]user@host# set nat rule r1 match-direction input
    7. Configure the term.
      [edit services]user@host# set nat rule r1 term term

      In this example, the term is t1.

      [edit services]user@host# set nat rule r1 term t1
    8. Configure the input conditions for the NAT term.
      [edit services]user@host# set nat rule r1 term t1 from from

      In this example, term t1 matches the applications junos-ftp, junos-sqlnet, junos-pptp, junos-talk-udp, junos-dns-udp, junos-rtsp, and junos-sip.

      [edit services]user@host# set nat rule r1 term t1 from applications junos-ftp
      user@host# set nat rule r1 term t1 from applications junos-sqlnet
      user@host# set nat rule r1 term t1 from applications junos-pptp
      user@host# set nat rule r1 term t1 from applications junos-talk-udp
      user@host# set nat rule r1 term t1 from applications junos-dns-udp
      user@host# set nat rule r1 term t1 from applications junos-rtsp
      user@host# set nat rule r1 term t1 from applications junos-sip
    9. Configure the NAT term action.
      [edit services]user@host# set nat rule r1 term t1 then action

      In this example, the term action is translated.

      [edit services]user@host# set nat rule r1 term t1 then translated
    10. Configure the properties for translated traffic.
      [edit services]user@host# set nat rule r1 term t1 then translated translated

      In this example, the property for the translated traffic is source-pool p1.

      [edit services]user@host# set nat rule r1 term t1 then translated source-pool p1
    11. Configure the translation type for the translated traffic.
      [edit services]user@host# set nat rule r1 term t1 then translated translation-type translation-type

      In this example, the translation type is source dynamic.

      [edit services]user@host# set nat rule r1 term t1 then translated translation-type source dynamic
    12. Verify the configuration.
      [edit services]
      user@host# show
      nat {
          pool p1 {
              address 20.1.1.10/32;
              port automatic;
          }
          rule r1 {
              match-direction input;
              term t1 {
                  from {
                      applications [ junos-ftp junos-sqlnet junos-pptp junos-talk-udp junos-dns-udp junos-rtsp junos-sip ];
                  }
                  then {
                      translated {
                          source-pool p1;
                          translation-type {
                              source dynamic;
                          }
                      }
                  }
              }
          }
      }
      
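    The three procedures above (chassis package, SFW rule, NAT rule) form one configuration. The following Python helper is an added example, not Juniper code: it renders the same set commands from a single ALG application list, so the SFW term and the NAT term can never list different applications, and it enforces the object-cache-size limits stated in step 5 of the chassis procedure. Hierarchy names and values come from this page; the function and parameter names are the example's own.

```python
CACHE_STEP_MB = 128                              # step 5: increments of 128 MB
CACHE_MAX_MB = {"default": 1280, "ms-100": 512}  # step 5: maximum, lower on MS-100
PACKAGES = ("jservices-nat", "jservices-alg", "jservices-sfw")
ALG_APPS = ["junos-ftp", "junos-sqlnet", "junos-pptp", "junos-talk-udp",
            "junos-dns-udp", "junos-rtsp", "junos-sip"]


def validate_object_cache(size_mb, platform="default"):
    """Reject object-cache-size values the page says the PIC will not accept."""
    if size_mb <= 0 or size_mb % CACHE_STEP_MB:
        raise ValueError(f"object-cache-size {size_mb} is not a multiple of {CACHE_STEP_MB} MB")
    if size_mb > CACHE_MAX_MB[platform]:
        raise ValueError(f"object-cache-size {size_mb} exceeds {CACHE_MAX_MB[platform]} MB ({platform})")
    return size_mb


def render_jsf_config(fpc, pic, apps, pool_address, control_cores=1, data_cores=7,
                      object_cache_mb=1280, policy_db_mb=64, platform="default"):
    """Return the set commands for the chassis package, the SFW rule and the NAT rule."""
    validate_object_cache(object_cache_mb, platform)
    if "/" not in pool_address:
        raise ValueError("NAT pool address needs a prefix length, e.g. 20.1.1.10/32")
    ep = f"chassis fpc {fpc} pic {pic} adaptive-services service-package extension-provider"
    cmds = [f"set {ep} control-cores {control_cores}",
            f"set {ep} data-cores {data_cores}",
            f"set {ep} object-cache-size {object_cache_mb}",
            f"set {ep} policy-db-size {policy_db_mb}"]
    cmds += [f"set {ep} package {p}" for p in PACKAGES]
    cmds += [f"set {ep} syslog daemon any", f"set {ep} syslog external any"]
    # One application list feeds both the SFW term and the NAT term, so the two
    # rules cannot drift apart when an ALG application is added or removed.
    sfw = "services stateful-firewall rule rule1"
    cmds.append(f"set {sfw} match-direction input-output")
    cmds += [f"set {sfw} term term1 from applications {a}" for a in apps]
    cmds.append(f"set {sfw} term term1 then accept")
    nat = "services nat"
    cmds += [f"set {nat} pool p1 address {pool_address}",
             f"set {nat} pool p1 port automatic",
             f"set {nat} rule r1 match-direction input"]
    cmds += [f"set {nat} rule r1 term t1 from applications {a}" for a in apps]
    cmds += [f"set {nat} rule r1 term t1 then translated source-pool p1",
             f"set {nat} rule r1 term t1 then translated translation-type source dynamic"]
    return cmds


if __name__ == "__main__":
    print("\n".join(render_jsf_config(1, 0, ALG_APPS, "20.1.1.10/32")))
```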

    Published: 2012-07-02