
Configuring Application Layer Gateways—Quick Configuration

To enable or disable an Application Layer Gateway (ALG) using the J-Web interface:

  1. Select Configure>Security>ALGs.

    All ALGs are enabled by default.

  2. Select the check box next to an ALG, as described in Table 215, and click one of the following:

Table 215: General Configuration Options (columns: Field, Function, Action)

Main

Enable DNS
  Function: Provides an ALG for the Domain Name System. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message.
  Action: Select the check box to enable the ALG.

Enable FTP
  Function: Provides an ALG for the File Transfer Protocol. The FTP ALG monitors the PORT and PASV commands and the 227 response. It performs NAT of the IP address and port embedded in the message and opens gates on the device as necessary. The FTP ALG supports blocking of the FTP put and FTP get commands: when FTP_NO_PUT or FTP_NO_GET is set in the policy, the FTP ALG sends back a blocking response and closes the associated open gate when an FTP STOR or FTP RETR command is observed.
  Action: Select the check box to enable the ALG.

Enable TFTP
  Function: Provides an ALG for the Trivial File Transfer Protocol. The TFTP ALG processes the TFTP packet that initiates a request and opens a gate that allows return packets from the reverse direction to reach the port that sent the request.
  Action: Select the check box to enable the ALG.

Enable PPTP
  Function: Provides an ALG for the Point-to-Point Tunneling Protocol. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building virtual private networks (VPNs).
  Action: Select the check box to enable the ALG.

Enable REAL
  Function: Provides an ALG for the RealAudio and RealVideo protocol. The REAL ALG processes Progressive Networks Audio (PNA) packets over the TCP connection and looks for the control commands in the packet in which the port number is embedded. It performs NAT and opens gates for the UDP data connection.
  Action: Select the check box to enable the ALG.

Enable MSRPC
  Function: Provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's universally unique identifier (UUID). The specific UUID is mapped to a transport address.
  Action: Select the check box to enable the ALG.

Enable SUNRPC
  Function: Provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.
  Action: Select the check box to enable the ALG.

Enable RSH
  Function: Provides an ALG for the Remote Shell. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.
  Action: Select the check box to enable the ALG.

Enable RTSP
  Function: Provides an ALG for the Real-Time Streaming Protocol.
  Action: Select the check box to enable the ALG.

Enable SQL
  Function: Provides an ALG for the Structured Query Language. The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet, looks for the (HOST=ipaddress) and (PORT=port) patterns, and performs NAT and gate opening on the client side for the TCP data channel.
  Action: Select the check box to enable the ALG.

Enable TALK
  Function: Provides an ALG for the TALK protocol. The TALK protocol uses UDP port 517 and port 518 for control channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.
  Action: Select the check box to enable the ALG.

H323

Enable H323 ALG
  Function: Enables or disables the H.323 ALG.
  Action: Click the check box.

Application Screen

Message flood gatekeeper threshold
  Function: Limits the rate per second at which remote access server (RAS) requests to the gatekeeper are processed. Messages exceeding the threshold are dropped. This feature is disabled by default.
  Action: Enter a value.

Action on receiving unknown messages

Permit NAT Applied
  Function: Specifies how unidentified H.323 messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown (unsupported) H.323 messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.
  This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.
  Action: Click the check box.

Enable permit routed
  Function: Specifies that unknown messages are allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)
  Action: Click the check box.

Endpoints

Timeout for endpoint
  Function: Controls the duration of the entries in the NAT table.
  Action: Enter a value between 10 and 50,000 seconds.

Enable permit media from any source port
  Function: Allows media traffic from any port number. By default, this feature is disabled. When disabled, the device allows a temporary opening, or pinhole, in the firewall as needed for media traffic.
  Action: Enter a value between 1 and 50,000 seconds.

MGCP

Enable MGCP ALG
  Function: Enables or disables the MGCP ALG.
  Action: Click the check box.

Inactive media timeout
  Function: Specifies the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) that the MGCP ALG opened in the firewall for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.
  Action: Select a value between 10 and 2,550 seconds.

Maximum call duration
  Function: Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 7200 minutes.
  Action: Select a value between 3 and 7,200 minutes.

Transaction timeout
  Function: Specifies a timeout value for MGCP transactions. A transaction is a signaling message, for example, an NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The Juniper Networks device tracks these transactions and clears them when they time out.
  Action: Enter a value from 3 to 50 seconds.

Application Screen

Message flood threshold
  Function: Limits the rate per second at which message requests to the media gateway are processed. Messages exceeding the threshold are dropped by the Media Gateway Control Protocol (MGCP) Application Layer Gateway (ALG). This feature is disabled by default.
  Action: Enter a value from 2 to 50,000 seconds per media gateway.

Connection flood threshold
  Function: Limits the number of new connection requests allowed per media gateway (MG) per second. Messages exceeding the threshold are dropped by the ALG.
  Action: Enter a value from 2 to 10,000.

Action on receiving unknown messages

Enable permit NAT applied
  Function: Specifies how unidentified MGCP messages are handled by the Juniper Networks device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown (unsupported) MGCP messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.
  This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.
  Action: Click the check box.

Enable permit routed
  Function: Specifies that unknown messages are allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)
  Action: Click the check box.

SCCP

Enable SCCP ALG
  Function: Enables or disables the SCCP ALG.
  Action: Click the check box.

Inactive Media Timeout
  Function: Indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the gates that the Skinny Client Control Protocol (SCCP) ALG opened for media are closed.
  Action: Select a value from 10 to 600 seconds.

Application Screen

Call Flood Threshold
  Function: Protects Skinny Client Control Protocol (SCCP) ALG clients from flood attacks by limiting the number of calls they attempt to process.
  Action: Select a value from 2 to 1,000.

Action on receiving unknown messages

Enable Permit NAT Applied
  Function: Specifies how unidentified SCCP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown (unsupported) SCCP messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.
  This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.
  Action: Click the check box.

Enable Permit Routed
  Function: Specifies that unknown messages are allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)
  Action: Click the check box.

SIP

Enable SIP ALG
  Function: Enables or disables the SIP ALG.
  Action: Click the check box.

Enable Retain Hold Resource
  Function: Enables or disables retaining media resources for a Session Initiation Protocol (SIP) Application Layer Gateway (ALG) when a media stream is placed on hold. By default, media stream resources are released when the media stream is held.
  Action: Click the check box.

Maximum Call Duration
  Function: Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 7200 minutes.
  Action: Select a value between 3 and 7,200 minutes.

C Timeout
  Function: Specifies the INVITE transaction timeout at the proxy, in minutes; the default is 3. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is 64 * T1 = 32 seconds), the SIP ALG gets its timer value from the proxy.
  Action: Select a value between 3 and 10 minutes.

T4 Interval
  Function: Specifies the maximum time a message remains in the network. The default is 5 seconds; the range is 5 to 10 seconds. Because many SIP timers scale with the T4 Interval (as described in RFC 3261), when you change the value of the T4 Interval timer, those SIP timers are also adjusted.
  Action: Select a value between 5 and 10 seconds.

Inactive Media Timeout
  Function: Specifies the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) that the SIP ALG opened in the firewall for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.
  Action: Select a value between 10 and 2,550 seconds.

T1 Interval
  Function: Specifies the round-trip time estimate, in seconds, of a transaction between endpoints. The default is 500 milliseconds. Because many SIP timers scale with the T1 Interval (as described in RFC 3261), when you change the value of the T1 Interval timer, those SIP timers are also adjusted.
  Action: Select a value between 500 and 5,000 milliseconds.

Application Screen

SIP invite attack table entry timeout
  Function: Specifies the amount of time (in seconds) for which an attack table entry is kept for each INVITE. This option is listed in the application screen.
  Action: Enter a value between 1 and 3,600 seconds.

Action on receiving unknown messages

Enable Permit NAT Applied
  Function: Specifies how unidentified SIP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown (unsupported) SIP messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.
  This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.
  Action: Click the check box.

Enable Permit Routed
  Function: Specifies that unknown messages are allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)
  Action: Click the check box.

Protect option

Enable Attack Protection
  Function: Protects servers against INVITE attacks. Configure the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks.
  Action: Select either All Servers or Selected Servers.
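As an added example that is not part of this Juniper documentation, the following Python sketches the inspection step that the FTP and SQL rows of Table 215 describe: find the address and port embedded in a PORT command, a 227 reply or a TNS (HOST=...)(PORT=...) response, rewrite it for NAT, and report the gate (pinhole) the device would have to open, together with the FTP_NO_PUT/FTP_NO_GET command check. The nat_map argument, the Pinhole class and the sample addresses are constructed for illustration and are not the device's own data structures.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Address-and-port patterns the FTP and SQLNET ALGs look for (constructed example):
#   FTP "PORT h1,h2,h3,h4,p1,p2" (client to server) and
#   "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server to client), port = p1*256 + p2
FTP_ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
#   Oracle TNS response/redirect fragment: "(HOST=10.0.0.20)(PORT=1521)"
TNS_ADDR = re.compile(r"\(HOST=([\d.]+)\)\s*\(PORT=(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """Gate the ALG must open: inside host and port of the negotiated data channel."""
    ip: str
    port: int


def _ftp_decode(m: "re.Match") -> Tuple[str, int]:
    return ".".join(m.group(i) for i in range(1, 5)), int(m.group(5)) * 256 + int(m.group(6))


def _ftp_encode(ip: str, port: int) -> str:
    return ",".join(ip.split(".")) + ",%d,%d" % (port // 256, port % 256)


def rewrite_control_message(msg: str, nat_map: Dict[str, str]) -> Tuple[str, Optional[Pinhole]]:
    """Return the NAT-rewritten control message and the pinhole to open.

    nat_map maps an inside (private) address to its translated (outside) address;
    a message with no embedded address is returned unchanged with no pinhole."""
    if msg.startswith(("PORT ", "227 ")):
        m = FTP_ADDR.search(msg)
        if m is None:
            return msg, None
        ip, port = _ftp_decode(m)
        rewritten = msg[:m.start()] + _ftp_encode(nat_map.get(ip, ip), port) + msg[m.end():]
        return rewritten, Pinhole(ip, port)
    m = TNS_ADDR.search(msg)
    if m is not None:
        ip, port = m.group(1), int(m.group(2))
        rewritten = msg[:m.start()] + "(HOST=%s)(PORT=%d)" % (nat_map.get(ip, ip), port) + msg[m.end():]
        return rewritten, Pinhole(ip, port)
    return msg, None


def ftp_command_blocked(cmd: str, no_put: bool, no_get: bool) -> bool:
    """Policy check matching FTP_NO_PUT / FTP_NO_GET: STOR is an upload (put), RETR a download (get)."""
    verb = cmd.split(None, 1)[0].upper() if cmd.strip() else ""
    return (no_put and verb == "STOR") or (no_get and verb == "RETR")
```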
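As a second added example, not taken from this documentation, this Python derives the RFC 3261 (Table 4) transaction timers from the T1 Interval and T4 Interval fields so that the remark "those SIP timers are also adjusted" can be seen concretely, including the 64 * T1 = 32 second timer B that the C Timeout row refers to. The range constants are the limits given in the Action column above; the function names are my own.

```python
from typing import Dict, List

# Configurable limits of the J-Web SIP ALG fields T1 Interval (ms) and T4 Interval (s)
T1_RANGE_MS = (500, 5000)
T4_RANGE_S = (5, 10)


def sip_timers(t1_ms: int = 500, t4_s: int = 5) -> Dict[str, float]:
    """Derive the RFC 3261 Table 4 transaction timers (seconds) from T1 and T4.

    T1 is the round-trip time estimate, T4 the maximum time a message stays in the
    network; every timer below is a fixed multiple of one of them, which is why
    changing either J-Web field rescales the whole set."""
    if not T1_RANGE_MS[0] <= t1_ms <= T1_RANGE_MS[1]:
        raise ValueError("T1 %d ms is outside the configurable range %s" % (t1_ms, T1_RANGE_MS))
    if not T4_RANGE_S[0] <= t4_s <= T4_RANGE_S[1]:
        raise ValueError("T4 %d s is outside the configurable range %s" % (t4_s, T4_RANGE_S))
    t1 = t1_ms / 1000.0
    return {
        "A": t1,           # initial INVITE retransmit interval over UDP (doubles each retransmit)
        "B": 64 * t1,      # INVITE transaction timeout: the 32 s the C Timeout row compares against
        "E": t1,           # initial non-INVITE retransmit interval over UDP
        "F": 64 * t1,      # non-INVITE transaction timeout
        "G": t1,           # initial INVITE response retransmit interval
        "H": 64 * t1,      # wait time for an ACK to a final response
        "J": 64 * t1,      # wait time for non-INVITE request retransmits over UDP
        "I": float(t4_s),  # wait time for ACK retransmits over UDP
        "K": float(t4_s),  # wait time for response retransmits over UDP
    }


def invite_retransmit_schedule(t1_ms: int = 500) -> List[float]:
    """Seconds at which a UDP client sends the INVITE and each retransmission.

    Timer A doubles after every send and the client gives up when timer B fires,
    so a larger T1 stretches the schedule but never changes the number of attempts."""
    timers = sip_timers(t1_ms)
    sends, elapsed, interval = [0.0], 0.0, timers["A"]
    while elapsed + interval < timers["B"]:
        elapsed += interval
        sends.append(elapsed)
        interval *= 2
    return sends
```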
