ALG Configuration Page Options

  1. Select Configure>Security>ALG.

    The ALG configuration page appears. Table 237 explains the contents of this page.

  2. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Reset—Resets your entries and returns to the main configuration page.

Table 237: ALG Configuration Options

Field

Function

Action

Main

Enable DNS

Provides an ALG for the domain name system. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates the packet is a reply message.

Select the check box to enable the ALG.

Enable FTP

Provides an ALG for File Transfer Protocol. The FTP ALG monitors PORT, PASV, and 227 commands. It performs Network Address Translation (NAT) on IP/port in the message and gate opening on the device as necessary. The FTP ALG supports FTP put and FTP get command blocking. When FTP_NO_PUT or FTP_NO_GET is set in the policy, the FTP ALG sends back a blocking command and closes the associated opened gate when it detects an FTP STOR or FTP RETR command.

Select the check box to enable the ALG.

Enable TFTP

Provides an ALG for Trivial File Transfer Protocol. The TFTP ALG processes TFTP packets that initiate a request and opens a gate to allow return packets from the reverse direction to the port that sends the request.

Select the check box to enable the ALG.

Enable PPTP

Provides an ALG for Point-to-Point Tunneling Protocol. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building VPNs.

Select the check box to enable the ALG.

Enable REAL

Provides an ALG for RealAudio and RealVideo protocol. The REAL ALG processes Progressive Networks Audio (PNA) packets over the TCP connection and looks for the control commands in the packet where the port number is embedded. It performs NAT and opens gates for the UDP data connection.

Select the check box to enable the ALG.

Enable MSRPC

Provides a method for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's Universal Unique IDentifier (UUID). The specific UUID is mapped to a transport address.

Select the check box to enable the ALG.

Enable SUNRPC

Provides a method for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

Select the check box to enable the ALG.

Enable RSH

Provides an ALG for the remote shell. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.

Select the check box to enable the ALG.

Enable RTSP

Provides an ALG for the Real-Time Streaming Protocol.

Select the check box to enable the ALG.

Enable SQL

Provides an ALG for Structured Query Language. The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet and looks for the (HOST=ipaddress), (PORT=port) pattern and performs NAT and gate opening on the client side for the TCP data channel.

Select the check box to enable the ALG.

Enable TALK

Provides an ALG for the TALK protocol. The TALK protocol uses UDP port 517 and port 518 for control-channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.

Select the check box to enable the ALG.

H323

Enable H323 ALG

Enables or disables the H.323 ALG.

Select the check box.

Application Screen

Message Flood Gatekeeper Threshold

Limits the rate per second at which remote access server (RAS) requests to the gatekeeper are processed. Messages exceeding the threshold are dropped. This feature is disabled by default.

Enter a value.

Action On Receiving Unknown Messages

Enable Permit NAT Applied

Specifies how unidentified H.323 (unsupported) messages are handled by the device. The default is to drop unknown messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown H.323 messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as though they are in route mode.)

Select the check box.

Endpoints

Timeout For Endpoint

Controls the duration of the entries in the NAT table.

Enter a value from 10 through 50,000 seconds.

Enable Permit Media From Any Source Port

Allows media traffic from any port number. By default, this feature is disabled. When enabled, the device allows a temporary opening, or pinhole, in the firewall as needed for media traffic.

Enter a value from 1 through 50,000 seconds.

 

MGCP

Enable MGCP

Enables or disables the Media Gateway Control Protocol.

Select the check box.

Inactive Media Timeout

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall MGCP ALG opened for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value from 10 through 2,550 seconds.

 

Maximum Call Duration

Sets the maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 7200 minutes.

Select a value from 3 through 7,200 minutes.

 

Transaction Timeout

Specifies a timeout value for MGCP transactions. A transaction is a signalling message, for example, a NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The device tracks these transactions and clears them when they time out.

Enter a value from 3 through 50 seconds.

Application Screen

Message Flood Threshold

Limits the rate per second at which message requests to the Media Gateway are processed. Messages exceeding the threshold are dropped by the Media Gateway Control Protocol (MGCP). This feature is disabled by default.

Enter a value from 2 through 50,000 seconds per media gateway.

Connection Flood Threshold

Limits the number of new connection requests allowed per Media Gateway (MG) per second. Messages exceeding the ALG.

Enter a value from 2 through 10,000.

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified MGCP messages are handled by the Juniper Networks device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown MGCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

Select the check box.

SCCP

Enable SCCP

Enables or disables the Skinny Client Control Protocol.

Select the check box.

Inactive Media Timeout

Indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the gates opened for media are closed.

Select a value from 10 through 600 seconds.

Application Screen

Call Flood Threshold

Protects SCCP ALG clients from flood attacks by limiting the number of calls they attempt to process

Select a value from 2 through 1,000.

Action On Receiving Unknown Messages

Enable Permit NAT Applied

Specifies how unidentified SCCP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SCCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

 

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as though they are in route mode.)

Select the check box.

SIP

Enable SIP

Enables or disables Session Initiation Protocol.

Select the check box.

Enable Retain Hold Resource

Enables or disables whether the device frees media resources for a SIP, even when a media stream is placed on hold. By default, media stream resources are released when the media stream is held.

Select the check box.

Maximum Call Duration

Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. The default setting is 720 minutes, the range is from 3 to 7200 minutes.

Select a value from 3 through 7,200 minutes.

 

C Timeout

Specifies the INVITE transaction timeout at the proxy, in minutes; the default is 3. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy.

Select a value from 3 through 10 minutes.

T4 Interval

Specifies the maximum time a message remains in the network. The default is 5 seconds; the range is 5 through 10 seconds. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers also are adjusted.

Select a value from 5 through 10 seconds.

 

Inactive Media Timeout

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall SIP ALG opened for media are closed. The default setting is 120 seconds; the range is 10 through 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value from 10 through 2,550 seconds.

 

T1 Interval

Specifies the roundtrip time estimate, in seconds, of a transaction between endpoints. The default is 500 milliseconds. Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted.

Select a value from 500 through 5,00 milliseconds.

 

Application Screen

SIP Invite Attack Table Entry Timeout

Specifies the time (in seconds) to make an attack table entry for each INVITE, which is listed in the application screen.

Enter a value from 1 through 3,600 seconds.

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified SIP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SIP messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

Select the check box.

Protect Options

Enable Attack Protection

Protects servers against INVITE attacks. Configures the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks.

Select All Servers or Selected Servers as the options.

Related Documentation