
Configuring Application Layer Gateways

Configuring Application Layer Gateways—Quick Configuration

You can use J-Web Quick Configuration to quickly enable or disable JUNOS Enhanced Services Application Layer Gateways (ALGs). All ALGs are enabled by default.

The ALG module is responsible for application-layer aware packet processing. ALG functionality can be triggered either by a service or by an application configured in the policy. ALGs for packets destined to well-known ports are triggered by service type. When a packet arrives at the Services Router, the flow module forwards the packet according to the security rule set in the policy. If a policy is found that permits the packet, the associated service type or application type is assigned and a session is created for this type of traffic. If a session is found for the packet, no policy rule match is needed. The ALG module is triggered if that particular service or application type requires the supported ALG processing.

The ALG also inspects the packet for embedded IP address and port information in the packet payload, and performs Network Address Translation (NAT) processing if necessary. The ALG also opens a gate for the IP address and port number to permit data exchange for the session. The control session and data session can be coupled to have the same timeout value, or they can be independent.

To enable or disable an ALG with Quick Configuration:

  1. Select Configuration > Quick Configuration > ALG > General ALG. The figure below shows the General ALG Quick Configuration page.

    Figure 75: General ALG Configuration Settings

  2. Check or uncheck a check box next to an ALG, described in the table below, then click one of the following buttons:

General ALG Configuration Settings (for each field, the Function column describes the ALG and the Action column describes what to do in the Quick Configuration page)

Multimedia Application Protocols

  REAL
    Function: Provides an ALG for the RealAudio and RealVideo protocols. The REAL ALG processes Progressive Networks Audio (PNA) packets over the TCP connection and looks for the control commands in the packet where the port number is embedded. It performs NAT and opens gates for the UDP data connection.
    Action: Check or uncheck a check box.

  RTSP
    Function: Provides an ALG for the Real-Time Streaming Protocol.
    Action: Check or uncheck a check box.

Basic Internet Protocols

  DNS
    Function: Provides an ALG for the Domain Name System. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates the packet is a reply message.
    Action: Check or uncheck a check box.

  FTP
    Function: Provides an ALG for the File Transfer Protocol. The FTP ALG monitors PORT, PASV, and 227 commands. It performs NAT of the IP address and port in the message and gate opening on the security device as necessary. The FTP ALG supports FTP put and FTP get command blocking. When FTP_NO_PUT or FTP_NO_GET is set in the policy, the FTP ALG sends back a blocking command and closes the associated opened gate when an FTP STOR or FTP RETR command is observed.
    Action: Check or uncheck a check box.

  TFTP
    Function: Provides an ALG for the Trivial File Transfer Protocol. The TFTP ALG processes the TFTP packet that initiates the request and opens a gate to allow return packets from the reverse direction to the port that sent the request.
    Action: Check or uncheck a check box.

  TALK
    Function: Provides an ALG for the TALK protocol. The TALK protocol uses UDP port 517 and port 518 for control channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.
    Action: Check or uncheck a check box.

  RSH
    Function: Provides an ALG for the Remote Shell. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.
    Action: Check or uncheck a check box.

  PPTP
    Function: Provides an ALG for the Point-to-Point Tunneling Protocol. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building Virtual Private Networks (VPNs).
    Action: Check or uncheck a check box.

Database and Network Support Protocols

  SQL
    Function: Provides an ALG for the Structured Query Language. The SQLNET ALG processes the SQL TNS response frame from the server side. It parses the packet, looks for the (HOST=ipaddress) and (PORT=port) pattern, and performs NAT and gate opening on the client side for the TCP data channel.
    Action: Check or uncheck a check box.
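The payload inspection described in the paragraph on NAT and gate opening above and in the FTP and SQL rows of the table, as an added Python example that is not part of the original documentation or of JUNOS: it extracts the endpoint embedded in an FTP PORT command or 227 reply and in a TNS (HOST=...)(PORT=...) frame, reports the gate an ALG would need to open for the data channel, and rewrites a PORT command for NAT. All function names and sample payloads are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# "h1,h2,h3,h4,p1,p2" form used by the FTP PORT command and the 227 reply.
_FTP_ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# (HOST=ipaddress)(PORT=port) pattern the SQLNET ALG looks for in a TNS frame.
_TNS_ADDR = re.compile(r"\(HOST=([\d.]+)\)\s*\(PORT=(\d+)\)")

Endpoint = Tuple[str, int]


def parse_ftp_endpoint(payload: str) -> Optional[Endpoint]:
    """Return (ip, port) embedded in a PORT command or 227 reply, or None."""
    m = _FTP_ADDR.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed: every field must fit in one byte
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_tns_endpoint(payload: str) -> Optional[Endpoint]:
    """Return (ip, port) from a TNS (HOST=...)(PORT=...) frame, or None."""
    m = _TNS_ADDR.search(payload)
    return (m.group(1), int(m.group(2))) if m else None


def gate_for(endpoint: Endpoint) -> Tuple[str, str, int]:
    """Describe the pinhole to open: both FTP and SQLNET data channels are TCP."""
    ip, port = endpoint
    return ("tcp", ip, port)


def nat_ftp_port_command(payload: str, public_ip: str, public_port: int) -> str:
    """Rewrite the address in a PORT command to the translated public endpoint."""
    octets = public_ip.replace(".", ",")
    translated = f"{octets},{public_port // 256},{public_port % 256}"
    return _FTP_ADDR.sub(translated, payload, count=1)


if __name__ == "__main__":
    # Constructed sample payloads.
    ep = parse_ftp_endpoint("227 Entering Passive Mode (192,168,1,20,195,80).\r\n")
    print(gate_for(ep))  # ('tcp', '192.168.1.20', 50000)
    print(nat_ftp_port_command("PORT 10,0,0,5,4,1\r\n", "203.0.113.9", 40000))
```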

