ALG for Logical Systems

An Application Layer Gateway (ALG) in logical systems enables the gateway to parse application layer payloads and make decisions about whether to allow or deny traffic to the application server. ALGs support applications such as File Transfer Protocol (FTP) and various IP protocols that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections. For more information, see the following topics:

Understanding Application Layer Gateway (ALG) in Logical Systems

The primary administrator can configure ALGs at the root level, and that configuration is inherited by all user logical systems. ALGs can also be configured discretely for individual user logical systems. The ALG status, however, is not inherited by user logical systems: a newly created logical system starts with the default status for each ALG. The FTP ALG can be enabled or disabled for a specific logical system. The ICMP ALG is enabled by default and cannot be disabled.

Note:

When an SRX Series Firewall is upgraded to Release 18.2, the ALG status in a logical system can differ from its status before the upgrade, which affects the ALG traffic in that logical system. For example, before the upgrade, the root administrator enables the H.323 ALG, so the H.323 ALG is also enabled in lsys1. After the upgrade to 18.2, the H.323 ALG status in lsys1 is disabled, because the default status of H.323 for a new logical system is disabled.

Note:

You can enable a particular ALG for only one specific logical system.

By default, the following ALGs are enabled on a root logical system:

  • DNS

  • FTP

  • MSRPC

  • PPTP

  • SUNRPC

  • TALK

  • TFTP

Starting in Junos OS Release 18.2R1, you can either enable or disable the ALGs configuration for each logical system individually, and view the status of the ALGs for all logical systems or specific logical system. All 12 data ALGs (DNS, FTP, TFTP, MSRPC, SUNRPC, PPTP, RSH, RTSP, TALK, SQL, IKE, and TWAMP) and four VOIP ALGs (SIP, H.323, MGCP, and SCCP) are supported on the logical systems.
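Because ALG status is not inherited and can change across an upgrade (see the note above), a practitioner will want to compare the per-logical-system ALG status before and after maintenance rather than assume it matches the root configuration. The following Python script is an added example, not code from Juniper or from this page: it parses text shaped like the output of show security alg status logical-system all, reports every ALG whose status changed, and lists ALGs that are enabled at root but disabled in a user logical system. The exact output layout (the "Logical system:" and "ALG Status :" lines, the ALG names, and the root logical system name) and both status samples are constructed for this example and may differ from what a real device prints.

```python
"""Detect ALG status drift across logical systems (added example; not Juniper code).

Input text approximates `show security alg status logical-system all`.
Both samples below are constructed for this example, not captured from a device.
"""
import re
from typing import Dict, List, Tuple

StatusMap = Dict[str, Dict[str, bool]]  # {logical system: {ALG name: enabled?}}

# Constructed pre-upgrade snapshot: H323 enabled at root and in lsys1.
BEFORE_UPGRADE = """\
Logical system: root-logical-system
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
Logical system: lsys1
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
"""

# Constructed post-upgrade snapshot: lsys1 fell back to the H323 default (Disabled).
AFTER_UPGRADE = """\
Logical system: root-logical-system
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
Logical system: lsys1
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Disabled
  MSRPC    : Enabled
  PPTP     : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
"""

LSYS_LINE = re.compile(r"^Logical system:\s*(\S+)")
# A single ALG line: name, colon, Enabled/Disabled. "ALG Status :" has a space
# in its label, so it does not match this pattern and is skipped.
ALG_LINE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(Enabled|Disabled)\s*$")


def parse_alg_status(text: str) -> StatusMap:
    """Build {logical system: {ALG: enabled?}} from show-command style text."""
    status: StatusMap = {}
    current = None
    for line in text.splitlines():
        m = LSYS_LINE.match(line)
        if m:
            current = m.group(1)
            status.setdefault(current, {})
            continue
        m = ALG_LINE.match(line)
        if m and current is not None:
            status[current][m.group(1).upper()] = m.group(2) == "Enabled"
    return status


def alg_drift(before: StatusMap, after: StatusMap) -> Dict[str, Dict[str, Tuple[bool, bool]]]:
    """Return {lsys: {ALG: (old, new)}} for every ALG whose status changed."""
    drift: Dict[str, Dict[str, Tuple[bool, bool]]] = {}
    for lsys, algs in after.items():
        old = before.get(lsys, {})
        for alg, enabled in algs.items():
            if alg in old and old[alg] != enabled:
                drift.setdefault(lsys, {})[alg] = (old[alg], enabled)
    return drift


def disabled_below_root(status: StatusMap, root: str = "root-logical-system") -> Dict[str, List[str]]:
    """List ALGs enabled at root but disabled in each user logical system."""
    root_algs = status.get(root, {})
    gaps: Dict[str, List[str]] = {}
    for lsys, algs in status.items():
        if lsys == root:
            continue
        missing = sorted(a for a, on in algs.items() if root_algs.get(a) and not on)
        if missing:
            gaps[lsys] = missing
    return gaps


if __name__ == "__main__":
    before, after = parse_alg_status(BEFORE_UPGRADE), parse_alg_status(AFTER_UPGRADE)
    for lsys, changes in alg_drift(before, after).items():
        for alg, (old, new) in changes.items():
            print(f"{lsys}: {alg} changed from {'Enabled' if old else 'Disabled'} "
                  f"to {'Enabled' if new else 'Disabled'}")
    for lsys, algs in disabled_below_root(after).items():
        print(f"{lsys}: enabled at root but disabled here: {', '.join(algs)}")
```

Run it against a snapshot saved before the upgrade and the output captured afterwards; a non-empty drift or root-gap report is the cue to revisit the per-logical-system ALG configuration rather than relying on root-level inheritance.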

Enabling and Disabling ALG for Logical System

This topic shows how to enable or disable the ALG status for each logical system.

  1. By default, the IKE ALG is disabled on the logical system. To enable this ALG, use the following command.
    • Enable IKE and ESP ALG with NAT.

  2. By default, the DNS, FTP, PPTP, SIP, SUNRPC and TWAMP ALGs are enabled on the logical system. To disable these ALGs, use the following commands.
    • Disable DNS ALG.

    • Disable FTP ALG.

    • Disable H323 ALG.

    • Disable MGCP ALG.

    • Disable MSRPC ALG.

    • Disable PPTP ALG.

    • Disable RSH ALG.

    • Disable RTSP ALG.

    • Disable SCCP ALG.

    • Disable SIP ALG.

    • Disable SQL ALG.

    • Disable SUNRPC ALG.

    • Disable TALK ALG.

    • Disable TFTP ALG.

  3. Configure ALG functions in logical systems.
    • Configure DNS ALG.

    • Configure FTP ALG.

    • Configure H323 ALG.

    • Configure IKE and ESP ALG with NAT.

    • Configure MGCP ALG.

    • Configure MSRPC ALG.

    • Configure PPTP ALG.

    • Configure RSH ALG.

    • Configure RTSP ALG.

    • Configure SCCP ALG.

    • Configure SIP ALG.

    • Configure SQL ALG.

    • Configure SUNRPC ALG.

    • Configure TALK ALG.

    • Configure TFTP ALG.

    • Configure TWAMP ALG.

    • Configure extended function for FTP ALG.

    • Configure extended function for MSRPC ALG.

    • Configure extended function for SUNRPC ALG.

    • Configure extended function for SIP ALG.

Example: Enabling FTP ALG in a Logical System

This example shows how to enable or disable the FTP ALG in a logical system, so that traffic is handled according to that logical system's own FTP ALG configuration.

Requirements

Before you begin:

Overview

In this example, the ALG for FTP is configured to monitor and allow FTP traffic to be exchanged between the clients and the server on a logical system.

By default, the FTP ALG is enabled on the logical system.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring FTP ALG in a Logical System

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an ALG in a user logical system:

  1. Configure a security profile.

  2. Configure the primary logical system.

    Step-by-Step Procedure
    1. Create the primary logical system.

    2. Configure interfaces for the primary logical system, and configure logical tunnel interfaces and routing instances for LSYS0.

    3. Configure a security profile p1 and assign it to the root logical system LSYS0.

  3. Configure a user logical system.

    Step-by-Step Procedure

    1. Create the user logical system LSYS1.

    2. Configure the user logical system interfaces and logical tunnel interfaces to carry traffic within the logical system.

    3. Assign a security profile p1 to LSYS1.

    4. Configure security zones and assign interfaces to each zone.

  4. Configure a security policy that permits FTP traffic from the LSYS1_tzone to LSYS1_utzone.

Results

From configuration mode, confirm the configuration for LSYS0 and LSYS1 by entering the show logical-systems command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verify ALG status for user logical system

Purpose

Verify that the ALG status for FTP is Enabled.

Action

To verify the configuration is working properly, enter the show security alg status logical-system LSYS1 command.

Meaning

The output displays the FTP ALG status as Enabled for the logical system LSYS1.

Verify ALG status for all the logical systems

Purpose

Verify the ALG status for all the logical systems on the device.

Action

To verify the configuration is working properly, enter the show security alg status logical-system all command.

Meaning

The output displays the ALG status for all the logical systems on the device.

Verifying Intra-Logical System Traffic on a Logical System

Purpose

Verify the information about active resources, clients, groups, and sessions created through the resource manager.

Action

From operational mode, enter the show security resource-manager summary command.

Meaning

The output displays summary information about active resources, clients, groups, and sessions created through the resource manager.