ALG for Logical Systems
An Application Layer Gateway (ALG) in logical systems enables the gateway to parse application layer payloads and decide whether to allow or deny traffic to the application server. ALGs support applications such as File Transfer Protocol (FTP) and other IP protocols that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections. For more information, see the following topics:
Understanding Application Layer Gateway (ALG) in Logical Systems
The primary administrator can configure ALGs at the root level. The configuration is inherited by all user logical systems. ALGs can also be configured discretely for user logical systems. The ALG status, however, is not inherited by user logical systems: a newly created logical system starts with the default status for each ALG. The FTP ALG can be enabled or disabled for a specific logical system. The ICMP ALG is enabled by default and cannot be disabled.
When an SRX Series Firewall is upgraded to Junos OS Release 18.2, the ALG status in a logical system can differ from its status before the upgrade, which affects the ALG traffic in that logical system. For example, before the upgrade the H.323 ALG is enabled at the root level, so the H.323 ALG is also enabled in lsys1. After the upgrade to 18.2, the H.323 ALG status in lsys1 is Disabled, because Disabled is the default status of H.323 for a new logical system. After upgrading, check the ALG status of every logical system and re-enable any ALG whose traffic the logical system depends on.
You can enable a particular ALG for only one specific logical system.
By default, the following ALGs are enabled on a root logical system:
DNS
FTP
MSRPC
PPTP
SUNRPC
TALK
TFTP
Starting in Junos OS Release 18.2R1, you can enable or disable ALGs for each logical system individually, and view the ALG status for all logical systems or for a specific logical system. All 12 data ALGs (DNS, FTP, TFTP, MSRPC, SUNRPC, PPTP, RSH, RTSP, TALK, SQL, IKE, and TWAMP) and the four VoIP ALGs (SIP, H.323, MGCP, and SCCP) are supported on logical systems.
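Because ALG status is not inherited and can change on upgrade, the practical check is to capture show security alg status logical-system all and compare every logical system against the root level. The following Python script is an added example, not part of this page or of Junos OS: it parses the captured text and reports ALGs whose state in a user logical system differs from the root logical system, and lists the logical systems that lost an ALG that is enabled at root. The sample output is constructed: root-logical-system, LSYS1 and LSYS0 are trimmed copies of the verification output later on this page, and LSYS2 has been altered (FTP disabled, H323 enabled) to exercise the checks. The name root-logical-system is taken from that output; the regular expressions assume the "NAME : Enabled|Disabled" line format shown there.

```python
"""Compare per-logical-system ALG status against the root logical system.

Input is the text of 'show security alg status logical-system all' as
captured from the CLI. Added example; not Junos OS code.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample. root-logical-system, LSYS1 and LSYS0 are trimmed from
# the verification output on this page; LSYS2 is altered (FTP Disabled,
# H323 Enabled) so that the checks below have something to report.
SAMPLE_OUTPUT = """\
Logical system: root-logical-system
ALG Status:
  DNS : Enabled
  FTP : Enabled
  H323 : Disabled
  SIP : Disabled
  IKE-ESP : Disabled
Logical system: LSYS1
ALG Status:
  DNS : Enabled
  FTP : Enabled
  H323 : Disabled
  SIP : Enabled
  IKE-ESP : Disabled
Logical system: LSYS2
ALG Status:
  DNS : Enabled
  FTP : Disabled
  H323 : Enabled
  SIP : Enabled
  IKE-ESP : Disabled
Logical system: LSYS0
ALG Status:
  DNS : Enabled
  FTP : Enabled
  H323 : Disabled
  SIP : Disabled
  IKE-ESP : Disabled
"""

ROOT = "root-logical-system"  # name as printed by the show command
LSYS_RE = re.compile(r"^Logical system:\s*(\S+)\s*$")
ALG_RE = re.compile(r"^\s*([A-Z0-9-]+)\s*:\s*(Enabled|Disabled)\s*$")

AlgTable = Dict[str, Dict[str, bool]]


def parse_alg_status(text: str) -> AlgTable:
    """Return {logical_system: {alg: True if Enabled}} from the show output."""
    table: AlgTable = {}
    current = None
    for line in text.splitlines():
        m = LSYS_RE.match(line)
        if m:  # start of a new logical system block
            current = m.group(1)
            table[current] = {}
            continue
        m = ALG_RE.match(line)
        if m and current is not None:  # "ALG Status:" itself does not match
            table[current][m.group(1)] = m.group(2) == "Enabled"
    return table


def alg_drift(table: AlgTable, root: str = ROOT) -> Dict[str, Dict[str, Tuple[bool, bool]]]:
    """ALGs whose state in a user logical system differs from the root level.

    Returns {lsys: {alg: (root_enabled, lsys_enabled)}}; logical systems
    identical to root are omitted.
    """
    base = table[root]
    drift: Dict[str, Dict[str, Tuple[bool, bool]]] = {}
    for lsys, algs in table.items():
        if lsys == root:
            continue
        diffs = {alg: (base[alg], on) for alg, on in algs.items()
                 if alg in base and base[alg] != on}
        if diffs:
            drift[lsys] = diffs
    return drift


def lsys_lost_alg(table: AlgTable, alg: str, root: str = ROOT) -> List[str]:
    """Logical systems where `alg` is Enabled at root but Disabled or absent
    in the logical system: the post-upgrade condition described above."""
    if not table.get(root, {}).get(alg, False):
        return []
    return sorted(lsys for lsys, algs in table.items()
                  if lsys != root and not algs.get(alg, False))


if __name__ == "__main__":
    table = parse_alg_status(SAMPLE_OUTPUT)
    for lsys, diffs in alg_drift(table).items():
        for alg, (root_on, lsys_on) in diffs.items():
            print(f"{lsys}: {alg} root={'Enabled' if root_on else 'Disabled'} "
                  f"lsys={'Enabled' if lsys_on else 'Disabled'}")
    print("FTP lost in:", lsys_lost_alg(table, "FTP"))
```

Run it against a real capture by replacing SAMPLE_OUTPUT with the saved output of show security alg status logical-system all | no-more; a difference is not necessarily an error (SIP enabled only in LSYS1 may be intended), but an ALG that is enabled at root and disabled in a logical system after an upgrade is the case the note above warns about.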
Enabling and Disabling ALG for Logical System
This topic shows how to enable or disable the ALG status for each logical system.
Example: Enabling FTP ALG in a Logical System
This example shows how to enable or disable the FTP ALG in a logical system, so that FTP traffic in that logical system is handled according to the logical system's own ALG configuration rather than the root-level setting.
Requirements
Before you begin:
Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.
Overview
In this example, the ALG for FTP is configured to monitor and allow FTP traffic to be exchanged between the clients and the server on a logical system.
By default, the FTP ALG is enabled on the logical system.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system security-profile p1 policy maximum 100
set system security-profile p1 policy reserved 50
set system security-profile p1 zone maximum 100
set system security-profile p1 zone reserved 50
set system security-profile p1 flow-session maximum 6291456
set system security-profile p1 flow-session reserved 50
set system security-profile p1 flow-gate maximum 524288
set system security-profile p1 flow-gate reserved 50
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems LSYS0 routing-instances vr0 instance-type vpls
set logical-systems LSYS0 routing-instances vr0 interface lt-0/0/0.0
set system security-profile p1 logical-system LSYS0
set system security-profile p1 logical-system LSYS1
set logical-systems LSYS1 interfaces lt-0/0/0 unit 1 encapsulation ethernet
set logical-systems LSYS1 interfaces lt-0/0/0 unit 1 peer-unit 0
set logical-systems LSYS1 interfaces lt-0/0/0 unit 1 family inet address 10.0.0.0/8
set logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet address 198.51.100.0/24
set logical-systems LSYS1 interfaces ge-0/0/1 unit 0 family inet address 203.0.113.0/24
set logical-systems LSYS1 security zones security-zone LSYS1_tzone host-inbound-traffic system-services all
set logical-systems LSYS1 security zones security-zone LSYS1_tzone host-inbound-traffic protocols all
set logical-systems LSYS1 security zones security-zone LSYS1_tzone interfaces ge-0/0/0
set logical-systems LSYS1 security zones security-zone LSYS1_utzone host-inbound-traffic system-services all
set logical-systems LSYS1 security zones security-zone LSYS1_utzone host-inbound-traffic protocols all
set logical-systems LSYS1 security zones security-zone LSYS1_utzone interfaces ge-0/0/1
set logical-systems LSYS1 security policies from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match source-address any
set logical-systems LSYS1 security policies from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match destination-address any
set logical-systems LSYS1 security policies from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match application junos-ftp
set logical-systems LSYS1 security policies from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match application junos-ping
set logical-systems LSYS1 security policies from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 then permit
set logical-systems LSYS1 security policies default-policy deny-all
Configuring FTP ALG in a Logical System
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure an ALG in a user logical system:
Configure a security profile.
[edit system security-profile]
user@host# set p1 policy maximum 100
user@host# set p1 policy reserved 50
user@host# set p1 zone maximum 100
user@host# set p1 zone reserved 50
user@host# set p1 flow-session maximum 6291456
user@host# set p1 flow-session reserved 50
user@host# set p1 flow-gate maximum 524288
user@host# set p1 flow-gate reserved 50
Configure the primary logical system.
Step-by-Step Procedure
Create the primary logical system LSYS0 and the user logical system LSYS1.
[edit logical-systems]
user@host# set LSYS0
user@host# set LSYS1
Configure the logical tunnel interface and the VPLS routing instance for the primary logical system LSYS0. These statements belong under the logical system's own hierarchy, not under the root [edit interfaces] level.
[edit logical-systems LSYS0]
user@host# set interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
user@host# set interfaces lt-0/0/0 unit 0 peer-unit 1
user@host# set routing-instances vr0 instance-type vpls
user@host# set routing-instances vr0 interface lt-0/0/0.0
Assign the security profile p1 (created in Step 1) to the primary logical system LSYS0.
[edit system security-profile]
user@host# set p1 logical-system LSYS0
Configure a user logical system.
Step-by-Step Procedure
Create the user logical system LSYS1
[edit logical-systems]
user@host# set LSYS1
Configure the physical interfaces of the user logical system and the logical tunnel interface that carries traffic between LSYS1 and LSYS0.
[edit logical-systems LSYS1]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.0/24
user@host# set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.0/24
user@host# set interfaces lt-0/0/0 unit 1 encapsulation ethernet
user@host# set interfaces lt-0/0/0 unit 1 peer-unit 0
user@host# set interfaces lt-0/0/0 unit 1 family inet address 10.0.0.0/8
Assign the security profile p1 to LSYS1.
[edit system security-profile]
user@host# set p1 logical-system LSYS1
Configure security zones in LSYS1 and assign an interface to each zone.
[edit logical-systems LSYS1 security zones]
user@host# set security-zone LSYS1_tzone host-inbound-traffic system-services all
user@host# set security-zone LSYS1_tzone host-inbound-traffic protocols all
user@host# set security-zone LSYS1_tzone interfaces ge-0/0/0
user@host# set security-zone LSYS1_utzone host-inbound-traffic system-services all
user@host# set security-zone LSYS1_utzone host-inbound-traffic protocols all
user@host# set security-zone LSYS1_utzone interfaces ge-0/0/1
Configure a security policy that permits FTP (and ping) traffic from LSYS1_tzone to LSYS1_utzone, and deny everything else by default.
[edit logical-systems LSYS1 security policies]
user@host# set from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match source-address any
user@host# set from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match destination-address any
user@host# set from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match application junos-ftp
user@host# set from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 match application junos-ping
user@host# set from-zone LSYS1_tzone to-zone LSYS1_utzone policy p11 then permit
user@host# set default-policy deny-all
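The steps above build the policy that matches junos-ftp but do not show the per-logical-system ALG statement itself. The fragment below is an added example, not taken from this page. It uses the disable statement that exists under [edit security alg ftp] at the root level and assumes, as the Results output's security { alg { ftp; } } container under LSYS1 suggests, that the same statement is accepted under [edit logical-systems LSYS1 security alg]. The ## lines are reader comments, not CLI input. Confirm the statement against the configuration statement reference for your release before relying on it.

```junos
## Added example: disable the FTP ALG in LSYS1 only. The root level and the
## other logical systems keep their own FTP ALG status.
[edit]
user@host# set logical-systems LSYS1 security alg ftp disable
user@host# commit

## Re-enable it by deleting the disable statement and committing again.
user@host# delete logical-systems LSYS1 security alg ftp disable
user@host# commit

## Check the result for this logical system without leaving configuration mode.
user@host# run show security alg status logical-system LSYS1
```

Disabling the ALG does not remove the junos-ftp policy match: control connections on TCP port 21 still pass, but the dynamic data connections the ALG would have opened pinholes for are no longer permitted, which is the behaviour to expect when troubleshooting after an ALG status change.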
Results
From configuration mode, confirm the configuration for LSYS0 and LSYS1 by entering the show logical-systems LSYS0 and show logical-systems LSYS1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show logical-systems LSYS0
interfaces {
    lt-0/0/0 {
        unit 0 {
            encapsulation ethernet-vpls;
            peer-unit 1;
        }
        unit 2 {
            encapsulation ethernet-vpls;
            peer-unit 3;
        }
    }
}
routing-instances {
    vr0 {
        instance-type vpls;
        interface lt-0/0/0.0;
        interface lt-0/0/0.2;
    }
}
user@host# show logical-systems LSYS1
interfaces {
    lt-0/0/0 {
        unit 1 {
            encapsulation ethernet;
            peer-unit 0;
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
    reth0 {
        unit 0 {
            family inet {
                address 198.51.100.0/24;
            }
        }
    }
}
security {
    alg {
        ftp;
    }
    policies {
        from-zone LSYS1_tzone to-zone LSYS1_utzone {
            policy P11 {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ping junos-ftp ];
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone LSYS1_tzone {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone LSYS1_utzone {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lt-0/0/0.1;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verify ALG status for user logical system
- Verify ALG status for all the logical systems
- Verifying Intra-Logical System Traffic on a Logical System
Verify ALG status for user logical system
Purpose
Verify that the ALG status for FTP in the user logical system is Enabled.
Action
To verify the configuration is working properly, enter the show security alg status logical-system LSYS1 command.
user@host> show security alg status logical-system LSYS1
ALG Status:
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
TWAMP : Disabled
Meaning
The output displays the ALG status of logical system LSYS1, with FTP shown as Enabled. Only the status of LSYS1 is shown; other logical systems may differ.
Verify ALG status for all the logical systems
Purpose
Verify the ALG status for all the logical systems on the device.
Action
To verify the configuration is working properly, enter the show security alg status logical-system all command.
user@host> show security alg status logical-system all
Logical system: root-logical-system
ALG Status:
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Disabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
TWAMP : Disabled
Logical system: LSYS3
ALG Status:
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
TWAMP : Disabled
Logical system: LSYS1
ALG Status:
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
TWAMP : Disabled
Logical system: LSYS2
ALG Status:
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
TWAMP : Disabled
Logical system: LSYS0
ALG Status:
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Disabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
TWAMP : Disabled
Meaning
The output displays the ALG status for every logical system on the device, starting with the root logical system. Note that the status is per logical system: in this output SIP is Disabled at the root level and in LSYS0 but Enabled in LSYS1, LSYS2, and LSYS3.
Verifying Intra-Logical System Traffic on a Logical System
Purpose
Verify the information about active resources, clients, groups, and sessions created through the resource manager.
Action
From operational mode, enter the show security resource-manager summary command.
user@host> show security resource-manager summary
Active resource-manager clients : 16
Active resource-manager groups : 3
Active resource-manager resources : 26
Active resource-manager sessions : 4
Meaning
The output displays summary information about active resources, clients, groups, and sessions created through the resource manager.