ALG for Tenant Systems
An Application Layer Gateway (ALG) in tenant systems enables the gateway to parse application layer payloads and take decisions whether to allow or deny traffic to the application server. ALGs supports the applications such as Transfer Protocol (FTP) and various IP protocols that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections. For more information, see the following topics:
Understanding ALG Support for Tenant System
An Application Layer Gateway (ALG) enables the gateway to parse application layer payloads and take decisions whether to allow or deny traffic to the application server.
Starting in Junos OS Release 18.3R1, the ALG feature supported on logical systems is now extended on tenants systems.
The tenant systems administrator can configure the ALG features for the tenant systems. The primary administrator can configure the ALG features and display the ALG information for all tenants. The tenant systems administrator can only apply configurations and display information in its own tenant.
Each tenant system displays the ALG counters to monitor the
traffic. For example, use commands show security alg sip counters
tenants TN1 to get SIP counters in tenant systems and show
security alg sip counters tenants all to get SIP counters in
all existing tenant systems.
Enabling the security log for the tenant generates the ALG logs per tenant.
When you upgrade to Junos OS Release 18.3R1, the ALG status for each tenant system might be different depending on the default configuration or configuration in a release prior to Junos OS Release 18.3R1. We recommend you to change the ALG configurations for tenant systems as per your requirements after an upgrade to latest Junos OS version.
Enabling and Disabling ALG for Tenant System
This topic shows how to enable or disable the ALG status for each tenant system.
Example: Configuring ALG in Tenant System
This example shows how to configure ALGs in tenant system and send traffic based on FTP ALG configuration of the tenant system individually.
Requirements
This example uses the following hardware and software components:
An SRX device
Junos OS Release 18.3R1
Before you begin:
Read the ALG Support for Tenant System to understand how and where this procedure fits in the overall tenant support for ALGs.
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, the ALG for FTP is configured to monitor and allow FTP traffic to be exchanged between the clients and the server on a tenant system.
By default, the FTP ALG is enabled on the tenant system.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set system security-profile p1 policy maximum 100 set system security-profile p1 policy reserved 50 set system security-profile p1 zone maximum 100 set system security-profile p1 zone reserved 50 set system security-profile p1 flow-session maximum 6291456 set system security-profile p1 flow-session reserved 50 set system security-profile p1 flow-gate maximum 524288 set system security-profile p1 flow-gate reserved 50 set tenants TN1 routing-instances VR_TN1 instance-type vpls set tenants TN1 routing-instances VR_TN1 interface lt-0/0/0.0 set system security-profile p1 tenant TN1 set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic system-services all set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic protocols all set tenants TN1 security zones security-zone TN1_Czone interfaces ge-0/0/0 set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic system-services all set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic protocols all set tenants TN1 security zones security-zone TN1_Szone interfaces ge-0/0/1 set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match source-address any set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match destination-address any set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ftp set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ping set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 then permit set tenants TN1 security policies default-policy deny-all
Configuring FTP ALG in a Tenant System
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure an ALG on a tenant system:
Configure a security profile p1 for tenant.
[edit] set system security-profile p1 policy maximum 100 set system security-profile p1 policy reserved 50 set system security-profile p1 zone maximum 100 set system security-profile p1 zone reserved 50 set system security-profile p1 flow-session maximum 6291456 set system security-profile p1 flow-session reserved 50 set system security-profile p1 flow-gate maximum 524288 set system security-profile p1 flow-gate reserved 50
Configure interfaces and routing instances to the TN1.
[edit] user@host# set tenants TN1 routing-instances VR_TN1 instance-type vpls user@host# set tenants TN1 routing-instances VR_TN1 interface lt-0/0/0.0
Configure a security profile p1 and assign it to the tenant system TN1.
[edit] user@host# set system security-profile p1 tenant TN1
Configure security zones and assign interfaces to each zone.
[edit] user@host# set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic system-services all user@host# set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic protocols all user@host# set tenants TN1 security zones security-zone TN1_Czone interfaces ge-0/0/0 user@host# set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic system-services all user@host# set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic protocols all user@host# set tenants TN1 security zones security-zone TN1_Szone interfaces ge-0/0/1
Configure a security policy that permits FTP traffic from the TN1_Czone to-zone TN1_Szone.
[edit] user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match source-address any user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match destination-address any user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ftp user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ping user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 then permit user@host# set tenants TN1 security policies default-policy deny-all
Results
From configuration mode, confirm your configuration
by entering the show tenants TN1 command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
user@host# show tenants TN1
routing-instances {
VR_TN1 {
instance-type vpls;
interface lt-0/0/0.0;
}
}
security {
policies {
from-zone TN1_Czone to-zone TN1_Szone {
policy p11 {
match {
source-address any;
destination-address any;
application [ junos-ftp junos-ping ];
}
then {
permit;
}
}
}
default-policy {
deny-all;
}
}
zones {
security-zone TN1_Czone {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone TN1_Szone {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Intra-Tenant System traffic on ALG
Purpose
Verify the information about active resources, clients, groups, and sessions created through the resource manager.
Action
From operational mode, enter the show security
resource-manager summary command.
user@host> show security resource-manager summary Active resource-manager clients : 0 Active resource-manager groups : 0 Active resource-manager resources : 0 Active resource-manager sessions : 0
Meaning
The output displays summary information about active resources, clients, groups, and sessions created through the resource manager.
Verify ALG status for Tenant System
Purpose
Verify the ALG status for tenant on the device.
Action
To verify the configuration is working properly, enter
the show security alg status tenant TN1 command.
user@host>show security alg status tenant TN1 ALG Status: DNS : Enabled FTP : Enabled H323 : Disabled MGCP : Disabled MSRPC : Enabled PPTP : Enabled RSH : Disabled RTSP : Disabled SCCP : Disabled SIP : Disabled SQL : Disabled SUNRPC : Enabled TALK : Enabled TFTP : Enabled IKE-ESP : Disabled TWAMP : Disabled
Meaning
The output display the alg status for FTP Enabled for the tenant system TN1.