Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

About the ALG Page

You are here: Security Services > ALG.

Use this page to configure Application Layer Gateway (ALG).

Field Descriptions

Table 1 describes the fields on the ALG page.

Once the configuration is complete, click OK to save the changes or click Reset to revert back the changes.

Table 1: Fields on the ALG Page

Field

Description

Main

Enable PPTP

Select the check box to enable the Point-to-Point Tunneling Protocol (PPTP) for ALG.

PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building VPNs.

Enable RSH

Select the check box to enable RSH for ALG.

The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.

Enable RTSP

Select the check box to enable the Real-Time Streaming Protocol (RTSP) for ALG.

Enable SQL

Select the check box to enable Structured Query Language (SQL) for ALG.

The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet and looks for the (HOST=ipaddress), (PORT=port) pattern and performs NAT and gate opening on the client side for the TCP data channel.

Enable TALK

Select the check box to enable the TALK protocol for ALG.

The TALK protocol uses UDP port 517 and port 518 for control-channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.

Enable TFTP

Select the check box to enable the Trivial File Transfer Protocol (TFTP) for ALG.

The TFTP ALG processes TFTP packets that initiate a request and opens a gate to allow return packets from the reverse direction to the port that sends the request.

DNS

Enable DNS

Select the check box to enable the domain name system (DNS) for ALG.

The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates the packet is a reply message.

Doctoring

Select one of the following options:

  • Sanity Check—Performs only DNS ALG sanity checks.

  • None—Disables all DNS ALG doctoring.

Maximum Message length

Select a number to specify the maximum DNS message length.

Range: 512 through 8192 bytes.

Enable Oversize message drop.

Select the check box to enable oversize message drop.

FTP

Enable FTP

Select the check box to enable the File Transfer Protocol (FTP) for ALG.

The FTP ALG monitors PORT, PASV, and 227 commands. It performs Network Address Translation (NAT) on IP/port in the message and gate opening on the device as necessary. The FTP ALG supports FTP put and FTP get command blocking. When FTP_NO_PUT or FTP_NO_GET is set in the policy, the FTP ALG sends back a blocking command and closes the associated opened gate when it detects an FTP STOR or FTP RETR command.

Enable allow mismatch IP address

Select the check box to allow any mismatch in IP address.

Enable FTPs Extension

Select the check box to enable secure FTP and FTP SSL protocols.

Enable line Break Extension

Select the check box to enable line-break-extension.

This option will enable the FTP ALG to recognize the LF as line break in addition to the standard CR+LF (carriage return, followed by line feed).

H323

Enable H323

Select the check box to enable the H.323 ALG.

Application Screen

Specify the security screens for the H.323 protocol ALG.

Enter the following details:

  • Message Flood Gatekeeper Threshold—Enter a value. The value range is 1 to 50000 messages per second.

    Limits the rate per second at which remote access server (RAS) requests to the gatekeeper are processed. Messages exceeding the threshold are dropped. This feature is disabled by default.

  • Action on receiving unknown message:

    • Enable Permit NAT Applied—Select the check box to specify how unidentified H.323 (unsupported) messages are handled by the device.

      The default is to drop unknown messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown H.323 messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

      This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

    • Enable Permit Routed—Select the check box to specify that unknown messages be allowed to pass if the session is in route mode.

      Sessions in transparent mode are treated as though they are in route mode.

DSCP Code Rewrite

Code Point—Select a 6-bit string from the list.

Specifies a rewrite-rule for the traffic that passes through a voice over IP Application Layer Gateway (VoIP ALG). The value of code point is in binary format.

The VoIP rewrite rules modifies the appropriate class of service (CoS) bits in an outgoing packet through Differentiated Services Code Point (DSCP) mechanism that improves the VoIP quality in a congested network.

Endpoints

Enter the following details:

  • Timeout For Endpoint—Enter a timeout value in seconds for entries in the NAT table.

    Range: 10 through 50,000 seconds

    Controls the duration of the entries in the NAT table.

  • Enable Permit Media From Any Source Port—Select this option to allow media traffic from any port number.

IKE-ESP

Enable IKE-ESP

Select the check box to enable IKE-ESP.

ESP Gate Timeout (sec)

Select the gate timeout from 2 to 30 seconds.

ESP Session Timeout (sec)

Select the ESP timeout session from 60 to 2400 seconds.

ALG State Timeout (Sec)

Select the ALG state time out from 180 to 86400 sec.

MGCP

Enable MGCP

Select the check box to enable the Media Gateway Control Protocol (MGCP).

Inactive Media Timeout

Select a value to specify the maximum amount of time that the temporary openings in the firewall (pinholes) remain open for media if no activity is detected. range is from 10 through 2,550 seconds.

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall MGCP ALG opened for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Maximum Call Duration

Select a value from 3 through 720 minutes.

Sets the maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 720 minutes.

Transaction Timeout

Enter a value from 3 through 50 seconds to specify

Specifies a timeout value for MGCP transactions. A transaction is a signaling message, for example, a NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The device tracks these transactions and clears them when they time out.

Application Screen

Enter the following details:

  • Message Flood Threshold—Enter a value from 2 through 50,000 seconds per media gateway.

    Limits the rate per second at which message requests to the Media Gateway are processed. Messages exceeding the threshold are dropped by the Media Gateway Control Protocol (MGCP). This feature is disabled by default.

  • Connection Flood Threshold—Enter a value from 2 through 10,000.

    Limits the number of new connection requests allowed per Media Gateway (MG) per second. Messages exceeding the ALG.

  • Action On Receiving Unknown Message—Enter any of the following:

    • Enable Permit NAT Applied—Select the check box to specify how unidentified MGCP messages are handled by the Juniper Networks device.

      The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown MGCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

    • Enable Permit Routed—Select the check box.

      Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

DSCP Code Rewrite

Specifies a code-point alias or bit set to apply to a forwarding class for a rewrite rule.

Code Point—Enter a six-bit DSCP code point value.

MSRPC

Enable MSRPC

Select the check box to enable the MSRPC.

Provides a method for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's Universal Unique IDentifier (UUID). The specific UUID is mapped to a transport address.

Maximum Group Usage (%)

Select the group usage % from 10 to 100%.

Map Entry Timeout (min)

Select the map entry timeout session from 5 to 4320 minutes.

SCCP

Enable SCCP

Select the check box to enable the Skinny Client Control Protocol.

Inactive Media Timeout

Select a value from 10 through 600 seconds.

Indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the gates opened for media are closed.

Application Screen

Call Flood Threshold—Select a value from 2 through 1,000.

Protects SCCP ALG clients from flood attacks by limiting the number of calls they attempt to process.

Action On Receiving Unknown Messages

  • Enable Permit NAT Applied—Select the check box.

    Specifies how unidentified SCCP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SCCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

    This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

  • Enable Permit Routed—Select the check box.

    Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as though they are in route mode.)

DSCP Code Rewrite

Code Point—Enter a six-bit DSCP code point value.

SIP

Enable SIP

Select the check box to enable Session Initiation Protocol (SIP).

Enable Retain Hold Resource

Select the check box to enable whether the device frees media resources for a SIP, even when a media stream is placed on hold.

By default, media stream resources are released when the media stream is held.

Maximum Call Duration

Select a value from 3 through 720 minutes.

Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. The default setting is 720 minutes, the range is from 3 to 720 minutes.

C Timeout

Select a value from 3 through 10 minutes.

Specifies the INVITE transaction timeout at the proxy, in minutes; the default is 3. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy.

T4 Interval

Select a value from 5 through 10 seconds.

Specifies the maximum time a message remains in the network. The default is 5 seconds; the range is 5 through 10 seconds. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers also are adjusted.

Inactive Media Timeout

Select a value from 10 through 2,550 seconds.

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall SIP ALG opened for media are closed. The default setting is 120 seconds; the range is 10 through 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

T1 Interval

Select a value from 500 through 5000 milliseconds.

Specifies the round-trip time estimate, in seconds, of a transaction between endpoints. The default is 500 milliseconds. Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted.

Application Screen

Action On Receiving Unknown Message:

  • Enable Permit NAT Applied—Select the check box to enable handling unidentified SIP messages by the device.

    This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

  • Enable Permit Routed—Select the check box to enable to allow unknown messages to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

Protect Options

  • SIP Invite Attack Table Entry Timeout—Enter a value from 1 through 3,600 seconds.

    Specifies the time (in seconds) to make an attack table entry for each INVITE, which is listed in the application screen.

  • Enable Attack Protection—Select one of the options: All Servers, Selected Servers, or None.

    Protects servers against INVITE attacks. Configures the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks.

    When you select Selected Servers, enter the destination IP address and click +. You can select the destination IP address and click X to delete it.

DSCP Code Rewrite

Code Point—Enter a six-bit DSCP code point value.

SUNRPC

Enable SUNRPC

Select the check box to enable SUNRPC.

Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

Maximum Group Usage (%)

Select the maximum group usage % from 10 to 100%.

Map Entry Timeout

Select the map entry timeout session from 5 to 4320 minutes.