security alg basic

Upload: mudassar-iqbal

Post on 02-Jun-2018

  • 8/10/2019 Security Alg Basic

    1/58

    Junos OS

    ALG Basics for Security Devices

    Release 12.1

    Published: 2012-08-30

    Copyright 2012, Juniper Networks, Inc.


    Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, California 94089, USA. 408-745-2000. www.juniper.net

    This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

    This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

    This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

    GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

    This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Junos OS ALG Basics for Security Devices 12.1. Copyright 2012, Juniper Networks, Inc. All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


    Table of Contents

    About the Documentation ..... vii
      Documentation and Release Notes ..... vii
      Supported Platforms ..... vii
      Using the Examples in This Manual ..... vii
        Merging a Full Example ..... viii
        Merging a Snippet ..... viii
      Documentation Conventions ..... ix
      Documentation Feedback ..... xi
      Requesting Technical Support ..... xi
        Self-Help Online Tools and Resources ..... xi
        Opening a Case with JTAC ..... xii

    Part 1 Overview

    Chapter 1 Supported Features ..... 3
      Application Layer Gateways ..... 3

    Chapter 2 ALG Basics ..... 5
      ALG Overview ..... 5
      Custom ALG Services ..... 6
      Understanding ALG Types ..... 7

    Chapter 3 VoIP DSCP Rewrite Rules ..... 11
      Understanding VoIP DSCP Rewrite Rules ..... 11

    Chapter 4 DNS Doctoring ..... 13
      Understanding DNS Doctoring ..... 13

    Part 2 Configuration

    Chapter 5 VoIP DSCP Rewrite Rules ..... 19
      Example: Configuring VoIP DSCP Rewrite Rules ..... 19

    Chapter 6 DNS Doctoring ..... 21
      Disabling DNS Doctoring (CLI Procedure) ..... 21

    Chapter 7 Configuration Statements ..... 23
      [edit security alg] Hierarchy Level ..... 23
      alg ..... 28
      alg-manager ..... 32
      alg-support-lib ..... 33
      dns ..... 34
      ftp (Security ALG) ..... 35
      maximum-message-length ..... 36
      sql ..... 37
      talk ..... 38
      tftp (Security ALG) ..... 39
      traceoptions (Security ALG) ..... 40

    Part 3 Index

    Index ..... 45


    List of Tables

    About the Documentation ..... vii
      Table 1: Notice Icons ..... ix
      Table 2: Text and Syntax Conventions ..... ix

    Part 1 Overview

    Chapter 1 Supported Features ..... 3
      Table 3: ALG Support ..... 3


    About the Documentation

    Documentation and Release Notes on page vii

    Supported Platforms on page vii

    Using the Examples in This Manual on page vii

    Documentation Conventions on page ix

    Documentation Feedback on page xi

    Requesting Technical Support on page xi

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

    Supported Platforms

    For the features described in this document, the following platforms are supported:

    J Series

    SRX Series

    Using the Examples in This Manual

    If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

    If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.


    If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

    Merging a Full Example

    To merge a full example, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

    2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

    [edit]
    user@host# load merge /var/tmp/ex-script.conf
    load complete

    Merging a Snippet

    To merge a snippet, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

    2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:


    [edit]
    user@host# edit system scripts
    [edit system scripts]

    3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

    [edit system scripts]
    user@host# load merge relative /var/tmp/ex-script-snippet.conf
    load complete

    For more information about the load command, see the Junos OS CLI User Guide.

    Documentation Conventions

    Table 1 on page ix defines notice icons used in this guide.

    Table 1: Notice Icons

    Meaning              Description
    Informational note   Indicates important features or instructions.
    Caution              Indicates a situation that might result in loss of data or hardware damage.
    Warning              Alerts you to the risk of personal injury or death.
    Laser warning        Alerts you to the risk of personal injury from a laser.

    Table 2 on page ix defines the text and syntax conventions used in this guide.

    Table 2: Text and Syntax Conventions

    Convention: Bold text like this
    Description: Represents text that you type.
    Examples: To enter configuration mode, type the configure command:
        user@host> configure

    Convention: Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Examples:
        user@host> show chassis alarms
        No alarms currently active

    Convention: Italic text like this
    Description: Introduces or emphasizes important new terms. Identifies book names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions.
        Junos OS System Basics Configuration Guide
        RFC 1997, BGP Communities Attribute

    Convention: Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Examples: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

    Convention: Text like this
    Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        The console port is labeled CONSOLE.

    Convention: < > (angle brackets)
    Description: Enclose optional keywords or variables.
    Examples: stub ;

    Convention: | (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples:
        broadcast | multicast
        ( string1 | string2 | string3 )

    Convention: # (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Examples: rsvp { # Required for dynamic MPLS only

    Convention: [ ] (square brackets)
    Description: Enclose a variable for which you can substitute one or more values.
    Examples: community name members [ community-ids ]

    Convention: Indention and braces ( { } )
    Description: Identify a level in the configuration hierarchy.
    Examples:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

    Convention: ; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.

    J-Web GUI Conventions

    Convention: Bold text like this
    Description: Represents J-Web graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces.
        To cancel the configuration, click Cancel.

    Convention: > (bold right angle bracket)
    Description: Separates levels in a hierarchy of J-Web selections.
    Examples: In the configuration editor hierarchy, select Protocols>Ospf.


    Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

    Document or topic name

    URL or page number

    Software release version (if applicable)

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.

    JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    Find CSC offerings: http://www.juniper.net/customers/support/

    Search for known bugs: http://www2.juniper.net/kb/

    Find product documentation: http://www.juniper.net/techpubs/

    Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

    Download the latest versions of software and review release notes:http://www.juniper.net/customers/csc/software/

    Search technical bulletins for relevant hardware and software notifications:https://www.juniper.net/alerts/


    Join and participate in the Juniper Networks Community Forum:http://www.juniper.net/company/communities/

    Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

    Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

    Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


    PART 1

    Overview

    Supported Features on page 3

    ALG Basics on page 5

    VoIP DSCP Rewrite Rules on page 11

    DNS Doctoring on page 13


    CHAPTER 1

    Supported Features

    Application Layer Gateways on page 3

    Application Layer Gateways

    An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or File Transfer Protocol (FTP) on SRX Series and J Series devices running Junos OS. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the Juniper Networks device. Also, ALGs modify the embedded IP addresses as required.

    Table 3 on page 3 lists the ALG features that are supported on SRX Series and J Series devices.

    Table 3: ALG Support

    Platform columns: A = SRX100, SRX110, SRX210, SRX220, SRX240; B = SRX550, SRX650; C = SRX1400, SRX3400, SRX3600, SRX5600, SRX5800; D = J Series

    Feature                                                           A                                         B    C    D
    DNS ALG                                                           Yes                                       Yes  Yes  Yes
    DNS doctoring support                                             Yes                                       Yes  Yes  Yes
    DNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering   SRX100, SRX210, SRX220, and SRX240 only   Yes  Yes  No
    DSCP marking for SIP, H.323, MGCP, and SCCP ALGs                  Yes                                       Yes  Yes  Yes
    FTP                                                               Yes                                       Yes  Yes  Yes
    H.323                                                             Yes                                       Yes  Yes  Yes
    Avaya H.323                                                       Yes                                       Yes  Yes  Yes
    IKE                                                               Yes                                       Yes  Yes  Yes


    CHAPTER 2

    ALG Basics

    ALG Overview on page 5

    Custom ALG Services on page 6

    Understanding ALG Types on page 7

    ALG Overview

    An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or FTP on Juniper Networks devices running Junos OS. The ALG module is responsible for Application-Layer aware packet processing.

    ALG functionality can be triggered either by a service or application configured in the security policy:

    A service is an object that identifies an application protocol using Layer 4 information (such as standard and accepted TCP and UDP port numbers) for an application service (such as Telnet, FTP, SMTP, and HTTP).

    An application specifies the Layer 7 application that maps to a Layer 4 service.

    A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an ALG.

    ALGs for packets destined to well-known ports are triggered by service type. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the device:

    1. When a packet arrives at the device, the flow module forwards the packet according to the security rule set in the policy.

    2. If a policy is found to permit the packet, the associated service type or application type is assigned and a session is created for this type of traffic.

    3. If a session is found for the packet, no policy rule match is needed. The ALG module is triggered if that particular service or application type requires the supported ALG processing.


    The ALG also inspects the packet for embedded IP address and port information in the packet payload, and performs Network Address Translation (NAT) processing if necessary. The ALG also opens a gate for the IP address and port number to permit data exchange for the session. The control session and data session can be coupled to have the same timeout value, or they can be independent.

    ALGs are supported on chassis clusters. For information about chassis clusters, see Chassis Cluster Overview.
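    The session and gate handling described in this overview, as an added example that is not Juniper's code: a toy flow module in Python that permits a packet by its Layer 4 service, creates a session, skips the policy lookup for later packets of that session, and hands the payload to the FTP ALG bound to the service. The ALG reads the client address and port embedded in an FTP PORT command, rewrites them for static NAT, and opens a gate only for that address and port, so a data connection that no gate announces is still refused. The customer-ignore binding shows the bypass case in which a service is permitted without ALG processing. The service table, ALG bindings, NAT map and addresses are all assumptions constructed for the example.

```python
"""
Added example, not Juniper code: a toy model of the flow module / ALG
interaction. A policy permits a packet by its Layer 4 service, a session is
created, and later packets of that session skip the policy lookup. If the
service is bound to an ALG, the ALG reads the control payload for an embedded
IP address and port, rewrites it for NAT, and opens a gate (pinhole) for the
data connection the payload announces. FTP is used because its PORT command
carries that address in clear text. Service names, addresses and tables are
constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Service objects: Layer 4 (protocol, destination port) -> service name.
SERVICES = {
    ("tcp", 21): "junos-ftp",         # predefined service bound to the FTP ALG
    ("tcp", 135): "customer-ignore",  # custom service that bypasses ALG processing
}
# ALG bound to each service ("ignore" = permit without ALG processing).
ALG_BINDING = {"junos-ftp": "ftp", "customer-ignore": "ignore"}

# Constructed static NAT: private client address -> public address.
NAT_PRIVATE_TO_PUBLIC = {"10.0.0.5": "203.0.113.10"}

PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


@dataclass
class Session:
    key: tuple                 # (proto, src_ip, src_port, dst_ip, dst_port)
    service: str
    alg: str
    gates: list = field(default_factory=list)  # (proto, from_ip, to_ip, to_port)


class Flow:
    def __init__(self):
        self.sessions = {}
        self.policy_lookups = 0

    def lookup_policy(self, proto, dst_port):
        """Steps 1-2: match the packet against the rule set by service type."""
        self.policy_lookups += 1
        return SERVICES.get((proto, dst_port))

    def handle(self, proto, src_ip, src_port, dst_ip, dst_port, payload=b""):
        """Returns (verdict, payload as forwarded)."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        sess = self.sessions.get(key)
        if sess is None:
            service = self.lookup_policy(proto, dst_port)
            if service is None:
                return "deny", None
            sess = Session(key, service, ALG_BINDING.get(service, "none"))
            self.sessions[key] = sess
        # Step 3: a known session needs no policy match; only a bound ALG runs.
        if sess.alg == "ftp":
            payload = self._ftp_alg(sess, payload)
        return "permit", payload

    def _ftp_alg(self, sess, payload):
        """Inspect PORT h1,h2,h3,h4,p1,p2: NAT the embedded address, open a gate."""
        m = PORT_CMD.match(payload)
        if not m:
            return payload
        client_ip = ".".join(m.group(i).decode() for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        public_ip = NAT_PRIVATE_TO_PUBLIC.get(client_ip, client_ip)
        server_ip = sess.key[3]
        # Gate: the server may connect back to the translated address and port only.
        sess.gates.append(("tcp", server_ip, public_ip, port))
        p1, p2 = divmod(port, 256)
        return f"PORT {public_ip.replace('.', ',')},{p1},{p2}\r\n".encode()

    def data_connection_allowed(self, proto, src_ip, dst_ip, dst_port):
        """A data connection is permitted only through a gate an ALG opened."""
        return any((proto, src_ip, dst_ip, dst_port) in s.gates
                   for s in self.sessions.values())


if __name__ == "__main__":
    flow = Flow()
    verdict, fwd = flow.handle("tcp", "10.0.0.5", 40000, "198.51.100.7", 21,
                               b"PORT 10,0,0,5,195,80\r\n")
    print(verdict, fwd)
    print(flow.data_connection_allowed("tcp", "198.51.100.7", "203.0.113.10", 50000))
```

    The gate is the security-relevant part: it is scoped to exactly the address and port the control channel announced, so the data channel is admitted without a broad policy rule, and a connection to any other port is refused.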

    Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Understanding ALG Types on page 7

    Understanding H.323 ALGs

    Understanding SIP ALGs

    Understanding SCCP ALGs

    Understanding MGCP ALGs

    Understanding RPC ALGs

    Custom ALG Services

    By default, ALGs are bound to predefined services. For example, the FTP ALG is bound to junos-ftp, the RTSP ALG is bound to junos-rtsp, and so on.

    A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an ALG.

    When you apply predefined services to your policy, traffic matching the service will be sent to its corresponding ALG for further processing. However, under some circumstances, the customer needs to define custom services in order to achieve the following:

    Utilize the ALG handler to process special traffic, with customer-specified protocols, destination ports and so on.

    Permit traffic but bypass ALG processing, when traffic matches predefined services that bind with ALG.

    Add more applications to the current ALG's application set.

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    The three usages of custom services are illustrated below, considering MSRPC ALG as an example:

    Utilize the ALG handler to process special traffic:

    [edit]
    user@host# set applications application customer-msrpc application-protocol ms-rpc
    user@host# set applications application customer-msrpc protocol tcp
    user@host# set applications application customer-msrpc destination-port 6000

    Traffic with TCP destination port 6000 will be sent to MSRPC ALG for further processing.

    Permit traffic but bypass ALG processing:

    [edit]
    user@host# set applications application customer-ignore application-protocol ignore
    user@host# set applications application customer-ignore protocol tcp
    user@host# set applications application customer-ignore destination-port 135

    MSRPC ALG will be ignored by traffic with TCP destination port 135.

    Add more applications to the current ALG's application set. To add applications such as MSRPC or SUNRPC services, which are not predefined on SRX Series devices:

    [edit]
    user@host# set applications application customer-msrpc term t1 protocol tcp
    user@host# set applications application customer-msrpc term t1 uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2

    MSRPC data traffic with TCP, uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2, will be permitted when customer-msrpc is applied to the policy along with other predefined junos-ms-rpc** applications.

    Related Documentation

    Understanding ALG Types on page 7

    ALG Overview on page 5

    Understanding Microsoft RPC Services

    Understanding RPC ALGs

    Understanding ALG Types

    Junos OS supports voice-over-IP Application Layer Gateways (VoIP ALGs) and basic data ALGs. (Note that supported ALG types vary depending on which hardware device you are using.)

    VoIP ALGs provide stateful Application Layer inspection and Network Address Translation (NAT) capabilities to VoIP signaling and media traffic. The ALG inspects the state of transactions, or calls, and forwards or drops packets based on those states.


    CHAPTER 3

    VoIP DSCP Rewrite Rules

    Understanding VoIP DSCP Rewrite Rules on page 11

    Understanding VoIP DSCP Rewrite Rules

    This topic describes the voice over IP Application Layer Gateway (VoIP ALG) mechanism for modifying the Differentiated Services Code Point (DSCP) field of Real-Time Transport Protocol (RTP) packets. The VoIP ALG mechanism is applicable for the RTP session, which is recognized by the ALG.

    DSCP is a modification of the type of service byte for class of service (CoS). Six bits of this byte are reallocated for use as the DSCP field, where each DSCP specifies a particular per-hop behavior that is applied to a packet.

    To avoid VoIP quality degradation caused by network congestion, the RTP packets are required to mark the DSCP bit to ensure they get higher routing priority. A downstream router can put those packets in a higher priority queue for faster forwarding. To provide this functionality, there needs to be a per-VoIP mechanism for modifying the DSCP field of RTP packets according to the specific configuration. This will ensure that all RTP packets based on User Datagram Protocol/Transport Control Protocol (UDP/TCP) that encounter the ALG will be assigned a specific DSCP bit.

    A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the requirements of the targeted peer. Each rewrite rule reads the current CoS value that is configured at the VoIP ALG level. Every packet that hits the VoIP ALG is marked by this CoS value.

    This feature supports ALG DSCP marking for H323, Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), and Skinny Client Control Protocol (SCCP). It provides a 6-bit DSCP value configuration for each of these. When the first RTP packet hits the ALG, this feature receives the 6-bit DSCP value from the configuration and sets it to the RTP session that the packet has created. This first RTP packet and the following RTP packets passing through the RTP session are marked according to the 6-bit DSCP value in the session.
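    What the rewrite does to each RTP packet at the IP layer, as an added example that is not Juniper's code: the ALG's configured 6-bit DSCP value is written into the type-of-service byte of the IPv4 header when the first packet of the RTP session arrives and is reused for the rest of the session. The ALG_DSCP table, the addresses and the packet are constructed for the example; preserving the two ECN bits that share the byte and recomputing the header checksum are what any correct rewrite has to do, and both are easy to get wrong.

```python
"""
Added example, not Juniper code: a VoIP DSCP rewrite applied to an RTP packet
at the IP layer. The 6-bit DSCP value configured for the ALG is written into
the type-of-service byte of the IPv4 header when the first RTP packet of a
session is seen, and every later packet of that session gets the same value.
The ECN bits are preserved and the header checksum is recomputed. The
ALG_DSCP table, the addresses and the packet are constructed.
"""
import struct

# Constructed per-ALG configuration: one 6-bit DSCP value for each VoIP ALG
# (46 is the EF code point, 34 is AF41).
ALG_DSCP = {"sip": 46, "h323": 46, "mgcp": 34, "sccp": 34}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words. Returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, tos: int = 0, proto: int = 17) -> bytes:
    """Constructed IPv4 packet (no options, IHL = 5) carrying `payload`."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def header_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Return a copy of the packet with the DSCP field rewritten, the ECN
    bits untouched and the header checksum corrected."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)   # upper 6 bits DSCP, lower 2 bits ECN
    hdr[10:12] = b"\x00\x00"                  # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


class RtpSession:
    """An RTP session recognized by one VoIP ALG. The DSCP value is read from
    the configuration when the first packet hits and kept for the session."""

    def __init__(self, alg: str):
        self.alg = alg
        self.dscp = None

    def mark(self, packet: bytes) -> bytes:
        if self.dscp is None:
            self.dscp = ALG_DSCP[self.alg]
        return set_dscp(packet, self.dscp)


if __name__ == "__main__":
    # Constructed RTP-over-UDP packet with the ECN least-significant bit set.
    pkt = build_ipv4("10.0.0.5", "10.0.0.9", b"\x80\x00" * 6, tos=0x01)
    out = RtpSession("sip").mark(pkt)
    print(hex(out[1]), header_checksum_ok(out))  # 0xb9 True
```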

Related Documentation

    Example: Configuring VoIP DSCP Rewrite Rules on page 19


    CHAPTER 4

    DNS Doctoring

    Understanding DNS Doctoring on page 13

    Understanding DNS Doctoring

JUNOS Software for SRX Series devices provides Domain Name System (DNS) support. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message. To configure the DNS ALG, use the dns statement at the [edit security alg] hierarchy level (edit security alg dns).

Domain Name System (DNS) provides name-to-address mapping within a routing class (for example, IP), whereas Network Address Translators (NATs) attempt to provide transparent routing between hosts in disparate address realms of the same routing class. NAT therefore introduces problems for DNS (a reply can carry an address from the wrong realm for the host that receives it), and these problems need to be handled by the DNS ALG. This handling is called DNS doctoring.

To resolve the problems introduced by NAT, DNS ALG functionality has been extended to support static NAT; the problems are then resolved through DNS doctoring.

NOTE: The DNS ALG must be enabled on the device in order to perform DNS doctoring. With the DNS ALG enabled on SRX3400, SRX3600, SRX5600, and SRX5800 devices, DNS doctoring is enabled by default from Junos Release 10.1.

    The restoring/doctoring is performed in two parts:

    Packet sanity check

    NAT


You should configure static NAT for the DNS server first. Then, if the DNS ALG is enabled, public-to-private and private-to-public static address translation can occur for A-records in DNS replies.

The DNS ALG also now includes a maximum-message-length command option with a value range of 512 to 8192 bytes and a default value of 512 bytes. The DNS ALG will not drop traffic if the DNS message length exceeds the configured maximum, if the domain name is more than 255 bytes, or if the label length is more than 63 bytes. The ALG will also decompress domain name compression pointers and retrieve their related full domain names, and check for the existence of compression pointer loops and drop the traffic if a loop exists.

NOTE: The DNS ALG can translate the first 32 A-records in a single DNS reply. A-records after the first 32 will not be handled. Also note that the DNS ALG supports only IPv4 addresses and does not support VPN tunnels.
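The two parts of doctoring named above (packet sanity check, then NAT of A-records), as an added example written for this page rather than taken from Junos OS: a Python parser that applies the checks the text lists (the maximum-message-length limit, names over 255 bytes, labels over 63 bytes, and compression pointer loops found while decompressing names) and then rewrites the addresses of the first 32 IN A records through a static NAT table. The static NAT entries, the sample reply for www.example.com, and all function names (read_name, walk_reply, check_reply, doctor_reply, a_records, build_sample_reply) are constructed for this example; what to do with a reply that fails a check is left to the caller, which gets the reason from check_reply.

```python
# Added example, not Junos code: the DNS reply sanity checks and A-record
# doctoring described above. Assumes a static NAT table given as a dict of
# dotted-quad strings; the sample reply, names and addresses are constructed.
import struct
import ipaddress

MAX_LABEL_LEN, MAX_NAME_LEN = 63, 255       # limits named in the text
DEFAULT_MAX_MESSAGE, MAX_TRANSLATED_A = 512, 32   # option default; A-record cap

class DnsSanityError(ValueError):
    pass

def read_name(msg, offset):
    """Decode a possibly compressed name at `offset` -> (name, next_offset)."""
    labels, targets, name_len, next_offset, pos = [], set(), 0, None, offset
    while True:
        if pos >= len(msg):
            raise DnsSanityError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if pos + 1 >= len(msg):
                raise DnsSanityError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            next_offset = pos + 2 if next_offset is None else next_offset
            if target in targets:                   # same target twice: a loop
                raise DnsSanityError("compression pointer loop")
            targets.add(target)
            pos = target
            continue
        if length > MAX_LABEL_LEN:                  # also catches reserved 01/10 types
            raise DnsSanityError("label longer than 63 bytes")
        if length == 0:                             # root label ends the name
            return ".".join(labels), (pos + 1 if next_offset is None else next_offset)
        name_len += length + 1
        if name_len + 1 > MAX_NAME_LEN:             # +1 for the root label
            raise DnsSanityError("name longer than 255 bytes")
        if pos + 1 + length > len(msg):
            raise DnsSanityError("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def walk_reply(msg, max_message_length=DEFAULT_MAX_MESSAGE):
    """Sanity-check a reply; yield (rtype, rclass, rdata_offset, rdlength) per RR."""
    if len(msg) > max_message_length:
        raise DnsSanityError("message exceeds maximum-message-length")
    if len(msg) < 12 or not msg[2] & 0x80:          # QR bit: top bit of byte 2
        raise DnsSanityError("truncated header or not a reply")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    pos = 12
    for _ in range(qd):
        _name, pos = read_name(msg, pos)
        pos += 4                                    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise DnsSanityError("truncated resource record")
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlength > len(msg):
            raise DnsSanityError("RDATA runs past end of message")
        yield rtype, rclass, pos, rdlength
        pos += rdlength

def check_reply(msg, max_message_length=DEFAULT_MAX_MESSAGE):
    """None if the reply passes every check, else the reason it failed."""
    try:
        list(walk_reply(msg, max_message_length))
    except DnsSanityError as exc:
        return str(exc)

def doctor_reply(msg, nat_map, max_message_length=DEFAULT_MAX_MESSAGE):
    """Copy of the reply with IN A addresses found in `nat_map` rewritten."""
    out, seen = bytearray(msg), 0
    for rtype, rclass, rdata, rdlength in walk_reply(msg, max_message_length):
        if rtype == 1 and rclass == 1 and rdlength == 4:
            seen += 1
            if seen > MAX_TRANSLATED_A:
                continue                            # beyond the first 32: untouched
            addr = str(ipaddress.IPv4Address(msg[rdata:rdata + 4]))
            if addr in nat_map:
                out[rdata:rdata + 4] = ipaddress.IPv4Address(nat_map[addr]).packed
    return bytes(out)

def a_records(msg):
    return [str(ipaddress.IPv4Address(msg[r:r + 4]))
            for t, c, r, n in walk_reply(msg, 8192) if t == 1 and c == 1 and n == 4]

def build_sample_reply(answers, qname=b"www.example.com"):
    """Constructed reply: one question plus one IN A answer per address, each
    answer name a compression pointer (0xC00C) to the question at offset 12."""
    name = b"".join(bytes([len(l)]) + l for l in qname.split(b".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + ipaddress.IPv4Address(a).packed for a in answers)
    return header + name + struct.pack("!HH", 1, 1) + rrs

# Constructed: a reply whose question name is a pointer to itself (a loop).
LOOP_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + b"\xC0\x0C\x00\x01\x00\x01"
STATIC_NAT = {"10.0.0.5": "203.0.113.5", "203.0.113.5": "10.0.0.5"}   # constructed, both directions
```

check_reply returns the name of the first failed check or None. doctor_reply walks the same generator while rewriting, so a reply that fails a check partway through raises DnsSanityError instead of returning a half-doctored message; a 33-answer reply shows both the default 512-byte limit (it is rejected until max_message_length is raised) and the 32-record cap (the 33rd address is left as sent).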

Related Documentation

    Junos OS CLI Reference

    DNS Overview

    IPv6 NAT Overview

    IPv6 NAT PT Overview

    IPv6 NAT-PT Communication Overview


    Disabling DNS Doctoring (CLI Procedure) on page 21


PART 2

Configuration

VoIP DSCP Rewrite Rules on page 19

DNS Doctoring on page 21

Configuration Statements on page 23


    CHAPTER 5

    VoIP DSCP Rewrite Rules

    Example: Configuring VoIP DSCP Rewrite Rules on page 19

    Example: Configuring VoIP DSCP Rewrite Rules

    This example shows how to configure VoIP DSCP.

    Requirements on page 19

    Overview on page 19

    Configuration on page 19

    Verification on page 20

    Requirements

This example uses an SRX210 device. The example assumes that the ALG has been enabled.

Overview

This example shows how to configure four ALG DSCP markings: SIP, H323, MGCP, and SCCP. You set the 6-bit DSCP value for each ALG.

    Configuration

Step-by-Step Procedure

    To configure VoIP DSCP rewrite rules:

1. Set the DSCP for each VoIP ALG.

[edit]
user@host# set security alg sip dscp-rewrite code-point 101010
user@host# set security alg h323 dscp-rewrite code-point 010101
user@host# set security alg mgcp dscp-rewrite code-point 111000
user@host# set security alg sccp dscp-rewrite code-point 000111

2. If you are done configuring the device, commit the configuration.

[edit]
user@host# commit


    Verification

To verify that the configuration is working properly, enter the show security alg command.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Understanding VoIP DSCP Rewrite Rules on page 11


    CHAPTER 6

    DNS Doctoring

    Disabling DNS Doctoring (CLI Procedure) on page 21

    Disabling DNS Doctoring (CLI Procedure)

The DNS doctoring feature is enabled by default. You can disable it with the CLI.

To disable DNS doctoring:

1. To disable all the doctoring features, specify the none configuration option:

user@host# set security alg dns doctoring none

2. To disable the NAT feature and retain the sanity-check feature, specify the sanity-check configuration option:

user@host# set security alg dns doctoring sanity-check

3. If you are finished configuring the device, commit the configuration.

4. From configuration mode in the CLI, enter the show security alg dns doctoring command to verify the configuration.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Junos OS CLI Reference

    DNS Overview

    IPv6 NAT Overview

    IPv6 NAT PT Overview


    CHAPTER 7

    Configuration Statements

    [edit security alg] Hierarchy Level on page 23

    [edit security alg] Hierarchy Level

security {
    alg {
        alg-manager {
            traceoptions {
                flag {
                    all;
                }
            }
        }
        alg-support-lib {
            traceoptions {
                flag {
                    all;
                }
            }
        }
        dns {
            disable;
            doctoring (none | sanity-check);
            maximum-message-length number;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        ftp {
            allow-mismatch-ip-address;
            disable;
            ftps-extension;
            line-break-extension;
            traceoptions {
                flag {
                    all;
                }
            }
        }


        h323 {
            application-screen {
                message-flood {
                    gatekeeper {
                        threshold rate;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            endpoint-registration-timeout value-in-seconds;
            media-source-port-any;
            traceoptions {
                flag flag;
            }
        }
        ike-esp-nat {
            enable;
            esp-gate-timeout value-in-seconds;
            esp-session-timeout value-in-seconds;
            state-timeout value-in-seconds;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        mgcp {
            application-screen {
                connection-flood {
                    threshold rate;
                }
                message-flood {
                    threshold rate;
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            traceoptions {
                flag flag;
            }
            transaction-timeout value-in-seconds;


            traceoptions {
                flag flag;
            }
        }
        sip {
            application-screen {
                protect {
                    deny {
                        all {
                            timeout value-in-seconds;
                        }
                        destination-ip address;
                        timeout value-in-seconds;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            c-timeout value-in-minutes;
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            retain-hold-resource;
            t1-interval value-in-milliseconds;
            t4-interval value-in-seconds;
            traceoptions {
                flag flag;
            }
        }
        sql {
            disable;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        sunrpc {
            disable;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        talk {
            disable;
            traceoptions {
                flag {
                    all;
                }


            }
        }
        tftp {
            disable;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            level (brief | detail | extensive | verbose);
            no-remote-trace;
        }
    }
}

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices


        endpoint-registration-timeout value-in-seconds;
        media-source-port-any;
        traceoptions {
            flag flag;
        }
    }
    ike-esp-nat {
        enable;
        esp-gate-timeout value-in-seconds;
        esp-session-timeout value-in-seconds;
        state-timeout value-in-seconds;
        traceoptions {
            flag {
                all;
            }
        }
    }
    mgcp {
        application-screen {
            connection-flood {
                threshold rate;
            }
            message-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        traceoptions {
            flag flag;
        }
        transaction-timeout value-in-seconds;
    }
    msrpc {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    pptp {
        disable;
        traceoptions {
            flag {
                all;
            }
        }


    }
    real {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    rsh {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    rtsp {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    sccp {
        application-screen {
            call-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        traceoptions {
            flag flag;
        }
    }
    sip {
        application-screen {
            protect {
                deny {
                    all {
                        timeout value-in-seconds;
                    }
                    destination-ip address;
                    timeout value-in-seconds;
                }
            }
            unknown-message {


                permit-nat-applied;
                permit-routed;
            }
        }
        c-timeout value-in-minutes;
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        retain-hold-resource;
        t1-interval value-in-milliseconds;
        t4-interval value-in-seconds;
        traceoptions {
            flag flag;
        }
    }
    sql {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    sunrpc {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    talk {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    tftp {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            (no-world-readable | world-readable);


            size maximum-file-size;
        }
        level (brief | detail | extensive | verbose);
        no-remote-trace;
    }
}

    Hierarchy Level [edit security]

    Release Information Statement introduced in Release 8.5 of Junos OS.

Description Configure an Application Layer Gateway (ALG) on the device. An ALG runs as a service and can be associated in policies with specified types of traffic. ALGs are enabled by default.

    Options The remaining statements are explained separately.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide

    alg-manager

Syntax alg-manager {
    traceoptions {
        flag {
            all;
        }
    }
}

    Hierarchy Level [edit security alg]

Description Configures the Application Layer Gateway (ALG) manager.

    Options The remaining statements are explained separately.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    alg-support-lib

Syntax alg-support-lib {
    traceoptions {
        flag {
            all;
        }
    }
}

    Hierarchy Level [edit security alg-support-lib]

    Release Information Statement introduced in Release 8.5 of Junos OS.

    Description Configures the Application Layer Gateway (ALG) support library.

    Options The remaining statements are explained separately.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    dns

Syntax dns {
    disable;
    doctoring (none | sanity-check);
    maximum-message-length number;
    traceoptions {
        flag {
            all;
        }
    }
}

    Hierarchy Level [edit security alg]

    Release Information Statement introduced in Release 8.5 of Junos OS.

Description Specify the Domain Name Service (DNS) Application Layer Gateway (ALG) on the device.

Options

disable: Disable the DNS ALG. By default, the DNS ALG is enabled. This option enables or disables the DNS ALG for both IPv4 and IPv6 mode.

doctoring: Configure DNS ALG doctoring.

none: Disable all DNS ALG doctoring.

sanity-check: Perform only DNS ALG sanity checks.

maximum-message-length: A limit imposed on the size of individual DNS messages (see the related section).

traceoptions: Configure SQL ALG tracing options.

flag: Trace operation to perform.

all: Trace all events.

extensive: Display an extensive amount of data.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    ftp (Security ALG)

Syntax ftp {
    allow-mismatch-ip-address;
    disable;
    ftps-extension;
    line-break-extension;
    traceoptions {
        flag {
            all;
        }
    }
}

    Hierarchy Level [edit security alg]

    Release Information Statement modified in Release 11.4 of Junos OS.

    Description Specify the FTP ALG on the device.

Options

disable: Disable the FTP ALG. By default, the FTP ALG is enabled. This option enables or disables the FTP ALG for both IPv4 and IPv6 mode.

ftps-extension: Enable secure FTP and FTP SSL protocols.

line-break-extension: Enable line-break-extension. This option enables the FTP ALG to recognize LF as a line break in addition to the standard CR+LF (carriage return followed by line feed).

traceoptions: Configure FTP ALG tracing options. To specify more than one trace operation, include multiple flag statements.

flag: Trace operation to perform.

all: Trace all events.

extensive: (Optional) Display an extensive amount of data.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    maximum-message-length

    Syntax maximum-message-length number ;

    Hierarchy Level [edit security alg dns]

    Release Information Statement introduced in Release 10.1 of Junos OS.

    Description Specify the maximum DNS message length.

Options

number: Maximum length in bytes of a single DNS message.

    Range: 512 through 8192 bytes.

    Default: 512 bytes.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    sql

Syntax sql {
    disable;
    traceoptions {
        flag {
            all;
        }
    }
}

    Hierarchy Level [edit security alg]

    Release Information Statement introduced in Release 8.5 of Junos OS.

    Description Specify the Oracle SQL ALG on the device.

Options

disable: Disable the SQL ALG. By default, the SQL ALG is enabled.

traceoptions: Configure SQL ALG tracing options.

flag: Trace operation to perform.

all: Trace all events.

extensive: Display an extensive amount of data.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    talk

Syntax talk {
    disable;
    traceoptions {
        flag {
            all;
        }
    }
}

    Hierarchy Level [edit security alg]

    Release Information Statement introduced in Release 8.5 of Junos OS.

    Description Specify the TALK program ALG on the device.

Options

disable: Disable the TALK program ALG. By default, the TALK program ALG is enabled.

traceoptions: Configure TALK program ALG tracing options.

flag: Trace operation to perform.

all: Trace all events.

extensive: Display an extensive amount of data.

Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and a filename.

Syntax: xk to specify KB, xm to specify MB, or xg to specify GB

Range: 10 KB through 1 GB

Default: 128 KB

level: Set the level of debugging output.

brief: Match brief messages.

detail: Match detail messages.

extensive: Match extensive messages.

verbose: Match verbose messages.

no-remote-trace: Disable remote tracing.

Required Privilege Level

trace: To view this statement in the configuration.

trace-control: To add this statement to the configuration.


    Index

Symbols

#, comments in configuration statements, x
( ), in syntax descriptions, x
< >, in syntax descriptions, x
[ ], in configuration statements, x
{ }, in configuration statements, x
| (pipe), in syntax descriptions, x

A

ALG, see Application Layer Gateway
alg statement, 28
alg-manager, 32
alg-support-lib, 33
Application Layer Gateway, 3
    support table, 3

B

braces, in configuration statements, x
brackets
    angle, in syntax descriptions, x
    square, in configuration statements, x

C

comments, in configuration statements, x
conventions
    text and syntax, ix
curly braces, in configuration statements, x
customer support, xi
    contacting JTAC, xi

D

DNS
    doctoring
        disable, 21
DNS Doctoring, 13
dns statement, 34
documentation
    comments on, xi

F

font conventions, ix
ftp statement, 35

M

manuals
    comments on, xi
maximum-message-length statement, 36

P

parentheses, in syntax descriptions, x

S

sql statement, 37
support, technical, see technical support
syntax conventions, ix

T

talk statement, 38
technical support
    contacting JTAC, xi
tftp statement, 39
traceoptions statement
    (ALG), 40

V

VoIP DSCP rewrite rules
    configuring, 19
