Security Alg Basic
8/10/2019 Security Alg Basic
1/58
Junos OS
ALG Basics for Security Devices
Release
12.1
Published: 2012-08-30
Copyright 2012, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.
This product includes memory allocation software developed by Mark Moraes,copyright 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos OS ALG Basics for Security Devices 12.1. Copyright 2012, Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation
    Documentation and Release Notes
    Supported Platforms
    Using the Examples in This Manual
        Merging a Full Example
        Merging a Snippet
    Documentation Conventions
    Documentation Feedback
    Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC
Part 1 Overview
Chapter 1 Supported Features
    Application Layer Gateways
Chapter 2 ALG Basics
    ALG Overview
    Custom ALG Services
    Understanding ALG Types
Chapter 3 VoIP DSCP Rewrite Rules
    Understanding VoIP DSCP Rewrite Rules
Chapter 4 DNS Doctoring
    Understanding DNS Doctoring
Part 2 Configuration
Chapter 5 VoIP DSCP Rewrite Rules
    Example: Configuring VoIP DSCP Rewrite Rules
Chapter 6 DNS Doctoring
    Disabling DNS Doctoring (CLI Procedure)
Chapter 7 Configuration Statements
    [edit security alg] Hierarchy Level
    alg
    alg-manager
    alg-support-lib
    dns
    ftp (Security ALG)
    maximum-message-length
    sql
    talk
    tftp (Security ALG)
    traceoptions (Security ALG)
Part 3 Index
    Index
List of Tables
About the Documentation
    Table 1: Notice Icons
    Table 2: Text and Syntax Conventions
Part 1 Overview
Chapter 1 Supported Features
    Table 3: ALG Support
About the Documentation
Documentation and Release Notes
Supported Platforms
Using the Examples in This Manual
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Documentation and Release Notes
To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
J Series
SRX Series
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }
2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:
    [edit]
    user@host# load merge /var/tmp/ex-script.conf
    load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
    commit {
        file ex-script-snippet.xsl;
    }
2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:
    [edit]
    user@host# edit system scripts
    [edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:
    [edit system scripts]
    user@host# load merge relative /var/tmp/ex-script-snippet.conf
    load complete
For more information about the load command, see the Junos OS CLI User Guide.
Documentation Conventions
Table 1 on page ix defines notice icons used in this guide.
Table 1: Notice Icons
Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Table 2 on page ix defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies book names. Identifies RFC and Internet draft titles.
Examples:
    A policy term is a named structure that defines match conditions and actions.
    Junos OS System Basics Configuration Guide
    RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Enclose optional keywords or variables.
Examples:
    stub ;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    ( string1 | string2 | string3 )

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Enclose a variable for which you can substitute one or more values.
Examples:
    community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identify a level in the configuration hierarchy.
Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples (both conventions):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

J-Web GUI Conventions

Convention: Bold text like this
Description: Represents J-Web graphical user interface (GUI) items you click or select.
Examples:
    In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of J-Web selections.
Examples:
    In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:
Document or topic name
URL or page number
Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
Supported Features
ALG Basics
VoIP DSCP Rewrite Rules
DNS Doctoring
CHAPTER 1
Supported Features
Application Layer Gateways on page 3
Application Layer Gateways
An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or File Transfer Protocol (FTP) on SRX Series and J Series devices running Junos OS. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the Juniper Networks device. Also, ALGs modify the embedded IP addresses as required.
Table 3 on page 3 lists the ALG features that are supported on SRX Series and J Series devices.
Table 3: ALG Support
Feature | SRX100, SRX110, SRX210, SRX220, SRX240 | SRX550, SRX650 | SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 | J Series
DNS ALG | Yes | Yes | Yes | Yes
DNS doctoring support | Yes | Yes | Yes | Yes
DNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering | SRX100, SRX210, SRX220, and SRX240 only | Yes | Yes | No
DSCP marking for SIP, H.323, MGCP, and SCCP ALGs | Yes | Yes | Yes | Yes
FTP | Yes | Yes | Yes | Yes
H.323 | Yes | Yes | Yes | Yes
Avaya H.323 | Yes | Yes | Yes | Yes
IKE | Yes | Yes | Yes | Yes
CHAPTER 2
ALG Basics
ALG Overview
Custom ALG Services
Understanding ALG Types
ALG Overview
An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or FTP on Juniper Networks devices running Junos OS. The ALG module is responsible for Application-Layer aware packet processing.
ALG functionality can be triggered either by a service or application configured in the security policy:
A service is an object that identifies an application protocol using Layer 4 information (such as standard and accepted TCP and UDP port numbers) for an application service (such as Telnet, FTP, SMTP, and HTTP).
An application specifies the Layer 7 application that maps to a Layer 4 service.
A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an ALG.
ALGs for packets destined to well-known ports are triggered by service type. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the device:
1. When a packet arrives at the device, the flow module forwards the packet according to the security rule set in the policy.
2. If a policy is found to permit the packet, the associated service type or application type is assigned and a session is created for this type of traffic.
3. If a session is found for the packet, no policy rule match is needed. The ALG module is triggered if that particular service or application type requires the supported ALG processing.
The ALG also inspects the packet for embedded IP address and port information in the packet payload, and performs Network Address Translation (NAT) processing if necessary. The ALG also opens a gate for the IP address and port number to permit data exchange for the session. The control session and data session can be coupled to have the same timeout value, or they can be independent.
ALGs are supported on chassis clusters. For information about chassis clusters, see Chassis Cluster Overview.
Related Documentation
Junos OS Feature Support Reference for SRX Series and J Series Devices
Understanding ALG Types
Understanding H.323 ALGs
Understanding SIP ALGs
Understanding SCCP ALGs
Understanding MGCP ALGs
Understanding RPC ALGs
Custom ALG Services
By default, ALGs are bound to predefined services. For example, the FTP ALG is bound to junos-ftp, the RTSP ALG is bound to junos-rtsp, and so on.
A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an ALG.
When you apply predefined services to your policy, traffic matching the service will be sent to its corresponding ALG for further processing. However, under some circumstances, the customer needs to define custom services in order to achieve the following:
Utilize the ALG handler to process special traffic, with customer-specified protocols, destination ports and so on.
Permit traffic but bypass ALG processing, when traffic matches predefined services that bind with ALG.
Add more applications to the current ALG's application set.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
The three usages of custom services are illustrated below, considering MSRPC ALG as an example:
Utilize the ALG handler to process special traffic:
[edit]
user@host# set applications application customer-msrpc application-protocol ms-rpc
user@host# set applications application customer-msrpc protocol tcp
user@host# set applications application customer-msrpc destination-port 6000
Traffic with TCP destination port 6000 will be sent to the MSRPC ALG for further processing.
Permit traffic but bypass ALG processing:
[edit]
user@host# set applications application customer-ignore application-protocol ignore
user@host# set applications application customer-ignore protocol tcp
user@host# set applications application customer-ignore destination-port 135
The MSRPC ALG will be ignored for traffic with TCP destination port 135.
Add more applications to the current ALG's application set: To add applications such as MSRPC or SUNRPC services, which are not predefined on SRX Series devices:
[edit]
user@host# set applications application customer-msrpc term t1 protocol tcp
user@host# set applications application customer-msrpc term t1 uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2
MSRPC data traffic with TCP, uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2, will be permitted when custom-msrpc is applied to the policy along with other predefined junos-ms-rpc** applications.
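One way to review a configuration for the three custom-service uses shown above, as an added Python example that is not part of the Juniper guide: it reads set-format lines and reports custom applications that bind an ALG to a nonstandard port, bypass an ALG with application-protocol ignore, or add an RPC UUID. The default-port table, the finding labels, and the application name customer-msrpc-uuid are assumptions made for the example.

```python
import re
from collections import defaultdict

# Standard listening ports of the protocols behind these application-protocol
# keywords (table assembled for this example, not taken from the guide).
ALG_DEFAULT_PORT = {"ftp": "21", "tftp": "69", "dns": "53", "ms-rpc": "135",
                    "sun-rpc": "111", "sip": "5060", "rtsp": "554"}

# Matches "set applications application NAME [term T] KEY VALUE".
SET_RE = re.compile(
    r"^set applications application (\S+) (?:term \S+ )?(\S+) (\S+)$")

# Constructed sample: the commands from this section in set form. The UUID
# application is renamed customer-msrpc-uuid (hypothetical name) so that the
# three uses stay separate applications.
SAMPLE_CONFIG = """\
set applications application customer-msrpc application-protocol ms-rpc
set applications application customer-msrpc protocol tcp
set applications application customer-msrpc destination-port 6000
set applications application customer-ignore application-protocol ignore
set applications application customer-ignore protocol tcp
set applications application customer-ignore destination-port 135
set applications application customer-msrpc-uuid term t1 protocol tcp
set applications application customer-msrpc-uuid term t1 uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2
"""


def parse_applications(config_text):
    """Collect {application: {statement: [values]}} from set-format lines."""
    apps = defaultdict(lambda: defaultdict(list))
    for line in config_text.splitlines():
        match = SET_RE.match(line.strip())
        if match:
            name, key, value = match.groups()
            apps[name][key].append(value)
    return apps


def audit_custom_algs(config_text):
    """Return (application, finding, detail) tuples, sorted by application."""
    findings = []
    for name, attrs in sorted(parse_applications(config_text).items()):
        alg = (attrs.get("application-protocol") or [None])[0]
        proto = (attrs.get("protocol") or ["any"])[0]
        for port in attrs.get("destination-port", []):
            if alg == "ignore":
                # Which ALG would normally see traffic on this port?
                skipped = [a for a, p in ALG_DEFAULT_PORT.items() if p == port]
                target = f"{skipped[0]} ALG" if skipped else "ALG processing"
                findings.append((name, "alg-bypass",
                                 f"{proto}/{port} bypasses {target}"))
            elif alg and ALG_DEFAULT_PORT.get(alg) != port:
                findings.append((name, "alg-nonstandard-port",
                                 f"{alg} ALG inspects {proto}/{port}"))
        for uuid in attrs.get("uuid", []):
            findings.append((name, "rpc-uuid-added", uuid))
    return findings


if __name__ == "__main__":
    for finding in audit_custom_algs(SAMPLE_CONFIG):
        print("%-20s %-22s %s" % finding)
```

Each finding is a place where a security policy that references the custom application changes which traffic an ALG parses, so it is worth comparing against the policies that use it.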
Related Documentation
Understanding ALG Types
ALG Overview
Understanding Microsoft RPC Services
Understanding RPC ALGs
Understanding ALG Types
Junos OS supports voice-over-IP Application Layer Gateways (VoIP ALGs) and basic data ALGs. (Note that supported ALG types vary depending on which hardware device you are using.)
VoIP ALGs provide stateful Application Layer inspection and Network Address Translation (NAT) capabilities to VoIP signaling and media traffic. The ALG inspects the state of transactions, or calls, and forwards or drops packets based on those states.
CHAPTER 3
VoIP DSCP Rewrite Rules
Understanding VoIP DSCP Rewrite Rules on page 11
Understanding VoIP DSCP Rewrite Rules
This topic describes the voice over IP Application Layer Gateway (VoIP ALG) mechanism for modifying the Differentiated Services Code Point (DSCP) field of Real-Time Transport Protocol (RTP) packets. The VoIP ALG mechanism is applicable for the RTP session, which is recognized by the ALG.
DSCP is a modification of the type of service byte for class of service (CoS). Six bits of this byte are reallocated for use as the DSCP field, where each DSCP specifies a particular per-hop behavior that is applied to a packet.
To avoid VoIP quality degradation caused by network congestion, the RTP packets are required to mark the DSCP bit to ensure they get higher routing priority. A downstream router can put those packets in a higher priority queue for faster forwarding. To provide this functionality, there needs to be a per-VoIP mechanism for modifying the DSCP field of RTP packets according to the specific configuration. This will ensure that all RTP packets based on User Datagram Protocol/Transport Control Protocol (UDP/TCP) that encounter the ALG will be assigned a specific DSCP bit.
A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the requirements of the targeted peer. Each rewrite rule reads the current CoS value that is configured at the VoIP ALG level. Every packet that hits the VoIP ALG is marked by this CoS value.
This feature supports ALG DSCP marking for H323, Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), and Skinny Client Control Protocol (SCCP). It provides a 6-bit DSCP value configuration for each of these. When the first RTP packet hits the ALG, this feature receives the 6-bit DSCP value from the configuration and sets it to the RTP session that the packet has created. This first RTP packet and the following RTP packets passing through the RTP session are marked according to the 6-bit DSCP value in the session.
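The per-session marking described above, as an added Python example (not Juniper's implementation and not code from this guide): the first packet of a session fixes the 6-bit DSCP value taken from configuration, and every packet of that session has the value written into the upper six bits of the IPv4 type-of-service byte, with the header checksum recomputed. The class and function names, the session key, and the sample packet are constructed for illustration.

```python
import struct


def ipv4_checksum(header):
    """One's-complement checksum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def rewrite_dscp(packet, dscp):
    """Return a copy of an IPv4 packet with its DSCP field set to dscp."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0..63)")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    header = bytearray(packet[:ihl])
    # DSCP is the upper six bits of the old ToS byte; keep the lower two bits.
    header[1] = (dscp << 2) | (header[1] & 0x03)
    header[10:12] = b"\x00\x00"                 # zero the field, then recompute
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


class VoipDscpMarker:
    """Model of the marking flow: the value is bound to the RTP session."""

    def __init__(self, configured):
        self.configured = dict(configured)      # e.g. {"sip": 46}, per ALG
        self.sessions = {}                      # session key -> DSCP value

    def mark(self, session_key, alg, packet):
        # The first packet of a session copies the configured value into the
        # session; later packets reuse the value stored in the session.
        if session_key not in self.sessions:
            self.sessions[session_key] = self.configured[alg]
        return rewrite_dscp(packet, self.sessions[session_key])


def sample_rtp_packet(low_bits=1):
    """Constructed IPv4/UDP packet (documentation addresses, empty payload)."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, low_bits, 28, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])))
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + struct.pack("!HHHH", 16384, 16384, 8, 0)


if __name__ == "__main__":
    marker = VoipDscpMarker({"sip": 46})
    session = ("192.0.2.10", 16384, "198.51.100.20", 16384)
    marked = marker.mark(session, "sip", sample_rtp_packet())
    print("ToS byte 0x%02x, DSCP %d" % (marked[1], marked[1] >> 2))
```

A header whose checksum is valid sums to zero under `ipv4_checksum`, which gives a quick check that a rewritten packet will not be discarded downstream as corrupt.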
Related Documentation
Example: Configuring VoIP DSCP Rewrite Rules
CHAPTER 4
DNS Doctoring
Understanding DNS Doctoring on page 13
Understanding DNS Doctoring
JUNOS Software for SRX Series devices provides Domain Name System (DNS) support. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message. To configure the DNS ALG, use the edit security alg dns statement at the [edit security alg] hierarchy level.
Domain Name System (DNS) provides name to address mapping within a routing class (for example, IP). Network Address Translators (NATs), in contrast, attempt to provide transparent routing between hosts in disparate address realms of the same routing class. NAT therefore introduces some problems for DNS, which need to be handled by the DNS ALG. This handling of problems is called DNS doctoring.
To resolve the problems introduced by NAT, DNS ALG functionality has been extended to support static NAT, and the problems are then resolved through DNS doctoring.
NOTE: DNS ALG must be enabled on the devices in order to perform DNS doctoring. With DNS ALG being enabled on SRX3400, SRX3600, SRX5600, and SRX5800 devices, DNS doctoring is enabled by default from Junos Release 10.1.
The restoring/doctoring is performed in two parts:
Packet sanity check
NAT
You should configure static NAT for the DNS server first. Then, if the DNS ALG is enabled, public-to-private and private-to-public static address translation can occur for A-records in DNS replies.
The DNS ALG also now includes a maximum-message-length command option with a value range of 512 to 8192 bytes and a default value of 512 bytes. The DNS ALG will now drop traffic if the DNS message length exceeds the configured maximum, if the domain name is more than 255 bytes, or if the label length is more than 63 bytes. The ALG will also decompress domain name compression pointers and retrieve their related full domain names, check for the existence of compression pointer loops, and drop the traffic if a loop exists.
NOTE: DNS ALG can translate the first 32 A-records in a single DNS reply. A-records after the first 32 will not be handled. Also note that the DNS ALG supports only IPv4 addresses and does not support VPN tunnels.
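The two doctoring stages described above, as an added Python example that is not Juniper's code: it applies the sanity checks this section lists (maximum message length, 255-byte names, 63-byte labels, compression pointer loops) and then rewrites at most the first 32 A-records through a static NAT table. The function names, the STATIC_NAT mapping and the sample reply are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAX_NAME, MAX_LABEL, MAX_A_RECORDS = 255, 63, 32   # limits stated on this page

class DnsSanityError(ValueError):
    """A sanity check failed; a gateway would drop the packet."""

def read_name(msg, off):
    """Decompress the name at off; return (name, offset just past it in place)."""
    labels, wire_len, resume, seen = [], 1, None, set()
    while True:
        if off >= len(msg):
            raise DnsSanityError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if off + 1 >= len(msg):
                raise DnsSanityError("truncated compression pointer")
            resume = off + 2 if resume is None else resume
            off = ((n & 0x3F) << 8) | msg[off + 1]
            if off in seen:                        # same target twice: a loop
                raise DnsSanityError("compression pointer loop")
            seen.add(off)
        elif n == 0:                               # root label ends the name
            return ".".join(labels), (off + 1 if resume is None else resume)
        elif n > MAX_LABEL:
            raise DnsSanityError("label longer than 63 bytes")
        else:
            wire_len += n + 1
            if wire_len > MAX_NAME or off + 1 + n > len(msg):
                raise DnsSanityError("domain name longer than 255 bytes or truncated")
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += n + 1

def doctor_reply(msg, static_nat, max_len=512):
    """Sanity-check a reply, then rewrite A-record addresses found in static_nat."""
    if not 12 <= len(msg) <= max_len:
        raise DnsSanityError("message shorter than header or over maximum length")
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    out, off, a_seen, done = bytearray(msg), 12, 0, 0
    for _ in range(qdcount):                       # question: name, type, class
        off = read_name(msg, off)[1] + 4
    for _ in range(ancount):                       # answer resource records
        off = read_name(msg, off)[1]
        if off + 10 > len(msg):
            raise DnsSanityError("truncated resource record")
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise DnsSanityError("RDATA runs past end of message")
        if (rtype, rclass, rdlen) == (1, 1, 4):    # IN A record
            a_seen += 1
            new = static_nat.get(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if new is not None and a_seen <= MAX_A_RECORDS:
                out[off:off + 4] = new.packed      # records past the 32nd stay as-is
                done += 1
        off += rdlen
    return bytes(out), done

# Constructed sample: www.example.com reply; the A record's owner is pointer 0xC00C.
QNAME = b"\x03www\x07example\x03com\x00"
REPLY = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QNAME + b"\x00\x01\x00\x01"
         + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
STATIC_NAT = {ipaddress.IPv4Address("192.0.2.10"): ipaddress.IPv4Address("10.0.0.10")}
```

Calling doctor_reply(REPLY, STATIC_NAT) returns the reply with 192.0.2.10 rewritten to 10.0.0.10; the seen set is what bounds pointer chasing, since revisiting a pointer target can only mean a loop.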
Related Documentation
Junos OS CLI Reference
DNS Overview
IPv6 NAT Overview
IPv6 NAT PT Overview
IPv6 NAT-PT Communication Overview
Disabling DNS Doctoring (CLI Procedure)
PART 2
Configuration
VoIP DSCP Rewrite Rules
DNS Doctoring
Configuration Statements
CHAPTER 5
VoIP DSCP Rewrite Rules
Example: Configuring VoIP DSCP Rewrite Rules
This example shows how to configure VoIP DSCP.
Requirements
This example uses an SRX210 device. The example assumes that the ALG has been enabled.
Overview
This example shows how to configure four ALG DSCP markings: SIP, H323, MGCP, and SCCP. You set the 6-bit DSCP value configuration for each ALG DSCP.
Configuration
Step-by-Step Procedure
To configure VoIP DSCP rewrite rules:
1. Set the DSCP for each VoIP ALG.
[edit]
user@host# set security alg sip dscp-rewrite code-point 101010
user@host# set security alg h323 dscp-rewrite code-point 010101
user@host# set security alg mgcp dscp-rewrite code-point 111000
user@host# set security alg sccp dscp-rewrite code-point 000111
2. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify that the configuration is working properly, enter the show security alg command.
Related Documentation
Junos OS Feature Support Reference for SRX Series and J Series Devices
Understanding VoIP DSCP Rewrite Rules
CHAPTER 6
DNS Doctoring
Disabling DNS Doctoring (CLI Procedure)
The DNS doctoring feature is enabled by default. You can disable the DNS doctoring feature with the CLI.
To disable DNS doctoring:
1. To disable all the doctoring features, specify the none configuration option.
user@host# set security alg dns doctoring none
2. To disable the NAT feature and retain the sanity-check feature, specify the sanity-check configuration option.
user@host# set security alg dns doctoring sanity-check
3. If you are finished configuring the device, commit the configuration.
4. From configuration mode in the CLI, enter the show security alg dns doctoring command to verify the configuration.
Related Documentation
Junos OS Feature Support Reference for SRX Series and J Series Devices
Junos OS CLI Reference
DNS Overview
IPv6 NAT Overview
IPv6 NAT PT Overview
CHAPTER 7
Configuration Statements
[edit security alg] Hierarchy Level
security {
    alg {
        alg-manager {
            traceoptions {
                flag {
                    all;
                }
            }
        }
        alg-support-lib {
            traceoptions {
                flag {
                    all;
                }
            }
        }
        dns {
            disable;
            doctoring (none | sanity-check);
            maximum-message-length number;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        ftp {
            allow-mismatch-ip-address;
            disable;
            ftps-extension;
            line-break-extension;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        h323 {
            application-screen {
                message-flood {
                    gatekeeper {
                        threshold rate;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            endpoint-registration-timeout value-in-seconds;
            media-source-port-any;
            traceoptions {
                flag flag;
            }
        }
        ike-esp-nat {
            enable;
            esp-gate-timeout value-in-seconds;
            esp-session-timeout value-in-seconds;
            state-timeout value-in-seconds;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        mgcp {
            application-screen {
                connection-flood {
                    threshold rate;
                }
                message-flood {
                    threshold rate;
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            traceoptions {
                flag flag;
            }
            transaction-timeout value-in-seconds;
            traceoptions {
                flag flag;
            }
        }
        sip {
            application-screen {
                protect {
                    deny {
                        all {
                            timeout value-in-seconds;
                        }
                        destination-ip address;
                        timeout value-in-seconds;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            c-timeout value-in-minutes;
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            retain-hold-resource;
            t1-interval value-in-milliseconds;
            t4-interval value-in-seconds;
            traceoptions {
                flag flag;
            }
        }
        sql {
            disable;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        sunrpc {
            disable;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        talk {
            disable;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        tftp {
            disable;
            traceoptions {
                flag {
                    all;
                }
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            level (brief | detail | extensive | verbose);
            no-remote-trace;
        }
    }
}
Related Documentation
Junos OS Feature Support Reference for SRX Series and J Series Devices
        endpoint-registration-timeout value-in-seconds;
        media-source-port-any;
        traceoptions {
            flag flag;
        }
    }
    ike-esp-nat {
        enable;
        esp-gate-timeout value-in-seconds;
        esp-session-timeout value-in-seconds;
        state-timeout value-in-seconds;
        traceoptions {
            flag {
                all;
            }
        }
    }
    mgcp {
        application-screen {
            connection-flood {
                threshold rate;
            }
            message-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        traceoptions {
            flag flag;
        }
        transaction-timeout value-in-seconds;
    }
    msrpc {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    pptp {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    real {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    rsh {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    rtsp {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    sccp {
        application-screen {
            call-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        traceoptions {
            flag flag;
        }
    }
    sip {
        application-screen {
            protect {
                deny {
                    all {
                        timeout value-in-seconds;
                    }
                    destination-ip address;
                    timeout value-in-seconds;
                }
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        c-timeout value-in-minutes;
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        retain-hold-resource;
        t1-interval value-in-milliseconds;
        t4-interval value-in-seconds;
        traceoptions {
            flag flag;
        }
    }
    sql {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    sunrpc {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    talk {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    tftp {
        disable;
        traceoptions {
            flag {
                all;
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            (no-world-readable | world-readable);
            size maximum-file-size;
        }
        level (brief | detail | extensive | verbose);
        no-remote-trace;
    }
}
Hierarchy Level [edit security]
Release Information Statement introduced in Release 8.5 of Junos OS.
Description Configure an Application Layer Gateway (ALG) on the device. An ALG runs as a service and can be associated in policies with specified types of traffic. ALGs are enabled by default.
Options The remaining statements are explained separately.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
alg-manager
Syntax
alg-manager {
    traceoptions {
        flag {
            all;
        }
    }
}
Hierarchy Level [edit security alg]
Description Configures Application Layer Gateway (ALG) manager.
Options The remaining statements are explained separately.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
alg-support-lib
Syntax
alg-support-lib {
    traceoptions {
        flag {
            all;
        }
    }
}
Hierarchy Level [edit security alg-support-lib]
Release Information Statement introduced in Release 8.5 of Junos OS.
Description Configures the Application Layer Gateway (ALG) support library.
Options The remaining statements are explained separately.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
dns
Syntax
dns {
    disable;
    doctoring (none | sanity-check);
    maximum-message-length number;
    traceoptions {
        flag {
            all;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Release 8.5 of Junos OS.
Description Specify the Domain Name Service (DNS) Application Layer Gateway (ALG) on the device.
Options
disable: Disable the DNS ALG. By default, the DNS ALG is enabled. This option will enable or disable DNS ALG for both IPv4 and IPv6 mode.
doctoring: Configure DNS ALG doctoring.
    none: Disable all DNS ALG Doctoring.
    sanity-check: Perform only DNS ALG sanity checks.
maximum-message-length: A limit imposed on the size of individual DNS messages (see related section).
traceoptions: Configure SQL ALG tracing options.
    flag: Trace operation to perform.
        all: Trace all events.
        extensive: Display extensive amount of data.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
ftp (Security ALG)
Syntax
ftp {
    allow-mismatch-ip-address;
    disable;
    ftps-extension;
    line-break-extension;
    traceoptions {
        flag {
            all;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement modified in Release 11.4 of Junos OS.
Description Specify the FTP ALG on the device.
Options
disable: Disable the FTP ALG. By default, the FTP ALG is enabled. This option will enable or disable FTP ALG for both IPv4 and IPv6 mode.
ftps-extension: Enable secure FTP and FTP SSL protocols.
line-break-extension: Enable line-break-extension. This option will enable the FTP ALG to recognize the LF as line break in addition to the standard CR+LF (carriage return, followed by line feed).
traceoptions: Configure FTP ALG tracing options. To specify more than one trace operation, include multiple flag statements.
    flag: Trace operation to perform.
        all: Trace all events.
        extensive: (Optional) Display extensive amount of data.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
maximum-message-length
Syntax maximum-message-length number;
Hierarchy Level [edit security alg dns]
Release Information Statement introduced in Release 10.1 of Junos OS.
Description Specify the maximum DNS message length.
Options
number: Maximum length in bytes of a single DNS message.
Range: 512 through 8192 bytes.
Default: 512 bytes.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
sql
Syntax
sql {
    disable;
    traceoptions {
        flag {
            all;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Release 8.5 of Junos OS.
Description Specify the Oracle SQL ALG on the device.
Options
disable: Disable the SQL ALG. By default, the SQL ALG is enabled.
traceoptions: Configure SQL ALG tracing options.
    flag: Trace operation to perform.
        all: Trace all events.
        extensive: Display extensive amount of data.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
talk
Syntax
talk {
    disable;
    traceoptions {
        flag {
            all;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Release 8.5 of Junos OS.
Description Specify the TALK program ALG on the device.
Options
disable: Disable the TALK program ALG. By default, the TALK program ALG is enabled.
traceoptions: Configure TALK program ALG tracing options.
    flag: Trace operation to perform.
        all: Trace all events.
        extensive: Display extensive amount of data.
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Related Documentation
Junos OS Security Configuration Guide
If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and a filename.
Syntax: x K to specify KB, x m to specify MB, or x g to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
level: Set the level of debugging the output option.
    brief: Match brief messages.
    detail: Match detail messages.
    extensive: Match extensive messages.
    verbose: Match verbose messages.
no-remote-trace: Set remote tracing as disabled.
Required Privilege Level
trace: To view this statement in the configuration.
trace-control: To add this statement to the configuration.