Understanding ALG Support for VRF Routing Instance

Starting in Junos OS Release 15.1X49-D160, to support MPLS-based implementations, virtual routing and forwarding (VRF) instances are supported in an Application Layer Gateway (ALG) module of an SRX Series Firewall. The ALG module is responsible for associating multiple connections from an application with the initial session that the application creates. The ALG module intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the device.

An ALG module performs the following functions:

  • Inspects the packet for embedded IP address and port information in the packet payload. When the first packet arrives at the device, it undergoes flow first-path processing to identify whether the incoming traffic could match a gate. The search key uses details such as zone, source IP address, destination IP address, source port, destination port, source VRF details, and destination VRF details.

  • Opens a pinhole for a new connection between a client and a server, and transfers data between a client and a server located on opposite sides of an SRX Series Firewall.

  • Performs Network Address Translation (NAT) processing, if necessary.

The ALG module also opens a gate for the IP address and port number to permit data exchange for the control and data sessions. Starting in Junos OS Release 15.1X49-D160, ALG supports control sessions and data sessions belonging to the same VRF.
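The gate lookup described above can be modeled in a few lines. This is an added conceptual example, not Junos code or Juniper's implementation: it uses an FTP passive-mode (227) reply as the payload carrying the embedded address and port. The class names, zone and VRF names, sample addresses, and the wildcarded source port are assumptions made for illustration.

```python
# Conceptual model of a VRF-aware ALG gate lookup. Constructed for illustration;
# it is not Junos code, and all names and sample values are hypothetical.
import re
from typing import NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    src_vrf: str
    dst_vrf: str

PASV_RE = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(payload: bytes) -> Optional[Tuple[str, int]]:
    """Pull the embedded IP address and port out of an FTP 227 reply."""
    m = PASV_RE.match(payload)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):  # reject malformed octets and port bytes
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

class GateTable:
    def __init__(self) -> None:
        self.gates = set()

    def open_gate(self, control: Packet, reply: bytes) -> bool:
        """Open a pinhole for the data session announced on the control session."""
        target = parse_pasv(reply)
        if target is None:
            return False
        ip, port = target
        # Assumption: the data connection's source port is unknown in advance,
        # so this model wildcards it (None). VRF details are inherited from the
        # control session, so only a data session in the same VRF can match.
        self.gates.add((control.zone, control.src_ip, ip, None, port,
                        control.src_vrf, control.dst_vrf))
        return True

    def matches(self, pkt: Packet) -> bool:
        """First-path check: does this new flow hit an open gate?"""
        key = (pkt.zone, pkt.src_ip, pkt.dst_ip, None, pkt.dst_port,
               pkt.src_vrf, pkt.dst_vrf)
        return key in self.gates
```

A data flow with the same addresses and ports but a different source or destination VRF produces a different key and does not match the gate, so it falls through to normal policy lookup.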