alg
Syntax
alg {
    alg-manager {
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    alg-support-lib {
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    dns {
        disable;
        doctoring (none | sanity-check);
        maximum-message-length bytes;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    ftp {
        allow-mismatch-ip-address;
        disable;
        ftps-extension;
        line-break-extension;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    h323 {
        application-screen {
            message-flood {
                gatekeeper {
                    threshold rate;
                }
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        endpoint-registration-timeout value-in-seconds;
        media-source-port-any;
        traceoptions {
            flag flag <detail | extensive | terse>;
        }
    }
    ike-esp-nat {
        enable;
        esp-gate-timeout value-in-seconds;
        esp-session-timeout value-in-seconds;
        state-timeout value-in-seconds;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    mgcp {
        application-screen {
            connection-flood {
                threshold rate;
            }
            message-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        traceoptions {
            flag flag <extensive>;
        }
        transaction-timeout value-in-seconds;
    }
    msrpc {
        disable;
        map-entry-timeout;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    pptp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    rsh {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    rtsp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    sccp {
        application-screen {
            call-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        traceoptions {
            flag flag <extensive>;
        }
    }
    sip {
        application-screen {
            protect {
                deny {
                    all {
                        timeout value-in-seconds;
                    }
                    destination-ip address;
                    timeout value-in-seconds;
                }
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        c-timeout value-in-minutes;
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        retain-hold-resource;
        t1-interval value-in-milliseconds;
        t4-interval value-in-seconds;
        traceoptions {
            flag flag <detail | extensive | terse>;
        }
    }
    sql {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    sunrpc {
        disable;
        map-entry-timeout;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    talk {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    tftp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            (no-world-readable | world-readable);
            size maximum-file-size;
        }
        level (brief | detail | extensive | verbose);
        no-remote-trace;
    }
    twamp {
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
}
Hierarchy Level
[edit security], [edit tenants tenant-name security], [edit services], [edit logical-systems name security]
Description
Configure an Application Layer Gateway (ALG) on the device. An ALG runs as a service and can be associated in policies with specified types of traffic. ALGs are enabled by default.
Options
bytes—Maximum length in bytes of a single DNS message.
- Range: 512 through 8192 bytes
- Default: 512 bytes
c-timeout value-in-minutes—Specifies the timeout interval for Session Initiation Protocol (SIP) transactions in minutes.
- Range: 3 through 10 minutes
- Default: 3 minutes
endpoint-registration-timeout value-in-seconds—Specifies the timeout value in seconds for entries in the NAT table.
- Range: 10 through 50,000 seconds
- Default: 3600 seconds
inactive-media-timeout value-in-seconds—(MGCP) Specifies the maximum time duration that the temporary openings in the firewall (pinholes) remain open for media if no activity is detected.
- Range: 10 through 2550 seconds
- Default: 120 seconds
inactive-media-timeout value-in-seconds—(SCCP) Specifies the maximum time duration that the temporary openings in the firewall (pinholes) remain open for media if no activity is detected.
- Range: 10 through 600 seconds
- Default: 120 seconds
inactive-media-timeout value-in-seconds—(SIP) Specifies the maximum time duration that the temporary openings in the firewall (pinholes) remain open for media if no activity is detected.
- Range: 0 through 2550 seconds
- Default: 120 seconds
maximum-call-duration value-in-minutes—Specifies the maximum call duration, after which the call ends and the media sessions are released.
- Range: 3 through 720 minutes
- Default: 720 minutes
media-source-port-any—Allow media traffic from any port number. By default, this feature is disabled, and a temporary opening in the firewall (pinhole) is opened for media traffic.
retain-hold-resource—Enable the device to not free media resources for a Session Initiation Protocol (SIP) Application Layer Gateway (ALG), even when a media stream is placed on hold. By default, media stream resources are released when the media stream is held.
transaction-timeout value-in-seconds—Specifies the timeout value for Media Gateway Control Protocol (MGCP) transactions. If a transaction exceeds the timeout value, it is removed by MGCP transaction age-out processing.
- Range: 3 through 50 seconds
- Default: 30 seconds
t1-interval value-in-milliseconds—Specifies the maximum round-trip time (RTT) (in milliseconds) allowed for Session Initiation Protocol (SIP) transactions.
- Range: 500 through 5000 milliseconds
- Default: 500 milliseconds
t4-interval value-in-seconds—Specifies the maximum length of time (in seconds) that the network can take to clear messages between client and server Session Initiation Protocol (SIP) transactions.
- Range: 5 through 10 seconds
- Default: 5 seconds
The remaining statements are explained separately. See CLI Explorer.
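An added example, not part of the Juniper documentation: a Python check that reads `show configuration security alg | display set` output and reports values outside the ranges listed above, any use of media-source-port-any, and which ALGs have no disable line and so remain enabled by default. The function name `audit`, the sample lines, and the assumption that the input covers a single security hierarchy (the device, one logical system, or one tenant) are constructed for illustration.

```python
import re

# (ALG, statement) -> (min, max), copied from the Options section of this page.
RANGES = {
    ("dns", "maximum-message-length"): (512, 8192),
    ("h323", "endpoint-registration-timeout"): (10, 50000),
    ("mgcp", "inactive-media-timeout"): (10, 2550),
    ("sccp", "inactive-media-timeout"): (10, 600),
    ("sip", "inactive-media-timeout"): (0, 2550),
    ("mgcp", "maximum-call-duration"): (3, 720),
    ("sip", "maximum-call-duration"): (3, 720),
    ("mgcp", "transaction-timeout"): (3, 50),
    ("sip", "c-timeout"): (3, 10),
    ("sip", "t1-interval"): (500, 5000),
    ("sip", "t4-interval"): (5, 10),
}
# ALGs whose stanza in the Syntax section has a `disable` statement.
HAS_DISABLE = {"dns", "ftp", "h323", "mgcp", "msrpc", "pptp", "rsh", "rtsp",
               "sccp", "sip", "sql", "sunrpc", "talk", "tftp"}
LINE = re.compile(r"^set (?:(?:logical-systems|tenants) \S+ )?security alg "
                  r"(\S+) (\S+)(?: (\S+))?")

def audit(display_set_text):
    """Return (findings, ALGs with no `disable` line) for display-set output."""
    findings, disabled = [], set()
    for raw in display_set_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        alg, stmt, value = m.groups()
        if stmt == "disable":
            disabled.add(alg)
        elif stmt == "media-source-port-any":
            findings.append(f"{alg} {stmt}: media allowed from any port number")
        elif (alg, stmt) in RANGES and value is not None:
            lo, hi = RANGES[(alg, stmt)]
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"{alg} {stmt} {value}: outside range {lo}-{hi}")
    return findings, sorted(HAS_DISABLE - disabled)

# Constructed sample input, not taken from a real device.
SAMPLE = """set security alg sip inactive-media-timeout 3600
set security alg sccp inactive-media-timeout 300
set security alg h323 media-source-port-any
set security alg ftp disable
set security alg traceoptions level brief"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The second list reflects only missing disable lines; ike-esp-nat and twamp are left out because their stanzas in the Syntax section have no disable statement.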
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
Statement supported in Junos OS Release 18.3R1 for tenant systems.
maximum-message-length bytes option introduced in Junos OS Release 10.1.
twamp option introduced in Junos OS Release 18.2R1.