ALG for Tenant Systems

date_range 17-Feb-21

An Application Layer Gateway (ALG) in tenant systems enables the gateway to parse application layer payloads and make decisions about whether to allow or deny traffic to the application server. ALGs support applications such as File Transfer Protocol (FTP) and various IP protocols that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections. For more information, see the following topics:

Understanding ALG Support for Tenant System

An Application Layer Gateway (ALG) enables the gateway to parse application layer payloads and make decisions about whether to allow or deny traffic to the application server.

Starting in Junos OS Release 18.3R1, the ALG feature supported on logical systems is extended to tenant systems.

The tenant systems administrator can configure the ALG features for the tenant systems. The primary administrator can configure the ALG features and display the ALG information for all tenants. The tenant systems administrator can only apply configurations and display information in its own tenant.

Each tenant system displays its own ALG counters so that you can monitor the traffic. For example, use the show security alg sip counters tenants TN1 command to get the SIP counters for tenant system TN1, and the show security alg sip counters tenants all command to get the SIP counters for all existing tenant systems.

Enabling the security log for the tenant generates the ALG logs per tenant.

Note:

When you upgrade to Junos OS Release 18.3R1, the ALG status for each tenant system might differ depending on the default configuration or on the configuration in a release prior to Junos OS Release 18.3R1. We recommend that you review the ALG configuration of each tenant system after an upgrade to the latest Junos OS version and adjust it to your requirements.

Enabling and Disabling ALG for Tenant System

This topic shows how to enable or disable the ALG status for each tenant system.

  1. By default, the IKE ALG is disabled on the tenant system. To enable this ALG, use the following command.
    • Enable IKE and ESP ALG with NAT.

      [edit]
      user@host# set tenants TN1 security alg ike-esp-nat enable

  2. By default, the DNS, FTP, PPTP, SIP, SUNRPC, and TWAMP ALGs are enabled on the tenant system. To disable these ALGs, use the following commands.
    • Disable DNS ALG.

      [edit]
      user@host# set tenants TN1 security alg dns disable

    • Disable FTP ALG.

      [edit]
      user@host# set tenants TN1 security alg ftp disable

    • Disable H323 ALG.

      [edit]
      user@host# set tenants TN1 security alg h323 disable

    • Disable MGCP ALG.

      [edit]
      user@host# set tenants TN1 security alg mgcp disable

    • Disable MSRPC ALG.

      [edit]
      user@host# set tenants TN1 security alg msrpc disable

    • Disable PPTP ALG.

      [edit]
      user@host# set tenants TN1 security alg pptp disable

    • Disable RSH ALG.

      [edit]
      user@host# set tenants TN1 security alg rsh disable

    • Disable RTSP ALG.

      [edit]
      user@host# set tenants TN1 security alg rtsp disable

    • Disable SCCP ALG.

      [edit]
      user@host# set tenants TN1 security alg sccp disable

    • Disable SIP ALG.

      [edit]
      user@host# set tenants TN1 security alg sip disable

    • Disable SQL ALG.

      [edit]
      user@host# set tenants TN1 security alg sql disable

    • Disable SUNRPC ALG.

      [edit]
      user@host# set tenants TN1 security alg sunrpc disable

    • Disable TALK ALG.

      [edit]
      user@host# set tenants TN1 security alg talk disable

    • Disable TFTP ALG.

      [edit]
      user@host# set tenants TN1 security alg tftp disable

  3. Configure ALG functions in tenant systems.
    • Configure DNS ALG.

      [edit]
      user@host# set tenants TN1 security alg dns

    • Configure FTP ALG.

      [edit]
      user@host# set tenants TN1 security alg ftp

    • Configure H323 ALG.

      [edit]
      user@host# set tenants TN1 security alg h323

    • Configure IKE and ESP ALG with NAT.

      [edit]
      user@host# set tenants TN1 security alg ike-esp-nat

    • Configure MGCP ALG.

      [edit]
      user@host# set tenants TN1 security alg mgcp

    • Configure MSRPC ALG.

      [edit]
      user@host# set tenants TN1 security alg msrpc

    • Configure PPTP ALG.

      [edit]
      user@host# set tenants TN1 security alg pptp

    • Configure RSH ALG.

      [edit]
      user@host# set tenants TN1 security alg rsh

    • Configure RTSP ALG.

      [edit]
      user@host# set tenants TN1 security alg rtsp

    • Configure SCCP ALG.

      [edit]
      user@host# set tenants TN1 security alg sccp

    • Configure SIP ALG.

      [edit]
      user@host# set tenants TN1 security alg sip

    • Configure SQL ALG.

      [edit]
      user@host# set tenants TN1 security alg sql

    • Configure SUNRPC ALG.

      [edit]
      user@host# set tenants TN1 security alg sunrpc

    • Configure TALK ALG.

      [edit]
      user@host# set tenants TN1 security alg talk

    • Configure TFTP ALG.

      [edit]
      user@host# set tenants TN1 security alg tftp

    • Configure TWAMP ALG.

      [edit]
      user@host# set tenants TN1 security alg twamp

    • Configure the extended function for FTP ALG.

      [edit]
      user@host# set tenants TN1 security alg ftp allow-mismatch-ip-address

    • Configure the extended function for MSRPC ALG.

      [edit]
      user@host# set tenants TN1 security alg msrpc map-entry-timeout 10

    • Configure the extended function for SUNRPC ALG.

      [edit]
      user@host# set tenants TN1 security alg sunrpc map-entry-timeout 10

    • Configure the extended function for SIP ALG.

      [edit]
      user@host# set tenants TN1 security alg sip retain-hold-resource


Example: Configuring ALG in Tenant System

This example shows how to configure ALGs in a tenant system so that FTP traffic is handled according to the FTP ALG configuration of that individual tenant system.

Requirements

This example uses the following hardware and software components:

  • An SRX device

  • Junos OS Release 18.3R1

Before you begin:

  • Read Understanding ALG Support for Tenant System to understand how and where this procedure fits in the overall tenant support for ALGs.

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, the ALG for FTP is configured to monitor and allow FTP traffic to be exchanged between the clients and the server on a tenant system.

By default, the FTP ALG is enabled on the tenant system.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set system security-profile p1 policy maximum 100
set system security-profile p1 policy reserved 50
set system security-profile p1 zone maximum 100
set system security-profile p1 zone reserved 50
set system security-profile p1 flow-session maximum 6291456
set system security-profile p1 flow-session reserved 50
set system security-profile p1 flow-gate maximum 524288
set system security-profile p1 flow-gate reserved 50
set tenants TN1 routing-instances VR_TN1 instance-type vpls
set tenants TN1 routing-instances VR_TN1 interface lt-0/0/0.0
set system security-profile p1 tenant TN1
set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic system-services all
set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic protocols all
set tenants TN1 security zones security-zone TN1_Czone interfaces ge-0/0/0
set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic system-services all
set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic protocols all
set tenants TN1 security zones security-zone TN1_Szone interfaces ge-0/0/1
set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match source-address any
set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match destination-address any
set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ftp
set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ping
set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 then permit
set tenants TN1 security policies default-policy deny-all

Configuring FTP ALG in a Tenant System

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an ALG on a tenant system:

  1. Configure a security profile p1 for the tenant.

    [edit]
    user@host# set system security-profile p1 policy maximum 100
    user@host# set system security-profile p1 policy reserved 50
    user@host# set system security-profile p1 zone maximum 100
    user@host# set system security-profile p1 zone reserved 50
    user@host# set system security-profile p1 flow-session maximum 6291456
    user@host# set system security-profile p1 flow-session reserved 50
    user@host# set system security-profile p1 flow-gate maximum 524288
    user@host# set system security-profile p1 flow-gate reserved 50

  2. Configure the interfaces and routing instance for tenant system TN1.

    [edit]
    user@host# set tenants TN1 routing-instances VR_TN1 instance-type vpls
    user@host# set tenants TN1 routing-instances VR_TN1 interface lt-0/0/0.0

  3. Configure a security profile p1 and assign it to the tenant system TN1.

    [edit]
    user@host# set system security-profile p1 tenant TN1
    
  4. Configure security zones and assign interfaces to each zone.

    [edit]
    user@host# set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic system-services all
    user@host# set tenants TN1 security zones security-zone TN1_Czone host-inbound-traffic protocols all
    user@host# set tenants TN1 security zones security-zone TN1_Czone interfaces ge-0/0/0
    user@host# set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic system-services all
    user@host# set tenants TN1 security zones security-zone TN1_Szone host-inbound-traffic protocols all
    user@host# set tenants TN1 security zones security-zone TN1_Szone interfaces ge-0/0/1
    
  5. Configure a security policy that permits FTP traffic from zone TN1_Czone to zone TN1_Szone, and deny everything else by default.

    [edit]
    user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match source-address any
    user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match destination-address any
    user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ftp
    user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 match application junos-ping
    user@host# set tenants TN1 security policies from-zone TN1_Czone to-zone TN1_Szone policy p11 then permit
    user@host# set tenants TN1 security policies default-policy deny-all


Results

From configuration mode, confirm your configuration by entering the show tenants TN1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show tenants TN1
    routing-instances {
        VR_TN1 {
            instance-type vpls;
            interface lt-0/0/0.0;
        }
    }
    security {
        policies {
            from-zone TN1_Czone to-zone TN1_Szone {
                policy p11 {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-ftp junos-ping ];
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone TN1_Czone {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone TN1_Szone {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Intra-Tenant System traffic on ALG

Purpose

Verify the information about active resources, clients, groups, and sessions created through the resource manager.

Action

From operational mode, enter the show security resource-manager summary command.

user@host> show security resource-manager summary
Active resource-manager clients   : 0
Active resource-manager groups    : 0
Active resource-manager resources : 0
Active resource-manager sessions  : 0

Meaning

The output displays summary information about active resources, clients, groups, and sessions created through the resource manager.

Verify ALG status for Tenant System

Purpose

Verify the ALG status for tenant on the device.

Action

To verify that the configuration is working properly, enter the show security alg status tenant TN1 command from operational mode.

user@host> show security alg status tenant TN1
ALG Status:
  DNS      : Enabled
  FTP      : Enabled
  H323     : Disabled
  MGCP     : Disabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Disabled
  RTSP     : Disabled
  SCCP     : Disabled
  SIP      : Disabled
  SQL      : Disabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled
  TWAMP    : Disabled

Meaning

The output shows that the FTP ALG is enabled for tenant system TN1, which is what the FTP security policy in this example relies on.
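The note earlier on this page warns that the per-tenant ALG status may differ after an upgrade, and the verification step above shows the output you would check. The following script is an added example, not part of the Juniper documentation, that parses that status output, compares it against a desired baseline for one tenant, and emits the Junos commands needed to converge. It assumes the output shape shown above, a constructed baseline, and that an ALG's disable (or, for IKE-ESP, enable) knob is reverted with the delete form of the same statement; the sample status text is constructed for the example.

```python
"""Audit per-tenant ALG status on an SRX against a baseline and emit
the tenants-hierarchy commands needed to converge (added example)."""
import re

# Constructed sample of `show security alg status tenant TN1` output,
# shaped like the documentation output; the values are sample data.
SAMPLE_STATUS = """\
ALG Status:
  DNS      : Enabled
  FTP      : Enabled
  H323     : Disabled
  MGCP     : Disabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Disabled
  RTSP     : Disabled
  SCCP     : Disabled
  SIP      : Disabled
  SQL      : Disabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled
  TWAMP    : Disabled
"""

# Status names map to the keyword under [edit tenants <name> security alg]
# by lower-casing, except IKE-ESP, whose keyword is ike-esp-nat.
CONFIG_KEYWORD = {"IKE-ESP": "ike-esp-nat"}

# Constructed baseline for this example: keep only the ALGs the tenant's
# policy needs (FTP for policy p11) and turn off the rest that parse
# untrusted payloads. ALGs not listed are left as they are.
DESIRED_TN1 = {
    "FTP": True, "DNS": True,
    "TALK": False, "TFTP": False, "MSRPC": False,
    "PPTP": False, "SUNRPC": False, "SIP": False, "H323": False,
}

_STATUS_LINE = re.compile(r"^\s*([A-Z0-9-]+)\s*:\s*(Enabled|Disabled)\s*$")


def parse_alg_status(text):
    """Return {ALG_NAME: True/False} from the status output.
    Raises ValueError on a line that does not fit the expected shape,
    so a changed output format is noticed instead of silently ignored."""
    status = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.endswith(":"):   # blank or "ALG Status:" header
            continue
        m = _STATUS_LINE.match(line)
        if not m:
            raise ValueError("unrecognised status line: %r" % line)
        status[m.group(1)] = (m.group(2) == "Enabled")
    return status


def alg_drift(actual, desired):
    """ALGs whose actual state differs from the baseline: {name: desired}.
    An ALG absent from the device output counts as drift (state unknown)."""
    return {name: want for name, want in desired.items()
            if actual.get(name) != want}


def remediation_commands(tenant, drift):
    """Build the [edit] commands that bring the tenant to the baseline.
    Disabling uses the `... <alg> disable` statement from the page; re-enabling
    is assumed to be the `delete` of that statement. IKE-ESP is the reverse
    case: it is enabled with `... ike-esp-nat enable` and disabled by deleting it."""
    cmds = []
    for name, want in sorted(drift.items()):
        kw = CONFIG_KEYWORD.get(name, name.lower())
        if kw == "ike-esp-nat":
            verb = "set" if want else "delete"
            cmds.append("%s tenants %s security alg %s enable" % (verb, tenant, kw))
        else:
            verb = "delete" if want else "set"
            cmds.append("%s tenants %s security alg %s disable" % (verb, tenant, kw))
    return cmds


def audit_tenant(tenant, status_text, desired):
    """Parse, diff and return the remediation commands for one tenant."""
    return remediation_commands(tenant, alg_drift(parse_alg_status(status_text), desired))


if __name__ == "__main__":
    for cmd in audit_tenant("TN1", SAMPLE_STATUS, DESIRED_TN1):
        print(cmd)
```

Run this against the captured output of each tenant (the page's show security alg status tenant command) after an upgrade; an empty command list means the tenant already matches its baseline, and a ValueError means the output format changed and the parser needs attention before its result is trusted.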
