Configuring ScreenOS Devices Guide
Enabling/Disabling Application Layer Gateway Protocols Overview
You can also shape traffic at the policy level to allocate bandwidth for particular types
of traffic.
Guaranteed bandwidth and maximum bandwidth are not strictly policy-based. With
multiple physical interfaces in the egress zone, they depend on both the policy and the
total bandwidth available on the egress physical interfaces. The physical bandwidth of
every interface is allocated to the guaranteed bandwidth parameter for all policies. Any
bandwidth left over can be shared by any other traffic. In other words, each policy gets
its guaranteed bandwidth and shares whatever is left over, on a priority basis (up to the
limit of its maximum bandwidth specification), with all other policies. For more
information about configuring physical settings on the device interface, refer to
"Setting Physical Link Attributes for Interfaces" on page 55.
Using the traffic shaping option, you can configure the following traffic shaping
parameters:

- Priority Levels—You can use the Traffic Shaping screen to perform priority queuing on
  bandwidth that is not allocated to guaranteed bandwidth, or on unused guaranteed
  bandwidth. Queuing allows the security device to buffer traffic in up to eight different
  priority queues. The security device maps the eight priority levels to the first three bits
  in the DiffServ field, or to the IP precedence field in the ToS byte in the IP packet header.
  By default, the highest priority (priority 0) on the security device maps to 111 in the IP
  precedence field. The lowest priority (priority 7) maps to 000 in the IP precedence
  field.
- Traffic Shaping Mode—Traffic shaping is automatically determined by the device, but
  you can set it to on or off.
- Clear DSCP Class Selector—The class selector controls the number of bits affected
  in the DiffServ field. By default, the priority levels affect only the first three bits in the
  eight-bit DiffServ field. The remaining bits are untouched, but can be altered by an
  upstream router, which might change the IP priority preference. When the DSCP class
  selector is enabled, the class selector zeroes the remaining five bits in the DiffServ field,
  which prevents upstream routers from altering priority levels.
For a more detailed explanation about configuring traffic shaping on security devices,
see the "Fundamentals" volume in the Concepts & Examples ScreenOS Reference Guide.
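The priority-level mapping and the Clear DSCP Class Selector behavior described above can be traced on a single packet header. The following is an added example, not code from the guide or from ScreenOS: the function names and the sample header are constructed for illustration, and the linear mapping for priority levels 1 through 6 is an assumption (the text states only the endpoints, 0 to 111 and 7 to 000).

```python
import struct

def precedence_for_priority(priority: int) -> int:
    """Map a device priority level (0 highest .. 7 lowest) to IP precedence bits.
    The text gives only the endpoints (0 -> 111, 7 -> 000); the linear mapping
    for levels 1-6 is an assumption of this example."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be in 0..7")
    return 7 - priority

def remark_ds_field(ds: int, priority: int, clear_class_selector: bool) -> int:
    """Return the rewritten eight-bit DiffServ/ToS byte."""
    top3 = precedence_for_priority(priority) << 5
    # Class selector off: the remaining five bits pass through untouched.
    # Class selector on: they are zeroed.
    low5 = 0 if clear_class_selector else ds & 0x1F
    return top3 | low5

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def remark_packet(packet: bytes, priority: int, clear_class_selector: bool) -> bytes:
    """Rewrite byte 1 of an IPv4 header and recompute the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = remark_ds_field(hdr[1], priority, clear_class_selector)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def sample_header(ds: int) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses, no payload)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, ds, 20, 0, 0, 64, 6, 0,
                                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    original = sample_header(0xB8)  # constructed input: 101 11000
    for clear in (False, True):
        out = remark_packet(original, priority=0, clear_class_selector=clear)
        print(f"class selector {'on ' if clear else 'off'}: "
              f"{original[1]:08b} -> {out[1]:08b}, checksum ok: {ipv4_checksum(out[:20]) == 0}")
```

Comparing the two output lines shows which bits a downstream device would still see from the original marking when the class selector is left off.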
Related Documentation:

- Configuring H.323 Settings on page 119
- Configuring MGCP Settings on page 118
- Configuring SIP Settings on page 116
Application Layer Gateways (ALGs) manage specific protocols by intercepting traffic as
it passes through the security device. After analyzing the traffic, the ALG allocates
resources to permit the traffic to pass securely. By default, all ALGs are enabled on a
security device. In situations where a security device is receiving an excessive amount of
Copyright © 2010, Juniper Networks, Inc.