I use an SRX100 firewall with zones and policies to isolate several subnets. I do not know what ALG is. All of my policies are "application any".
Why am I getting the error listed below? How do I allow the traffic that is apparently being blocked?
RT_ALT_WRN_CFG_NEED: MSRPC ALG detected packet from x which need extra policy with UUID:x or 'junos-ms-rpc-any' to let is pass-through on ASL session
ALG stands for application layer gateway and is an automatic function that allows related traffic, usually on high ports, that belongs to the main traffic permitted by the policy. This describes the specific behavior of the MSRPC ALG.
A number of ALGs are on by default on the SRX to permit common traffic. If you don't need the MSRPC ALG you can simply disable this ALG and the log messages will stop.
set security alg msrpc disable
If you are using MSRPC and need to correct for the traffic, configure the specific traffic version needed here.
Can you explain to me: why is the juniper blocking any traffic when I specify I want to allow any source address, any destination address, any application, and any source-identity?
What technically is so special about MSRPC that the Juniper is blocking it despite my any/any/any/any policy? Is it because "the port number is high"?
What else besides MSRPC does the Juniper block when I tell it to allow "any/any/any/any" traffic?
If you are NOT using MSRPC, then the traffic is hitting the ALG in error and causing the traffic to be incorrectly processed. So the solution then is to turn the ALG off.
If you ARE using MSRPC, then the traffic cannot be fully processed by the ALG because the rule is "any" and not application specific so the ALG cannot fully function.
I have not researched MSRPC, but typically the issue that an ALG fixes is that the INITIAL traffic is in one direction, zone to zone, on a particular port. But this session then sets up REVERSE traffic that initiates with different ports (usually high ones) that need to be open and are not, because they are random and session specific. The ALG recognizes the traffic as part of the primary direction permitted flow and opens automatic "pinhole" rules to permit the return traffic in the REVERSE direction that would otherwise require a rule.
The firewall blocks by default and only permits what is in a rule. If you have an any/any allow rule in one direction and then a second any/any allow rule for the reverse direction, then the ALG would not be needed. The ALG is needed if there are restrictions in the REVERSE direction of the normal traffic.
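The two choices described in this reply, written out as Junos set commands. This is an added example, not configuration from any poster in the thread; the zone names trust and servers, the policy name allow-msrpc and the placeholder for the existing any-application policy are assumed, while junos-ms-rpc-any is the predefined application named in the original log message.

```text
## Option 1: MSRPC is not in use, so stop the ALG from intercepting traffic
set security alg msrpc disable
commit

## Option 2: MSRPC is in use, so keep the ALG and give it an application-specific
## policy to work from (zone names "trust" and "servers" are assumed)
set security policies from-zone trust to-zone servers policy allow-msrpc match source-address any
set security policies from-zone trust to-zone servers policy allow-msrpc match destination-address any
set security policies from-zone trust to-zone servers policy allow-msrpc match application junos-ms-rpc-any
set security policies from-zone trust to-zone servers policy allow-msrpc then permit
## Policies are evaluated top-down, so place this one above the existing
## "application any" policy for the same zone pair (name is a placeholder)
insert security policies from-zone trust to-zone servers policy allow-msrpc before policy <your-any-policy>
commit

## Verify which ALGs are enabled after the change (operational mode)
show security alg status
```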
Thank you for your explanation. I will try to repeat what you said: MSRPC is an odd protocol in that after a client initiates a connection to the server, the server then attempts to initiate a connection back to the client. Since in general our security policies typically disallow connections from the server to the client, the Junos MSRPC ALG attempts to temporarily allow some of this "backwards" traffic. If my policies allow any/any/any/any traffic in both directions, the MSRPC ALG is not needed in my case.
Thank you again,
Sounds good to me. So in your case you simply disable this ALG to prevent unintended behavior.
In simple words, an ALG does dynamic port opening based on the application type. By default the MSRPC ALG is enabled on Junos devices, and the error message you are seeing could be a software issue that needs investigation. I would recommend opening a JTAC ticket to get this investigated further. For a quick fix you may try disabling the MSRPC ALG and opening an any/any policy in both directions between server and client.
disable MSRPC ALG:
root# set security alg msrpc disable