SRX Services Gateway

SIP ALG impact on SRX performance

‎07-18-2017 09:07 AM

Hi community,

 

We are going to enable the SIP ALG on an SRX5600 firewall. I would like to ask about the following issues:


 - Impact of enabling the ALG in terms of SRX performance (CPU, etc.)

 - Any recommendation about configuration based on previous experiences.

 

Traffic/calls will come from the Internet and NAT won't be configured. Would it be recommended to use screen options together with the ALG in order to mitigate attacks?

 

Thank you in advance!

 

BR / Iván

3 REPLIES 3

Re: SIP ALG impact on SRX performance

‎07-18-2017 08:03 PM

Hi Ivan,

 

Considering the fact that you have an SRX5600 and no NAT, there should not be a lot of performance impact, but we really cannot say as much until we know how much SIP traffic you expect the FW to handle.

 

Regarding configuration, you may want to check the documents mentioned below. The first is a note which explains the working of the SIP ALG, and the second is a configuration guide along with probable scenarios.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/alg-security-sip-understanding.html

 

http://www.juniper.net/documentation/en_US/junos12.1x47/information-products/pathway-pages/security/...

 

Regards,
Anand


Re: SIP ALG impact on SRX performance

‎08-23-2017 01:07 AM
 

Re: SIP ALG impact on SRX performance

‎08-23-2017 01:14 AM
In my opinion, SIP and SCCP together (I think) improve performance because the common network range is extended to the mobile device sector of networking. Using only SCCP will not bring gain. SIP will, though. Phone switching will always bring broader performance, but round trip could potentially get much longer. You may have to multi-home properly so they both jive. One protocol alone is not as extended.