Viewing list of ALGs and disabling an ALG differs on ScreenOS versions

Knowledge Base ID: KB13509
Last Updated: 29 Jun 2010
Version: 3.0

Summary:
How do I find out if an Application Layer Gateway (ALG) has been enabled on ScreenOS?

Problem or Goal:
Is FTP considered ALG traffic? It does not appear in the table produced by the following command:
FW-> get alg
MSRPC ALG : enabled
SUNRPC ALG : enabled
SQL ALG : enabled
SIP ALG : enabled
RTSP ALG : enabled
H323 ALG : enabled
MGCP ALG : enabled
SCCP ALG : enabled

Solution:

View ALGs

SCREENOS 5.4 and below:

In ScreenOS 5.4 and below, FTP is a hidden ALG.  Hidden ALGs can be viewed with the following command:
FW-> get nat registry vector

Id Address Comment
16 0063b148 DNS
1 0063cc9c FTP
6 00639a08 HTTP
2 0064a068 RSH
59 004f7938 H245
60 0051465c Q931
61 0051de9c RAS
71 00d5bb3c SCCP
72 00d699d4 MGCP_UA
73 00d699d4 MGCP_CA
5 00872814 PORTMAPPER
63 00db4f94 SIP
64 00650e28 SQLNETV2
65 006522a8 TALK
29 00652968 TFTP
62 00649754 REAL
11 0064d06c RTSP
66 00652c10 VDO
67 00653050 XING
68 00865e24 MSRPC_EPM

MASTER(M)-> get nat registry vector | i FTP
1 0063cc9c FTP

The non-hidden ALGs are displayed with the "get alg" command.

SCREENOS 6.0 and above:

In ScreenOS 6.0 and above, all the ALGs can be viewed with the following command:
FW-> get alg

DNS ALG : enabled
FTP ALG : enabled
H323 ALG : enabled
HTTP ALG : enabled
MGCP ALG : enabled
MSRPC ALG : enabled
PPTP ALG : enabled
REAL ALG : enabled
RSH ALG : enabled
RTSP ALG : enabled
SCCP ALG : enabled
SCTP ALG : enabled
APPLEICHAT ALG : enabled
SIP ALG : enabled
SQL ALG : enabled
SUNRPC ALG : enabled
TALK ALG : enabled
TFTP ALG : enabled
XING ALG : enabled


Disable ALGs

Globally

An ALG that appears in the output of the "get alg" command can be disabled and re-enabled globally with the following commands.  Once an ALG is disabled globally, ALG processing is no longer triggered for any of that ALG's traffic, regardless of policy.  This applies to ScreenOS 5.4, 6.0, and above.
FW-> unset alg <alg> enable
FW-> set alg <alg> enable

By Policy

The following example illustrates how an ALG can be selectively disabled for specific networks or host addresses through the policy configuration, using either the WebUI or the CLI:
set policy id 3 from "Trust" to "Untrust" "192.168.1.1/24" "Any" "FTP" permit
set policy id 3 application "IGNORE"
set policy id 3
A corresponding example for the WebUI can be found at KB7078.

NOTE:  Hidden ALGs in ScreenOS 5.4 and below cannot be disabled globally; the only way to disable them is via the policy.


Please refer to the following link for example configuration instructions for the FTP ALG:  KB7096

If you need to change the ALG from its predefined port to a custom port, this can also be done via the policy.

Important Note:  If you disable the ALG globally and then enable it on a policy (by specifying 'set policy id <id> application <service>'), the ALG will still not be triggered.  An ALG that is enabled explicitly on a policy also needs to be enabled globally in order to take effect.


*For ScreenOS 5.0 and below, the "get alg" command is not available at all.
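The rules above (visible versus hidden ALGs, global versus per-policy disabling, no "get alg" before 5.4) are easy to get wrong during an audit of captured CLI output. The following Python is an added example, not part of this KB or of ScreenOS: it parses constructed "get alg" and "get nat registry vector" listings modelled on those shown here, decides whether a named ALG is hidden, and emits the disabling command the article prescribes. The float version argument and the lower-case ALG keyword in "unset alg <alg> enable" are assumptions.

```python
import re

# Constructed sample CLI output, modelled on the listings in this article.
# ScreenOS 5.4 style: FTP is absent from "get alg" but present in the registry.
GET_ALG_54 = """\
MSRPC ALG : enabled
SUNRPC ALG : enabled
SQL ALG : enabled
SIP ALG : disabled
"""
GET_NAT_REGISTRY_54 = """\
Id Address Comment
16 0063b148 DNS
1 0063cc9c FTP
63 00db4f94 SIP
68 00865e24 MSRPC_EPM
"""
# ScreenOS 6.0 style: FTP is listed by "get alg".
GET_ALG_60 = "FTP ALG : enabled\nSIP ALG : enabled\n"

def parse_get_alg(text):
    """Map ALG name -> enabled? from 'get alg' lines such as 'FTP ALG : enabled'."""
    pat = re.compile(r"^\s*(\S+)\s+ALG\s*:\s*(enabled|disabled)\s*$", re.M | re.I)
    return {m.group(1).upper(): m.group(2).lower() == "enabled" for m in pat.finditer(text)}

def parse_nat_registry(text):
    """Map vector name -> id from 'get nat registry vector' rows; the header row is skipped."""
    pat = re.compile(r"^\s*(\d+)\s+([0-9a-f]{8})\s+(\S+)\s*$", re.M | re.I)
    return {m.group(3).upper(): int(m.group(1)) for m in pat.finditer(text)}

def is_hidden(alg, get_alg_text, registry_text):
    """Hidden ALG (5.4 and below): registered as a NAT vector but not shown by 'get alg'.
    Registry names do not always equal 'get alg' names (e.g. MSRPC_EPM vs MSRPC), so the
    caller passes the exact registry name to check."""
    name = alg.upper()
    return name in parse_nat_registry(registry_text) and name not in parse_get_alg(get_alg_text)

def disable_commands(alg, policy_id, version, get_alg_text):
    """CLI lines that disable `alg` per the article. `version` is the ScreenOS release
    as a float (assumed input format). On 5.0 and below 'get alg' does not exist, so only
    the policy route applies; otherwise an ALG listed by 'get alg' is disabled globally,
    and an unlisted (hidden) one is ignored on an existing policy `policy_id`.
    A per-policy 'application <service>' never re-enables a globally disabled ALG."""
    listed = version > 5.0 and alg.upper() in parse_get_alg(get_alg_text)
    if listed:
        return [f"unset alg {alg.lower()} enable"]  # ALG keyword lower-case, as in the CLI
    return [f'set policy id {policy_id} application "IGNORE"']
```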
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.