How do I find out if an Application Layer Gateway (ALG) has been enabled on ScreenOS?
Is there a command to list the ALGs the firewall supports and show their current status?
In ScreenOS 6.0 and above, all ALGs and their current state (enabled or disabled) can be viewed with the following command:
FW-> get alg
DNS ALG : enabled
FTP ALG : enabled
H323 ALG : enabled
HTTP ALG : enabled
MGCP ALG : enabled
MSRPC ALG : enabled
PPTP ALG : enabled
REAL ALG : enabled
RSH ALG : enabled
RTSP ALG : enabled
SCCP ALG : enabled
SCTP ALG : enabled
APPLEICHAT ALG : enabled
SIP ALG : enabled
SQL ALG : enabled
SUNRPC ALG : enabled
TALK ALG : enabled
TFTP ALG : enabled
XING ALG : enabled
Disable ALGs
Globally
Any ALG that appears in the output of the "get alg" command can be globally disabled and re-enabled with the following commands. If you disable an ALG globally, ALG processing is no longer triggered for any traffic related to that ALG, regardless of policy. This applies to ScreenOS 5.4, 6.0, and above.
FW-> unset alg <alg> enable
FW-> set alg <alg> enable
By Policy
The following example illustrates how an ALG can be selectively disabled for specific networks or host addresses through the policy configuration, using either the WebUI or the CLI. In the CLI, setting the policy's application to "IGNORE" turns off ALG processing for traffic that matches that policy while the policy itself still permits the traffic:
set policy id 3 from "Trust" to "Untrust" "192.168.1.1/24" "Any" "FTP" permit
set policy id 3 application "IGNORE"
set policy id 3
A corresponding example for the WebUI can be found in KB7078.
NOTE: For hidden ALGs in ScreenOS 5.4 and below (ALGs that are not listed by "get alg"), the only way to disable them is via the policy.
For example configuration instructions for the FTP ALG, refer to KB7096.
If you need an ALG to run on a custom port instead of its predefined port, this is also done via the policy: create a policy for a service defined on the custom port and bind the ALG to that policy with the "application" setting shown below.
Important Note: If you disable an ALG globally and then enable it on a policy (by specifying 'set policy id <id> application <service>'), the ALG will still not be triggered. An ALG enabled explicitly on a policy also needs to be enabled globally in order to take effect.
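The checks on this page can be scripted against a saved "get alg" listing and a saved configuration. The following shell example is added here and is not part of the original article or of ScreenOS itself: it reports an ALG's state from the listing, emits the "unset alg <alg> enable" commands for ALGs you want off that are still on, and flags policies whose "application" binding names an ALG that the same configuration disables globally, which is exactly the case the Important Note says will not take effect. The listing and the policies are constructed samples, not captured from a device; the policy ids, the "SIP-5061" custom service name, and the assumption that the "unset alg" keyword is simply the lowercased ALG name are illustrative.

```shell
#!/bin/sh
# Constructed sample of "get alg" output (not captured from a real device).
GET_ALG_OUTPUT='DNS ALG : enabled
FTP ALG : enabled
SIP ALG : disabled
TFTP ALG : enabled'

# Constructed ScreenOS configuration fragment with hypothetical policy ids and
# a hypothetical custom service "SIP-5061" on a non-default port.
CONFIG='unset alg sip enable
set policy id 3 from "Trust" to "Untrust" "192.168.1.1/24" "Any" "FTP" permit
set policy id 3 application "IGNORE"
set policy id 7 from "Trust" to "Untrust" "Any" "Any" "SIP-5061" permit
set policy id 7 application "SIP"
set policy id 9 from "Trust" to "Untrust" "Any" "Any" "TFTP" permit
set policy id 9 application "TFTP"'

# alg_state NAME LISTING -> prints "enabled" or "disabled" for NAME (case-insensitive)
alg_state() {
  printf '%s\n' "$2" | awk -v n="$1" 'toupper($1)==toupper(n) && $2=="ALG" {print $4}'
}

# enabled_algs LISTING -> space-separated names of all ALGs reported as enabled
enabled_algs() {
  printf '%s\n' "$1" | awk '$2=="ALG" && $4=="enabled" {printf "%s ", $1}' | sed 's/ $//'
}

# disable_commands LISTING ALG... -> one "unset alg <alg> enable" line per named ALG
# that the listing still shows as enabled (already-disabled ALGs produce nothing).
# Assumption: the CLI keyword is the ALG name in lower case.
disable_commands() {
  out=$1; shift
  for a in "$@"; do
    if [ "$(alg_state "$a" "$out")" = "enabled" ]; then
      printf 'unset alg %s enable\n' "$(printf '%s' "$a" | tr 'A-Z' 'a-z')"
    fi
  done
}

# ineffective_policy_algs CONFIG -> "<policy id> <ALG>" for every policy whose
# "application" binding names an ALG the same configuration disables globally.
# Such a binding never fires, because a policy-level ALG also needs the global enable.
ineffective_policy_algs() {
  printf '%s\n' "$1" | awk '
    $1=="unset" && $2=="alg" && $4=="enable" { off[toupper($3)]=1 }
    $1=="set" && $2=="policy" && $3=="id" && $5=="application" {
      app=$6; gsub(/"/, "", app); app=toupper(app)
      if (app!="IGNORE") binding[$4]=app   # IGNORE disables the ALG, so it is never a binding
    }
    END { for (id in binding) if (binding[id] in off) print id, binding[id] }'
}
```

Paste a real "get alg" listing and a "get config" dump into the two variables (or read them from files) and run the functions; any line printed by ineffective_policy_algs is a policy that will never get ALG processing until the matching "set alg <alg> enable" is issued globally.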
2020-03-21: Minor, non-technical update.
2017-12-23: Article reviewed for accuracy. Article tagged as a ScreenOS KB. Article is correct and complete.