
[ScreenOS] Viewing list of ALGs and disabling an ALG differs on ScreenOS versions


Article ID: KB13509 | Last Updated: 21 Mar 2020 | Version: 5.0
Summary:

How do I find out if an Application Layer Gateway (ALG) has been enabled on ScreenOS?

Symptoms:

Is there a command that lists the ALGs the firewall supports and shows whether each one is enabled?

Solution:

In ScreenOS 6.0 and above, all the ALGs can be viewed with the following command:

FW-> get alg

DNS ALG : enabled
FTP ALG : enabled
H323 ALG : enabled
HTTP ALG : enabled
MGCP ALG : enabled
MSRPC ALG : enabled
PPTP ALG : enabled
REAL ALG : enabled
RSH ALG : enabled
RTSP ALG : enabled
SCCP ALG : enabled
SCTP ALG : enabled
APPLEICHAT ALG : enabled
SIP ALG : enabled
SQL ALG : enabled
SUNRPC ALG : enabled
TALK ALG : enabled
TFTP ALG : enabled
XING ALG : enabled


Disable ALGs

Globally

For ALGs that appear in the output of the "get alg" command, the ALG can be globally disabled and enabled with the following commands. If you disable an ALG globally, ALG processing is no longer triggered for any traffic related to that ALG. This applies to ScreenOS 5.4, 6.0, and above.
FW-> unset alg <alg> enable
FW-> set alg <alg> enable

By Policy

The following example illustrates how the ALG can be selectively disabled for specific networks or host addresses through the policy configuration, using either the WebUI or the CLI:
set policy id 3 from "Trust" to "Untrust" "192.168.1.1/24" "Any" "FTP" permit
set policy id 3 application "IGNORE"
set policy id 3
A corresponding example for the WebUI can be found at KB7078.

NOTE:  For hidden ALGs in ScreenOS 5.4 and below, the only way to disable these ALGs is via the policy.

Please refer to the following link for example configuration instructions for the FTP ALG:  KB7096

If you need to change the ALG from its predefined port to a custom port, this can also be done via the policy.

Important Note:  If you disable the ALG globally and then enable it on a policy (by specifying 'set policy id <id> application <service>'), the ALG will still not be triggered. An ALG that is enabled explicitly on a policy also needs to be enabled globally in order to take effect.
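The following script is an added example and is not part of this article or of Juniper's own tooling. It parses captured "get alg" output and policy lines from "get config" (the samples embedded below are constructed, not taken from a real device) and applies the two rules stated above: a policy with application "IGNORE" bypasses the ALG, and an ALG named on a policy is only effective if it is also enabled globally. It assumes the simplified model that a predefined service name (e.g. "FTP", "SIP") maps directly to the ALG of the same name; services such as "Any" or custom services are reported as triggering no ALG.

```python
"""Audit effective ALG state per policy from captured ScreenOS CLI output.

Added example (not from the KB article or Juniper). Assumes the output of
"get alg" and the policy lines of "get config" have been saved as text.
"""
import re

# Constructed sample of "get alg" output (ScreenOS 6.0+ format);
# FTP is deliberately disabled to exercise the global-override rule.
SAMPLE_GET_ALG = """\
FW-> get alg

DNS ALG : enabled
FTP ALG : disabled
H323 ALG : enabled
SIP ALG : enabled
"""

# Constructed sample of policy lines as they appear in "get config".
SAMPLE_POLICY_CONFIG = """\
set policy id 3 from "Trust" to "Untrust" "192.168.1.1/24" "Any" "FTP" permit
set policy id 3 application "IGNORE"
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "SIP" permit
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "FTP" permit
set policy id 5 application "FTP"
"""

ALG_LINE = re.compile(r"^\s*(\S+)\s+ALG\s*:\s*(enabled|disabled)\s*$", re.IGNORECASE)
POLICY_LINE = re.compile(
    r'^set policy id (\d+) from "[^"]*" to "[^"]*" "[^"]*" "[^"]*" "([^"]*)"'
)
APP_LINE = re.compile(r'^set policy id (\d+) application "([^"]*)"')


def parse_get_alg(text):
    """Return {ALG_NAME: True if enabled else False} from 'get alg' output."""
    state = {}
    for line in text.splitlines():
        m = ALG_LINE.match(line)
        if m:
            state[m.group(1).upper()] = m.group(2).lower() == "enabled"
    return state


def parse_policies(text):
    """Return {policy_id: {"service": name, "application": name}} from config lines."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})["service"] = m.group(2)
            continue
        m = APP_LINE.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})["application"] = m.group(2)
    return policies


def effective_alg(policy, global_state):
    """Name of the ALG that will actually run for this policy, or None.

    Rule 1 (article): application "IGNORE" on the policy bypasses the ALG.
    Rule 2 (article): an ALG named on a policy still needs to be enabled
    globally, otherwise it is not triggered.
    Simplification (assumption): the service name is taken as the ALG name;
    "Any" or custom services are treated as triggering no ALG.
    """
    app = policy.get("application")
    if app == "IGNORE":
        return None
    alg = (app or policy.get("service", "")).upper()
    if alg not in global_state:
        return None
    return alg if global_state[alg] else None


def audit(get_alg_text, config_text):
    """Map each policy id to the ALG it effectively triggers (or None)."""
    global_state = parse_get_alg(get_alg_text)
    return {
        pid: effective_alg(policy, global_state)
        for pid, policy in sorted(parse_policies(config_text).items())
    }


if __name__ == "__main__":
    for pid, alg in audit(SAMPLE_GET_ALG, SAMPLE_POLICY_CONFIG).items():
        print(f"policy {pid}: {alg or 'no ALG processing'}")
```

Policy 3 reports no ALG because of "IGNORE", policy 4 reports SIP, and policy 5 reports no ALG even though "FTP" is set on the policy, because the FTP ALG is disabled globally in the sample.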

Modification History:
2020-03-21: Minor, non-technical update.
2017-12-23: Article reviewed for accuracy. Article tagged as a ScreenOS KB. Article is correct and complete.