Juniper Networks - Viewing list of ALGs and disabling an ALG differs on ScreenOS versions

How do I find out if an Application Layer Gateway (ALG) has been enabled on ScreenOS?

Is FTP considered ALG traffic? I could not see it in the table from the following:

FW-> get alg MSRPC ALG : enabled SUNRPC ALG : enabled SQL ALG : enabled SIP ALG : enabled RTSP ALG : enabled H323 ALG : enabled MGCP ALG : enabled SCCP ALG : enabled

View ALGs

SCREENOS 5.4 and below:

In ScreenOS 5.4 and below, FTP is a hidden ALG. Hidden ALGs can be viewed with the following command:

FW-> get nat registry vector Id Address Comment 16 0063b148 DNS 1 0063cc9c FTP 6 00639a08 HTTP 2 0064a068 RSH 59 004f7938 H245 60 0051465c Q931 61 0051de9c RAS 71 00d5bb3c SCCP 72 00d699d4 MGCP_UA 73 00d699d4 MGCP_CA 5 00872814 PORTMAPPER 63 00db4f94 SIP 64 00650e28 SQLNETV2 65 006522a8 TALK 29 00652968 TFTP 62 00649754 REAL 11 0064d06c RTSP 66 00652c10 VDO 67 00653050 XING 68 00865e24 MSRPC_EPM MASTER(M)-> get nat registry vector | i FTP 1 0063cc9c FTP The non-hidden ALGs are displayed with the "get alg" command.

SCREENOS 6.0 and above:

In ScreenOS 6.0 and above, all the ALGs can be viewed with the following command:

FW-> get alg DNS ALG : enabled FTP ALG : enabled H323 ALG : enabled HTTP ALG : enabled MGCP ALG : enabled MSRPC ALG : enabled PPTP ALG : enabled REAL ALG : enabled RSH ALG : enabled RTSP ALG : enabled SCCP ALG : enabled SCTP ALG : enabled APPLEICHAT ALG : enabled SIP ALG : enabled SQL ALG : enabled SUNRPC ALG : enabled TALK ALG : enabled TFTP ALG : enabled XING ALG : enabled

Disable ALGs

Globally

For ALGs which can be viewed via the "get alg" command, the ALG can be globally disabled and enabled with the following commands. If you disable the ALG globally, ALG processing will no longer be triggered for any ALG related traffic. This applies to ScreenOS 5.4, 6.0, and above.

FW-> unset alg <alg> enable FW-> set alg <alg> enable

By Policy

The following example illustrates how the ALG can be selectively disabled for specifc networks/ host addresses via the policy configuration via the WebUI or CLI:

set policy id 3 from "Trust" to "Untrust" "192.168.1.1/24" "Any" "FTP" permit set policy id 3 application "IGNORE" set policy id 3

A corresponding example for the WebUI can be found at KB7078.

NOTE: For hidden ALGs in ScreenOS 5.4 and below, the only way to disable these ALGs is via the policy.

Please refer to the following link for example configuration instructions for the FTP ALG: KB7096

If you need to change the ALG from its predefined port to a custom port, this can also be done via the policy.

Important Note: If you disable the ALG globally and enable the ALG on a policy (by specifying 'set policy id <id> application <service>'), the ALG will still not be triggered. If the ALG is enabled explicitly on a policy, it also needs to be enabled globally in order to take affect.

*For ScreenOS 5.0 and below, the "get alg" command is not available at all.

Knowledge Search

View ALGs

Disable ALGs

Login Assistance

Knowledge Search

View ALGs

Disable ALGs

Please Sign In

Login Assistance