[ScreenOS] How do I disable an ALG per Policy? How Do I Skip ALG Checking per Policy?

Article ID: KB7078 KB Last Updated: 25 Mar 2020 Version: 10.0
Summary:

How do I disable ALG checking per policy?

Symptoms:
  • ALG traffic is being dropped
Solution:

Note: Disable the ALG function when a particular part of the application function is not supported, for example proprietary H.323 or SIP implementations that ScreenOS does not interpret or support.

After you disable the ALG, the traffic passes as long as a policy allows it. Most likely you will need to create a custom service that allows the high ports, and then a policy that permits the incoming traffic the ALG would normally have processed. Make that policy very specific: source address, destination address, and the custom service you created.


To disable or skip ALG checking per policy via the WebUI, perform the following steps:

1. Open the WebUI.

2. From the ScreenOS options menu, click Policies.

3. From the policy you want to edit, click Edit.

4. From the Service drop-down menu, select the desired service.

5. From the Application drop-down menu, click to select IGNORE.

   When the Application drop-down menu is set to NONE (the default value), ALGs are used.

   NOTE: The ALG cannot be disabled on a policy with the ANY Service.

6. Click OK.

To skip ALG checking per policy via the CLI, perform the following steps:

1. Open the CLI.

2. Enter get policy to see the list of existing policies, and note the policy ID of the policy on which you want to disable the ALG.

   NOTE: The ALG cannot be disabled on a policy with the ANY Service.

3. Enter the following command to disable the ALG on that policy:

   set policy id <policy_id> application ignore

Note: For additional information, refer to KB13509 - Viewing list of ALGs and disabling an ALG differs on ScreenOS versions.
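The advice above to keep an ALG-bypassing policy very specific can be checked after the fact. The following is an added example, not Juniper code: it scans saved configuration text for policies set to application IGNORE and reports any that use Any as source or destination. The sample configuration, its object names and port range are constructed, and the script assumes policy lines of the form set policy id <id> from <zone> to <zone> <src> <dst> <service> <action>.

```python
import shlex

# Constructed sample in the style of saved ScreenOS configuration (not from a real device).
SAMPLE_CONFIG = """
set service "voip-media" protocol udp src-port 0-65535 dst-port 16384-16482
set policy id 10 from "Untrust" to "Trust" "voip-provider" "pbx-internal" "voip-media" permit
set policy id 10 application "IGNORE"
set policy id 11 from "Untrust" to "Trust" "Any" "pbx-internal" "voip-media" permit
set policy id 11 application "IGNORE"
set policy id 12 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit
"""

def audit_alg_ignore(config_text):
    """Return {policy_id: [issues]} for every policy whose ALG is set to IGNORE."""
    policies, ignored = {}, set()
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)          # honours the quoted object names
        except ValueError:
            continue                         # unbalanced quote: skip the line
        if len(tok) < 6 or tok[:3] != ["set", "policy", "id"] or not tok[3].isdigit():
            continue
        pid = tok[3]
        if tok[4] == "application":
            if tok[5].upper() == "IGNORE":
                ignored.add(pid)
        elif "from" in tok:
            i = tok.index("from")            # an optional 'name "..."' may precede it
            if len(tok) >= i + 8 and tok[i + 2] == "to":
                policies[pid] = {"src": tok[i + 4], "dst": tok[i + 5], "service": tok[i + 6]}
    findings = {}
    for pid in sorted(ignored, key=int):
        policy = policies.get(pid)
        if policy is None:
            findings[pid] = ["policy definition not found"]
        else:
            # An empty list means both source and destination are named objects.
            findings[pid] = [f"{field} is Any" for field in ("src", "dst")
                             if policy[field].lower() == "any"]
    return findings

if __name__ == "__main__":
    for pid, issues in audit_alg_ignore(SAMPLE_CONFIG).items():
        print(f"policy {pid}:", ", ".join(issues) if issues else "narrowly scoped")
```
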
 
Modification History:
2020-03-25: Article reviewed for accuracy; it is valid and accurate.
