SRX


ALG Settings and Screen Options

  • 1.  ALG Settings and Screen Options

     
    Posted 08-30-2018 04:13

    1. I have been advised to disable all ALG settings for performance reasons, is this wise? Most of them don't ring a bell, but surely I need the DNS ALG? We also use RTSP streams, so should I keep this on? If I disable it, what will the impact be?

     

    2. With regard to Screen Options are there any recommendations or best practices around what to set and their respective values?



  • 2.  RE: ALG Settings and Screen Options
    Best Answer

     
    Posted 08-30-2018 15:21

    It is probably best to turn off ALGs that you don't use, but I would not say there is any real resource issue with leaving the default settings active. And if you don't know what is running through the firewall, the defaults are there for a reason: they assist in making sure strange connectivity problems don't occur.

     

    As far as the DNS ALG is concerned, you only really need this when destination NAT is used and inside computers get DNS records with the public IP address instead of the internal one. The ALG automatically performs the DNS doctoring so no hairpin NAT is needed for reachability.

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dns-algs.html

     

    Other overviews of ALGs can be seen here.

    https://www.juniper.net/documentation/en_US/junos10.4/topics/concept/alg-security-types-understanding.html

     

    Mostly what ALGs do is automatically allow connections associated with a primary connection permitted by a policy. These are usually using random ports and in the opposite zone direction of the original connection.

     

    For example, an FTP policy allows the outbound connection to the FTP server on port 21. The server and the client agree on a random port for the file download, but this comes from the server to the client, the opposite direction, untrust to trust. This would normally be a new session and denied. But the FTP ALG knows this is part of the previously permitted session and allows the connection. Other ALGs are similar and just a simple way to permit what would otherwise require a new policy be created to allow through the firewall.

     

    For screen options there is a basic starter example configuration in the documentation here.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-introduction-to-adp.html#id-example-configuring-multiple-screening-options
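
The pinhole behaviour described in the answer above for active-mode FTP, as an added example that is not part of the original post and is not Junos code: a small Python model that reads the client's `PORT` command on a permitted control session and allows exactly one matching inbound data connection. The class and method names, the RFC 5737 sample addresses, and the two sanity checks (announced address must be the client's own, port must be 1024 or higher) are assumptions of this model.

```python
import re

# RFC 959 active mode: "PORT h1,h2,h3,h4,p1,p2" announces where the client listens.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

class FtpAlgModel:
    """Toy model of ALG pinhole logic (hypothetical, not the SRX implementation)."""

    def __init__(self):
        self.control = set()    # (client, server) control sessions permitted by policy
        self.pinholes = set()   # (server, client, client_port) expected data sessions

    def permit_control(self, client, server):
        self.control.add((client, server))

    def inspect_control(self, client, server, line):
        """Inspect one client->server control line; open a pinhole on a valid PORT."""
        m = PORT_RE.match(line)
        if (client, server) not in self.control or not m:
            return None
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return None
        announced = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]
        # Model assumption: refuse pinholes toward other hosts or privileged ports.
        if announced != client or port < 1024:
            return None
        hole = (server, client, port)
        self.pinholes.add(hole)
        return hole

    def allow_inbound(self, src, dst, dport):
        """Untrust->trust connection: allowed only if it matches a pinhole (one use)."""
        hole = (src, dst, dport)
        if hole in self.pinholes:
            self.pinholes.discard(hole)
            return True
        return False

def demo():
    # Constructed sample: trust-side client, untrust-side server (RFC 5737 ranges).
    client, server = "192.0.2.10", "198.51.100.20"
    alg = FtpAlgModel()
    alg.permit_control(client, server)
    before = alg.allow_inbound(server, client, 50000)        # no pinhole yet
    alg.inspect_control(client, server, "PORT 192,0,2,10,195,80\r\n")
    after = alg.allow_inbound(server, client, 50000)         # matches the pinhole
    return before, after

if __name__ == "__main__":
    print(demo())
```

With the ALG off, nothing opens the pinhole, so the server's inbound data connection needs its own untrust-to-trust policy or it is dropped.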

     

     



  • 3.  RE: ALG Settings and Screen Options

     
    Posted 08-31-2018 09:48

    Thank you Steve, all clear, I know where I am now. I will 'play' around with ALGs at my own peril!