1. I have been advised to disable all ALG setttings for performance reasons, is this wise? Most of them don't ring a bell, but surely I need the DNS ALG? We also use RTSP streams, so should I keep this on? If I disable it, what will the impact be?
2. With regard to Screen Options are there any recommendations or best practices around what to set and their respective values?
It is probably best to turn off ALG that you don't use but I would not say there is any real resource issue with leaving the default settings active. And if you don't know what is running through the firewall the defaults are there for a reason, they assist in making sure strange connectivity problems don't occur.
As far as the DNS ALG is concerned, you only really need this when destination nat is used and inside computers get DNS records with the public ip address instead of the internal one. The ALG automatically performs the DNS doctoring so no hair pin nat is needed for reachability.
Other overviews of alg can be seen here.
Mostly what ALG do is automatically allow connections associated with a primary connection permitted by a policy. These are usually using random ports and in the opposite zone direction of the original connection.
For example ftp policy allows the outbound connection to the ftp server on port 21. The server and the client agree on a random port for the file download but this comes from the server to the client, the opposite direction untrust to trust. This would normally be a new session and denied. But the FTP ALG knows this is part of the previously permitted session and allows the connection. Other ALG are similar and just a simple way to permit what would otherwise require a new policy be created to allow through the firewall.
For screen options there is a basic starter example configuration in the documentation here.
Thank you Steve, all clear, I know where I am now. I will 'play' around with ALGs at my own peril!