Juniper ScreenOS firewall: solving an unexplained network connection problem by disabling application (ALG) scanning


Case: A remote DNS client needs to access a DNS server at the home site. The network path crosses a Juniper firewall (ScreenOS 6.2). A policy rule has been set up to allow the connection, and rule logging shows the connection succeeding, yet the DNS client does not receive a correct response from the DNS server.

After some research on the Internet, an article pointed to the Application Layer Gateway (ALG), a.k.a. Layer 7 scanning, as the cause. Disabling ALG scanning solved the problem.
ALG can be disabled in two places:

1. Per rule
Set Application = IGNORE on the policy in the GUI.
From the console, the policy can be set like this:
set policy id 100 application ignore
(reference at kb.juniper.net)
This turns off ALG inspection only for traffic matched by that policy; other policies keep their ALG handling.

2. Disable the ALG globally
Each ALG can be disabled individually in the GUI under Security – ALG.
From the console, issue:
unset alg dns enable
This removes DNS ALG inspection for all traffic through the firewall, so the per-rule option is the narrower change when only one connection is affected.
To query the ALG status, use:
get alg
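To confirm that the DNS client really gets a sane answer after the change, here is a small probe (an added example, not from the original post) that builds a raw UDP query and checks the reply's transaction id, flags and echoed question section; the server address is a placeholder.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1):
    """Build a recursive DNS query (A record by default). Returns (txid, packet)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # qclass IN

def check_response(txid, query, data):
    """Return a list of problems found in the reply; an empty list means healthy."""
    if len(data) < 12:
        return ["reply shorter than a DNS header (%d bytes)" % len(data)]
    problems = []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        problems.append("transaction id mismatch (sent %04x, got %04x)" % (txid, rid))
    if not flags & 0x8000:
        problems.append("QR bit clear: packet is a query, not a response")
    if flags & 0x0200:
        problems.append("TC bit set: answer truncated, client must retry over TCP")
    rcode = flags & 0x000F
    if rcode != 0:
        problems.append("non-zero RCODE %d" % rcode)
    # The question section must come back unchanged; a mangled copy points at
    # something on the path rewriting the packet rather than at the server.
    qlen = len(query) - 12
    if qd != 1 or data[12:12 + qlen] != query[12:]:
        problems.append("question section does not match the query sent")
    elif rcode == 0 and an == 0:
        problems.append("NOERROR reply with zero answer records (NODATA)")
    return problems

def probe(server, name, timeout=3.0):
    """Send one UDP query to server:53 and return the problem list."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return ["no reply within %.1fs (policy or timeout problem)" % timeout]
    return check_response(txid, query, data)

if __name__ == "__main__":
    print(probe("192.0.2.53", "example.com"))  # placeholder server address (TEST-NET-2)
```

Run it from the remote client before and after the ALG change; an empty list means the reply came back intact.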
Service timeout
Some say the cause is the service timeout setting. If you agree, you can tune the timeout parameter in the GUI under Policy – Policy Elements – Services – Predefined.


Notes: I have also encountered a similar problem with an Oracle SQL*Net connection via NetScreen. The solution was to turn off the SQL ALG.
