Juniper ScreenOS firewall: Solve unknown network connection problem by disabling Application scanning
Case: A remote DNS client needs to access a DNS server at the home site. The network path crosses a Juniper firewall (ScreenOS 6.2). Although a policy rule has been set up to allow the connection, and the rule's log shows the connection as successful, the DNS client does not receive a correct response from the DNS server.
After some research on the Internet, an article pointed out that the problem is the Application Layer Gateway (ALG), a.k.a. Layer 7 scanning. Disabling ALG scanning solved the problem.
ALG can be disabled in two places:
At each rule:
Add Application = IGNORE in the GUI.
If you use the console, you can set the policy like this:
set policy id 100 application ignore
(reference at kb.juniper.net)
Disable all ALG:
Each ALG can be disabled individually in the GUI menu, under Security – ALG.
In the console, you can issue the command:
unset alg dns enable
To query the ALG status, use the command:
Timeout of service:
Some say it is a timeout issue. If you agree, you can tune the timeout parameter in the GUI at the following screen: Policy – Policy Elements – Services – Predefined
Notes: I have also encountered a similar problem with an Oracle SQL Net connection via Netscreen. The solution is to turn off the ALG for SQL.
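The two ways of disabling ALG described above (per-policy application ignore versus switching off the DNS ALG for the whole box), as an added ScreenOS CLI walk-through that is not part of the original post. The zone names Trust/Untrust, the address object DNS-Server at 192.0.2.53 and policy id 100 are assumed for illustration; lines beginning with # are reader annotations, not ScreenOS syntax, and are dropped before pasting.

```screenos
# --- Option 1 (narrow): switch off Layer 7 inspection for ONE policy only ---
# Define the home-site DNS server as an address object in the Trust zone
# (name and address are constructed for this example).
set address Trust DNS-Server 192.0.2.53 255.255.255.255

# Policy 100: remote clients in Untrust may reach the DNS server on the
# predefined DNS service; "log" keeps the session logging the post relies on.
set policy id 100 from Untrust to Trust Any DNS-Server DNS permit log

# Treat traffic matching this policy as an opaque service: no DNS ALG and no
# other L7 scanning, but only for sessions that hit policy 100. Every other
# policy keeps its inspection.
set policy id 100 application ignore

# Verify: the policy listing should show the application setting for policy 100.
get policy id 100

# --- Option 2 (broad): switch off the DNS ALG for every policy on the box ---
# This also removes DNS payload inspection from policies that still wanted it,
# so prefer Option 1 unless the ALG itself has to go.
unset alg dns enable

# List ALG status to confirm the change (command not named in the post).
get alg

# Re-enable the DNS ALG once the per-policy ignore is in place.
set alg dns enable

# Persist the running configuration to flash.
save
```

A permitted session in the policy log combined with a wrong or missing DNS answer is the pattern to recognise here: the policy is not the block, the inspection is.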