[J-Series] [SRX] How to: Bypass an ALG by creating an "application ignore" or "alg ignore" policy


Summary:
How do you disable an ALG on a security policy (J Series and SRX Series devices)?
Problem or Goal:
Customer's application is not compatible with the ALG (Application Layer Gateway), so packets may be dropped.
Solution:
This article applies to:
  • Junos 10.0 and above

The "application ignore" option disables an ALG for a given application when the default ALG behavior is not compatible with a customer's application. When a security policy matches traffic with an application that has "application ignore" configured, the traffic is evaluated by the policy and forwarded without the ALG inspecting it or opening any pinholes for it.

  1. Create a custom application with application-protocol ignore:
    user@host# show applications
    application ftp-AppIgnore {
        application-protocol ignore;
        protocol tcp;
        destination-port 21;
    }

    Alternatively, you can configure "alg ignore".
    Note: With this method the "alg ignore" statement must be placed inside a term of the application, as shown below; both methods accomplish the same thing.
    user@host# show applications
    application ftp-AppIgnore {
        term term-1 {
            alg ignore;
            protocol tcp;
            destination-port 21;
        }
    }
  2. Create a policy that uses the custom application:
    user@host# show security policies from-zone untrust to-zone trust
    policy test {
        match {
            source-address any;
            destination-address any;
            application ftp-AppIgnore;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
  3. After the commit, confirm that the policy is not associated with any ALG. Look for 'ALG: ignore' in the following output:
    user@host# show security dynamic-policies from-zone untrust to-zone trust detail
    Policy: test, action-type: permit, State: enabled, Index: 4006
    Sequence number: 1
    From zone: untrust, To zone: trust
    Source addresses:
    any: 0.0.0.0/0
    Destination addresses:
    any: 0.0.0.0/0
    Application: ftp-AppIgnore
    IP protocol: tcp, ALG: ignore, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [21-21]
    Session log: at-create, at-close


  4. When "application ignore" is not configured on a policy, the output of the security policy looks as follows:
    user@host# show security policies from-zone untrust to-zone trust
    policy test2 {
        match {
            source-address any;
            destination-address any;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
    A pre-defined application is associated with its ALG by default. Look for 'ALG: ftp' in the following example:
    user@host# show security dynamic-policies from-zone untrust to-zone trust detail
    Policy: test2, action-type: permit, State: enabled, Index: 4007
    Sequence number: 2
    From zone: untrust, To zone: trust
    Source addresses:
    any: 0.0.0.0/0
    Destination addresses:
    any: 0.0.0.0/0
    Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
    Source port range: [0-0]
    Destination port range: [21-21]
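Steps 3 and 4 both rely on reading the 'ALG:' field of the dynamic-policies output. The following Python script is an added example (it is not part of this article and not Juniper code) that parses that output and lists every permit policy whose application is matched with 'ALG: ignore', so an operator can audit which policies have been exempted from ALG inspection. It assumes the output format is exactly as shown in the article; the sample text is constructed from the two policies (test and test2) shown above.

```python
"""Audit Junos 'show security dynamic-policies ... detail' output for ALG bypass.

Added example, not Juniper code. Assumes the line layout shown in the article.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the article's two policies ('test' uses the
# custom ftp-AppIgnore application, 'test2' uses the predefined junos-ftp).
SAMPLE_OUTPUT = """\
Policy: test, action-type: permit, State: enabled, Index: 4006
Sequence number: 1
From zone: untrust, To zone: trust
Source addresses:
any: 0.0.0.0/0
Destination addresses:
any: 0.0.0.0/0
Application: ftp-AppIgnore
IP protocol: tcp, ALG: ignore, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
Session log: at-create, at-close
Policy: test2, action-type: permit, State: enabled, Index: 4007
Sequence number: 2
From zone: untrust, To zone: trust
Source addresses:
any: 0.0.0.0/0
Destination addresses:
any: 0.0.0.0/0
Application: junos-ftp
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
"""

POLICY_RE = re.compile(
    r"^Policy: (?P<name>[^,\s]+), action-type: (?P<action>[^,\s]+), "
    r"State: (?P<state>[^,\s]+), Index: (?P<index>\d+)$"
)
APP_RE = re.compile(r"^Application: (?P<app>\S+)$")
PROTO_RE = re.compile(
    r"^IP protocol: (?P<proto>[^,\s]+), ALG: (?P<alg>[^,\s]+), "
    r"Inactivity timeout: (?P<timeout>\d+)$"
)
DPORT_RE = re.compile(r"^Destination port range: \[(?P<lo>\d+)-(?P<hi>\d+)\]$")


def parse_dynamic_policies(text: str) -> List[Dict[str, object]]:
    """Turn the detail output into a list of policies, each with its applications."""
    policies: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            # A 'Policy:' line starts a new policy record.
            current = {"name": m["name"], "action": m["action"],
                       "state": m["state"], "index": int(m["index"]),
                       "applications": []}
            policies.append(current)
            continue
        if current is None:
            continue  # header text before the first policy
        apps: List[Dict[str, object]] = current["applications"]  # type: ignore[assignment]
        m = APP_RE.match(line)
        if m:
            apps.append({"name": m["app"]})
            continue
        m = PROTO_RE.match(line)
        if m and apps:
            # The ALG field belongs to the most recently seen application term.
            apps[-1].update(protocol=m["proto"], alg=m["alg"], timeout=int(m["timeout"]))
            continue
        m = DPORT_RE.match(line)
        if m and apps:
            apps[-1]["dst_ports"] = (int(m["lo"]), int(m["hi"]))
    return policies


def alg_bypass_report(policies: List[Dict[str, object]]) -> List[Tuple[str, str, object]]:
    """Return (policy, application, destination ports) for each permit policy
    whose application is matched with 'ALG: ignore', i.e. traffic the ALG
    no longer inspects and for which it opens no pinholes."""
    findings = []
    for p in policies:
        if p["action"] != "permit":
            continue
        for app in p["applications"]:  # type: ignore[union-attr]
            if app.get("alg") == "ignore":
                findings.append((p["name"], app["name"], app.get("dst_ports")))
    return findings


if __name__ == "__main__":
    for name, app, ports in alg_bypass_report(parse_dynamic_policies(SAMPLE_OUTPUT)):
        print(f"policy {name}: application {app} bypasses the ALG (dst ports {ports})")
```

On a real device, feed the script the saved output of the show command from step 3 instead of SAMPLE_OUTPUT; policies that appear in the report are exactly the ones where the ALG has been disabled and should be reviewed alongside the change that introduced them.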
Purpose:
Configuration