Summary:
- Junos 10.0 and above
The option application-protocol ignore (referred to on this page as "application ignore") is used to disable an ALG when the default ALG behavior is not compatible with a customer's application. When the application referenced by a security policy is configured with application-protocol ignore, matched traffic is evaluated by the policy without the ALG. Keep in mind that this also removes what the ALG would have done for that traffic: for FTP, the firewall no longer opens pinholes for the data connection or rewrites addresses in the control channel under NAT, so the data connection must be permitted by a policy of its own.
- Create a custom application with application-protocol ignore:
user@host# show applications
application ftp-AppIgnore {
    application-protocol ignore;
    protocol tcp;
    destination-port 21;
}
Alternatively, you can configure "alg ignore". Note: with this method the settings must be placed inside a term, as shown below, but both methods accomplish the same thing.
user@host# show applications
application ftp-AppIgnore {
    term term-1 {
        alg ignore;
        protocol tcp;
        destination-port 21;
    }
}
- Create policy using that custom application
- Create a policy using that custom application:
user@host# show security policies from-zone untrust to-zone trust
policy test {
    match {
        source-address any;
        destination-address any;
        application ftp-AppIgnore;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }
}
- Confirm after commit that the policy is not associated with any ALG. Look for 'ALG: ignore' in the following output:
user@host> show security dynamic-policies from-zone untrust to-zone trust detail
Policy: test, action-type: permit, State: enabled, Index: 4006
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: ftp-AppIgnore
    IP protocol: tcp, ALG: ignore, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
  Session log: at-create, at-close
When "application ignore" is not configured for the application used by a policy, the security policy looks as follows:
user@host# show security policies from-zone untrust to-zone trust
policy test2 {
    match {
        source-address any;
        destination-address any;
        application junos-ftp;
    }
    then {
        permit;
    }
}
A pre-defined application such as junos-ftp is associated with its ALG by default. Look for 'ALG: ftp' in the following output:
user@host> show security dynamic-policies from-zone untrust to-zone trust detail
Policy: test2, action-type: permit, State: enabled, Index: 4007
  Sequence number: 2
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
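The 'ALG: ignore' versus 'ALG: ftp' check above is easy to do by eye for two policies, but not for a zone pair with dozens. The following Python script is an added example, not code from the original article or from Juniper: it parses the text of 'show security dynamic-policies ... detail' (the same layout printed above, reproduced here as constructed sample input) and reports every policy whose application terms still show an ALG value other than 'ignore'. The regular expressions, the Policy class and the function names are assumptions made for this example; the script reads only the field names that appear in this article's output.

```python
"""Audit Junos 'show security dynamic-policies ... detail' output for ALG use.

Added example (not part of the original article): parses the operational
output shown above and reports which policies still hand matched traffic
to an ALG, so the 'ALG: ignore' check can be run over every policy at once.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two policies from this article, as printed by
# 'show security dynamic-policies from-zone untrust to-zone trust detail'.
SAMPLE_OUTPUT = """\
Policy: test, action-type: permit, State: enabled, Index: 4006
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: ftp-AppIgnore
    IP protocol: tcp, ALG: ignore, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
  Session log: at-create, at-close
Policy: test2, action-type: permit, State: enabled, Index: 4007
  Sequence number: 2
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
"""

# One pattern per line type the audit needs; leading indentation is ignored.
# (Patterns are assumptions based on the field names shown in the article.)
POLICY_RE = re.compile(r"^\s*Policy:\s*([^,\s]+),\s*action-type:\s*([^,\s]+)")
APP_RE = re.compile(r"^\s*Application:\s*(\S+)")
PROTO_RE = re.compile(r"^\s*IP protocol:\s*([^,\s]+),\s*ALG:\s*([^,\s]+)")


@dataclass
class Policy:
    name: str
    action: str
    # application name -> ALG value from each 'IP protocol' line under it.
    # A multi-term application (e.g. one using 'alg ignore' inside a term)
    # prints one 'IP protocol' line per term, so the list may have several.
    algs: Dict[str, List[str]] = field(default_factory=dict)


def parse_dynamic_policies(text: str) -> List[Policy]:
    """Parse the 'detail' output into Policy objects, in display order."""
    policies: List[Policy] = []
    current = None
    app = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = Policy(name=m.group(1), action=m.group(2))
            policies.append(current)
            app = None
            continue
        if current is None:
            continue  # any header text before the first policy
        m = APP_RE.match(line)
        if m:
            app = m.group(1)
            current.algs.setdefault(app, [])
            continue
        m = PROTO_RE.match(line)
        if m and app is not None:
            current.algs[app].append(m.group(2))
    return policies


def is_alg_free(policy: Policy) -> bool:
    """True when every term of every application shows 'ALG: ignore'."""
    return all(alg == "ignore" for algs in policy.algs.values() for alg in algs)


def policies_using_alg(policies: List[Policy]) -> Dict[str, Dict[str, List[str]]]:
    """Map policy name -> {application: [ALG, ...]} for every application term
    whose ALG value is anything other than 'ignore'. Fully ALG-free policies
    are omitted, so an empty dict means the whole zone pair bypasses ALGs."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for policy in policies:
        hits = {app: [a for a in algs if a != "ignore"]
                for app, algs in policy.algs.items()}
        hits = {app: algs for app, algs in hits.items() if algs}
        if hits:
            report[policy.name] = hits
    return report


if __name__ == "__main__":
    parsed = parse_dynamic_policies(SAMPLE_OUTPUT)
    for p in parsed:
        state = "ALG-free" if is_alg_free(p) else "uses ALG"
        print(f"{p.name}: {state} {p.algs}")
    print("policies still using an ALG:", policies_using_alg(parsed))
```

Run it with the real output piped in place of SAMPLE_OUTPUT (for example, captured over SSH or NETCONF) and treat any entry in the report as a policy whose traffic still goes through an ALG. The script flags every value other than 'ignore'; whether that is the intended state for a given policy is a decision for the administrator, since most pre-defined applications keep their ALG by design.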