Screen OS

How to use Application Layer Gateway (ALG)

  • 1.  How to use Application Layer Gateway (ALG)

    Posted 03-05-2014 04:28

    Hi Guys,

     

    I would like to find out what exactly is ALG and why would I configure it?

     

    I know you can enable the ALG options by going into Security->ALG and then, when configuring the policy, you would have to choose the previously enabled option from the "Application" drop-down box.

     

    The question is why would I configure it if I can do the same using "Service" drop-down box?

     

    How does that work in conjunction with the "Service" box? What will happen if I have "Service" set to FTP and "Application" to SIP, for example?



  • 2.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-05-2014 15:06

    ALG allows the automatic "pin-holing" of traffic that matches the primary application traffic port that is already permitted.  Some applications create a connection on a specific port, then after this connection is created use a random other port or ports to proceed with the communications.

     

    A standard firewall rule permits traffic on the specified port (service in ScreenOS).  The random port cannot be known until the connection happens.  You could open up the entire range of possible random ports for this second connection, but the ALG creates a permission for the connection on the fly that is specific just to these two hosts.

     

    A common example is ftp.  The connection is established, then they negotiate a high port for the transfer.  When the server responds on that port the firewall must permit the connection back into the client.  The ALG performs that task.

     

    For the standard port usage you don't need to configure anything other than turning on the ALG.  For non-standard ports you may need to select the ALG as the "application" in your policy.

     

    To turn off the ALG for a policy you select "application" of "none" "ignore".



  • 3.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-06-2014 02:02

    Hi Steve,

     

    Thanks for your reply.

     

    All my policies are based on the "Service" port while "Application" is set to "none", which means, from what you wrote, the ALG will be ignored, but I have never had any complaints that something is not permitted, including a simple rule for the "FTP" Service (again while "Application" is set to "None").

     

    What is the difference between "Application" set to "none" vs "ignore"?

     

     

    Thanks,

    Dom



  • 4.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-06-2014 02:56

    Sorry about that, I meant application set to "ignore" will override the ALG.

     

    None means use the standard port of the ALG.

     

    Selecting an ALG applies the ALG on a non-standard port.



  • 5.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-06-2014 03:21

    Hi Steve,

     

    Again, thanks a lot.

     

    So when the "Application" is set to "ignore" the ALG won't be in use which means only the ports configured in the "Services" will be permitted.

     

    But I'm still not too sure what the difference is between "Application" being set to "none" or "ftp", for example.

     

    If I have the policy for FTP configured with "Service" set to "ftp", which means only port 21 will be allowed, what will be the difference if the "Application" is set to "none", and how will it work if the "Application" is set to "ftp" as well (see attached)?

     

    When will the pinholes be created? With "Application" set to "none" or "ftp"??

     

    Sorry Steve, but I'm just trying to understand how it works as I have never used it before.



  • 6.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-06-2014 04:13

    When using the ftp service on the standard port there is no difference between application none and application ftp.

     

    Typically you use application ftp when a server administrator has configured the ftp server to use a non-standard port for the initial connection.  Then using application ftp tells ScreenOS to use the ALG for this service on tcp 2000, for example.



  • 7.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-06-2014 07:12

    Hi Steve,

     

    So if I would like to use the ALG (pinholes to be opened for non-standard ftp ports), do I still have to set the "Service" to ftp, or leave it set to "any" and just change the "Application" to "ftp"?

     

    Thanks,

    Dom



  • 8.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-06-2014 13:45

    You would set the service to ftp and can leave the application set to none.

     

    If the server has a custom port, you create a custom service for this tcp port and give it a custom name, i.e. ftp-2020 set to tcp port 2020.

     

    Then your policy sets the service to ftp-2020 and the application to ftp.



  • 9.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-07-2014 01:02

    Hi Steve,

     

    If the server has a custom port of 2020 and I create a new service ftp-2020 (set to tcp port 2020) and then in my policy set the "Service" to "ftp-2020", what would happen if I leave the "Application" set to "none"?

     

    Sorry Steve, but I still cannot understand how it works.

     

    Is there any official document with some examples which explains everything?  



  • 10.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-07-2014 03:15

    Sorry, I'm not clear.

     

    Using a custom port for ftp, you would NOT use the ALG if the application is set to "none".  The ALG by default will ONLY recognize the standard service.

     

    This is one reason that the application field exists: so that you can create custom services and assign the ALG to work on custom ports.

     

    The other reason that the application field exists is to turn OFF the ALG on a per-policy basis.  This can be necessary when a different application is using an ALG standard port, so that when the ALG kicks in the traffic is mis-handled.  You can turn off the ALG per policy and leave it on for all the rest of the traffic by using application "ignore".



  • 11.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-07-2014 04:49

    Hi Steve,

     

    Do you have any examples so I can understand it better?

     

    Let's say I have created my custom ftp service "ftp_2020" and a policy with "Service" - "ftp_2020" and "Application" - "none".

     

    When the traffic is coming in on port TCP 2020 it will be permitted, but if the connection tries to use a different port (TCP 2030) it won't, because the ALG doesn't recognize it as FTP. Is that correct?

     

     

    Let's say I have created my custom ftp service "ftp_2020" and a policy with "Service" - "ftp_2020" and "Application" - "ftp".

     

    When the traffic is coming in on port TCP 2020 it will be permitted, and if the connection tries to use a different port (TCP 2030) it will also be permitted, as I told it to do so by setting "Application" - "ftp" in the policy configuration, i.e. that this is my FTP traffic.

     

     

    Am I correct here or missing something?



  • 12.  RE: How to use Application Layer Gateway (ALG)
    Best Answer

    Posted 03-08-2014 18:00

    Here is how the ftp connection works and what the ALG does.

     

    Standard FTP

     

    The client makes the connection to the server on fixed port 21. 

     

    The policy on the firewall is for service ftp and application of none.  Since this is the standard port the ALG will be active.

     

    The server tells the client that it will use port 1024 for the data channel and opens this connection from server to the client.

     

    The ALG sees that the client and server are communicating in ftp and permits this specific connection from the server to the client.  This occurs even though the port is different than the original connection on port 21 and the direction is the opposite.  The ALG knows that this is how active FTP is supposed to work.

     

    Custom Port FTP

     

    The server is configured to run an ftp server using port 2020 as the control port instead of port 21.

     

    The client initiates an ftp session on the custom port of 2020.

     

    The policy on the firewall is set to the custom service of tcp 2020 and the application is set to ftp.

     

    The server tells the client it will use port 5001 for the data channel and initiates a connection from the server to the client on this port.

     

    The ALG knows this server to client communications is part of the ftp session and permits this.  If the application was set to none, the ALG will NOT permit the return connection because the ALG only recognizes port 21 as standard FTP, custom ports must be called to the ALG's attention for this to kick in and permit the traffic.
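
The behaviour described in reply 2 and worked through in this best answer (a pinhole is opened for the reverse data connection only when the ALG is active: Service ftp with Application none, or a custom Service with Application ftp, and never with Application ignore) can be modelled in a few lines. The following is an added example written for this page, not ScreenOS code or anything posted in the thread. It follows RFC 959 active mode, where the client sends `PORT h1,h2,h3,h4,p1,p2` on the control channel and the server connects back to that address for the data transfer; the FTP ALG reads that command to learn which server-to-client connection to permit. The `Policy`/`Firewall` classes, the IP addresses and the PORT lines are all constructed for illustration, and the ScreenOS CLI lines in the comment are reproduced from memory and should be checked against the CLI reference for your release.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# ScreenOS configuration the thread describes (syntax from memory, verify against your
# release's CLI reference before use):
#   set service "ftp-2020" protocol tcp src-port 0-65535 dst-port 2020-2020
#   set policy id 10 from "Trust" to "Untrust" "Any" "Any" "ftp-2020" permit
#   set policy id 10 application "FTP"          # or application "ignore" to disable the ALG

STANDARD_FTP_PORT = 21
# RFC 959 active-mode PORT command: PORT h1,h2,h3,h4,p1,p2   (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.IGNORECASE)


@dataclass
class Policy:
    """One policy: Service fixes the permitted control port, Application decides
    whether the FTP ALG looks inside that traffic."""
    service_port: int           # ftp = 21, custom service ftp-2020 = 2020
    application: str = "none"   # "none" | "ftp" | "ignore"


@dataclass
class Firewall:
    policy: Policy
    # Pinholes the ALG has opened: (src_ip, dst_ip, dst_port) of the expected reverse connection
    pinholes: set = field(default_factory=set)

    def alg_active(self) -> bool:
        app = self.policy.application.lower()
        if app == "ignore":         # ALG switched off for this policy only
            return False
        if app == "ftp":            # ALG forced on, whatever port the Service uses
            return True
        # "none": the ALG only recognises its standard port
        return self.policy.service_port == STANDARD_FTP_PORT

    def control_channel(self, client_ip: str, server_ip: str, dst_port: int, line: str) -> bool:
        """Client -> server packet on the control channel; True if the policy permits it.
        With the ALG active, a PORT command also pre-creates the matching pinhole."""
        if dst_port != self.policy.service_port:
            return False
        if self.alg_active():
            m = PORT_RE.match(line)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                data_port = int(m.group(5)) * 256 + int(m.group(6))
                # Only honour a PORT that points back at the client itself; a PORT naming
                # a third host would let one session open holes towards other machines.
                if host == client_ip:
                    self.pinholes.add((server_ip, client_ip, data_port))
        return True

    def data_channel(self, server_ip: str, client_ip: str, dst_port: int) -> bool:
        """Server -> client connection for the active-mode data transfer.
        No policy permits this direction; only an ALG pinhole can."""
        return (server_ip, client_ip, dst_port) in self.pinholes


def port_command(ip: str, port: int) -> str:
    """Build the PORT line a client sends for the given address (constructed sample)."""
    p1, p2 = divmod(port, 256)
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), p1, p2)


def run_scenario(service_port: int, application: str, data_port: int,
                 port_ip: Optional[str] = None):
    """Return (control_permitted, data_permitted) for one policy configuration."""
    client, server = "192.168.1.10", "203.0.113.5"      # constructed addresses
    fw = Firewall(Policy(service_port, application))
    cmd = port_command(port_ip or client, data_port)
    ctrl_ok = fw.control_channel(client, server, service_port, cmd)
    data_ok = fw.data_channel(server, client, data_port)
    return ctrl_ok, data_ok


if __name__ == "__main__":
    cases = [
        ("Standard FTP: Service ftp, Application none", 21, "none", 1024),
        ("Custom port: Service ftp-2020, Application none", 2020, "none", 5001),
        ("Custom port: Service ftp-2020, Application ftp", 2020, "ftp", 5001),
        ("Standard port, Application ignore", 21, "ignore", 1024),
    ]
    for name, svc, app, dport in cases:
        ctrl, data = run_scenario(svc, app, dport)
        print(f"{name}: control={'permit' if ctrl else 'deny'}, "
              f"data channel={'permit' if data else 'deny'}")
```

Running it prints permit/permit for the standard-port case, permit/deny for the custom port with Application none, permit/permit once Application is set to ftp, and permit/deny with Application ignore, which is exactly the matrix the thread arrives at. The client-address check on PORT is the one extra detail a practitioner should expect from a real ALG: the pinhole is tied to the two hosts of the session, so the control channel cannot be used to open the firewall towards a third host.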



  • 13.  RE: How to use Application Layer Gateway (ALG)

    Posted 03-10-2014 04:13

    Thanks a lot Steve.

     

    That makes sense now.

     

     

    Regards,

    Dom