ScreenOS Firewalls (NOT SRX)
Visitor
StuartG
Posts: 5
Registered: ‎03-03-2009
0
Accepted Solution

Netscreen 1000 FTP control and data

I have been looking in the documentation for clarification but cannot find any info. So my question is:

Service timeout for TCP is set to 30 minutes of inactivity.

Because the control port is only used at the beginning and end of the FTP connection, does the NetScreen tie the two control and data ports together to know not to close the control port down after 30 minutes if the data port is still transferring data?

Distinguished Expert
Screenie
Posts: 1,076
Registered: ‎01-10-2008
0

Re: Netscreen 1000 FTP control and data

No, there's an ALG (application layer gateway) defined for FTP, so the data sessions are connected to the control session by this ALG.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
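
A conceptual model of the linkage described in the answer above, as an added example that is not part of the original thread and is not ScreenOS code: an ALG reads the data endpoint announced on the FTP control channel (PORT or a 227 reply) and ties the resulting data session to its parent. The `ControlSession` class, its method names and the rule that child activity keeps the parent alive are assumptions made for illustration; the addresses are constructed documentation addresses.

```python
import re

IDLE_TIMEOUT = 30 * 60  # seconds; the 30-minute TCP service timeout from the question

# Active mode: "PORT h1,h2,h3,h4,p1,p2"; passive mode: "227 ... (h1,h2,h3,h4,p1,p2)"
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_data_endpoint(line):
    """Return the (ip, port) announced on the control channel, or None."""
    line = line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _ENDPOINT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: never open a pinhole for it
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class ControlSession:
    """Hypothetical model of a control session with ALG-linked data sessions."""

    def __init__(self, now):
        self.last_seen = now
        self.children = {}  # (ip, port) -> last activity time of that data session

    def on_control_line(self, line, now):
        self.last_seen = now
        ep = parse_data_endpoint(line)
        if ep:
            self.children[ep] = now  # expected data session, tied to this parent
        return ep

    def on_data_packet(self, ep, now):
        if ep not in self.children:
            return False  # never announced on this control channel: not linked
        self.children[ep] = now
        return True

    def expired(self, now, link_children=True):
        # Assumption: recent traffic on a linked child counts as parent activity.
        latest = self.last_seen
        if link_children and self.children:
            latest = max(latest, max(self.children.values()))
        return now - latest > IDLE_TIMEOUT
```

Calling `expired(now, link_children=False)` shows the failure mode the question worries about: a control session that is idle during a long transfer ages out when data sessions are tracked independently.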
Visitor
StuartG

Re: Netscreen 1000 FTP control and data

Thanks for the info, is there a way to view the alg, preferably from cli?
Distinguished Expert
Screenie

Re: Netscreen 1000 FTP control and data

You can see enabled / disabled by get alg (surprise huh :) ) but there's nothing to set for this ALG.

Message Edited by Screenie on 03-03-2009 01:50 PM
Visitor
StuartG

Re: Netscreen 1000 FTP control and data

Thanks, I tried the get alg under the vsys: no output. When I do the get alg on the global it shows the following:

get alg
MSRPC    ALG : enabled
SUNRPC   ALG : enabled
SQL      ALG : enabled
SIP      ALG : enabled
RTSP     ALG : enabled
H323     ALG : enabled
MGCP     ALG : enabled
SCCP     ALG : enabled

 

So not sure how the above is used for FTP?

Distinguished Expert
Screenie

Re: Netscreen 1000 FTP control and data

What about a set alg ?

My SSG5 (ScreenOS 6.1) shows:


instructor-> set ALG ?
appleichat           Apple iChat ALG
dns                  DNS ALG configuration
ftp                  FTP ALG configuration
h323                 H.323 ALG information
http                 HTTP ALG configuration
mgcp                 MGCP ALG
msrpc                attach ms-rpc alg
pptp                 PPTP ALG configuration
real                 REAL ALG configuration
rsh                  RSH ALG configuration
rtsp                 attach rtsp rpc alg
sccp                 SCCP ALG information
sctp                 SCTP ALG information
sip                  SIP ALG
sql                  SQL ALG information
sunrpc               attach sun-rpc alg
talk                 TALK ALG configuration
tftp                 TFTP ALG configuration
xing                 XING ALG configuration
instructor-> set ALG FTP ?
enable               enable FTP ALG
instructor->

I'm not aware of any hardware restriction for ALGs.

Visitor
StuartG

Re: Netscreen 1000 FTP control and data

When I do the set command it gives me the same options as the get:

set ALG ?
h323                 H.323 ALG information
mgcp                 MGCP ALG
msrpc                attach ms-rpc alg
rtsp                 attach rtsp rpc alg
sccp                 SCCP ALG information
sip                  SIP ALG
sql                  SQL ALG information
sunrpc               attach sun-rpc alg

 

Distinguished Expert
Screenie

Re: Netscreen 1000 FTP control and data

Probably a version difference. Anyhow, I can't imagine control will time out when the data stream is still there.
Visitor
StuartG

Re: Netscreen 1000 FTP control and data

Thanks for your help with this. We have tested with an FTP connection beyond 30 minutes and it does not close the connection down. Although it would be nice to see either some output on the NetScreen or documented info from Juniper.
Trusted Expert
WL
Posts: 789
Registered: ‎07-26-2008
0

Re: Netscreen 1000 FTP control and data

Hi,

We are working on getting a KB out soon. Please ref KB13509 for that in about a week or so and it should be out.
****pls click the button " Accept as Solution" if my post helped to solve your problem****