Screen OS

I have been looking on documentation for clarification but cannot find any info. So my question is:-

 

service timeout for tcp is set to 30 minutes of inactivity,

 

Because the control port is only used at the beginning and end of the FTP connection does the netscreen tie the two control and data ports together to know not to close the control port down after 30 minutes if the data port is still transffering data?

No there's an alg (application layer gateway) defiened for FTP so the data sessions are connected to the control session by this alg.

Thanks for the info, is there a way to view the alg, preferably from cli?

You can see enabled / disabled by get alg (suprise huh ) but there's nothing to set for this ALG.

Thanks i tried the get alg under the vsys no output. When i do the get alg on the global it shows the following:-

 

get alg
MSRPC    ALG : enabled
SUNRPC   ALG : enabled
SQL      ALG : enabled
SIP      ALG : enabled
RTSP     ALG : enabled
H323     ALG : enabled
MGCP     ALG : enabled
SCCP     ALG : enabled

 

So not sure how the above is used for FTP?
 

what about a set alg ?

 

my SSG5 (ScreenOS 6.1) shows:

 

instructor-> set ALG ?
appleichat           Apple iChat ALG
dns                  DNS ALG configuration
ftp                  FTP ALG configuration
h323                 H.323 ALG information
http                 HTTP ALG configuration
mgcp                 MGCP ALG
msrpc                attach ms-rpc alg
pptp                 PPTP ALG configuration
real                 REAL ALG configuration
rsh                  RSH ALG configuration
rtsp                 attach rtsp rpc alg
sccp                 SCCP ALG information
sctp                 SCTP ALG information
sip                  SIP ALG
sql                  SQL ALG information
sunrpc               attach sun-rpc alg
talk                 TALK ALG configuration
tftp                 TFTP ALG configuration
xing                 XING ALG configuration
instructor-> set ALG FTP ?
enable               enable FTP ALG
instructor->

I'm not aware of any hardware restriction for ALG's.

When i do the set command it gives me the same options as the get

 

set ALG ?
h323                 H.323 ALG information
mgcp                 MGCP ALG
msrpc                attach ms-rpc alg
rtsp                 attach rtsp rpc alg
sccp                 SCCP ALG information
sip                  SIP ALG
sql                  SQL ALG information
sunrpc               attach sun-rpc alg

 

Probably a version difference. Any how I can't imagen control will time-out when data stream is still there.

Thanks for your help with this. We have tested with a ftp connection beyond 30 minutes and it does not close the connection down. Although It would be nice to see either some output on the netscreen or documented info from Juniper.

Hi

 

We are working on getting a KB out soon. Please ref 

   KB13509 for that in about a week or so and it should be out.