Enabling Algs (Nsm Procedure) - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide
Related
Documentation

Enabling ALGs (NSM Procedure)

28
Table 11: Blacklist Configuration Fields (continued)
Field Description
Protocol The source port and destination port are valid only when you have set
the protocol as UDP or TCP. Set this value to 0 to match any protocol.
Source IP Net Mask The range is 0-32. Set this field to 0 to match all source IP addresses.
Destination IP Mask The range is 0-32. Set this field to 0 to match all destination IP
addresses.
NOTE: A blacklist with 0 timeout will not expire.
Enabling ALGs (NSM Procedure) on page 28
Configuring Extranet Devices Details (NSM Procedure) on page 30
Configuring Network Settings Options and Descriptions on page 34
In ScreenOS 6.0, the following modifications were made to prevent high CPU utilization.
Some existing Application Layer Gateways (ALGs) are disabled by default on high-end
platforms (ISG1000, ISG2000, NetScreen 2000 line, and NetScreen line). The affected
ALGs are H.323, SIP, MGCP, SCCP, MSRPC, SunRPC, and SQL. ALGs included in
ScreenOS 6.1 are PAT for PPTP, SCTP, and Apple iChat. As of ScreenOS 6.3, the DNS
Inhibit AAAA (IPv6) ALG is supported but disabled by default.
ALGs included in ScreenOS 6.0 or later are enabled by default. They are FTP, DNS,
Real, Rlogin, RSH, TALK, TFTP, and XING.
For efficient CPU utilization, you can enable or disable the ALGs.
To enable or disable the ALGs:
In the NSM navigation tree, click Device Manager > Devices.
1.
Select a device or a model device
2.
Click the Edit icon to edit the device. The relevant device dialog box appears.
3.
In the device navigation tree, click Advanced > ALGs.
4.
ALGs are listed depending on the type of device you selected and the OS version.
5.
ALGs can be enabled or disabled by checking or clearing their check boxes. See Table
12 on page 29.
Copyright © 2010, Juniper Networks, Inc.