Juniper ScreenOS DNS Application Layer Gateway Madness

You have a custom application that performs DNS queries but does not follow security best practices such as randomizing the source port of those queries. Business must go on, so you secure this connectivity over a site-to-site VPN, and that in turn means you need to make an exception in the Juniper ALG.

By default, DNS traffic on UDP port 53 is handled by the firewall's ALG (Application Layer Gateway) feature, so a DNS session is aged out differently from a normal UDP session (source: Juniper KB12312). Let's walk through how to implement a fix for this one outlier.
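Before carving out a policy exception it helps to confirm which hosts actually send DNS queries from a fixed source port, since those are the only ones that should get the exception. The following script is an added example, not code from the original post or from Juniper: it scans firewall flow-log lines for UDP/53 queries and flags source hosts that reuse one (or very few) source ports. The log line format, the sample lines and the function names are constructed for this example.

```python
"""Flag DNS clients that do not randomize their UDP source port.

Added example (not from the original post): scans flow-log lines for
UDP/53 queries and reports source hosts that reuse one or very few
source ports, the behaviour the post's custom application shows.
The log format and sample lines are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed flow-log format: "src=IP:PORT dst=IP:PORT proto=udp"
FLOW_RE = re.compile(
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

# Constructed sample: 10.0.0.5 is a well-behaved client with random ports,
# 10.0.0.9 is the custom app that always queries from port 5353,
# 10.0.0.7 has too few queries to judge (and one TCP flow to ignore).
SAMPLE_LOG = """\
src=10.0.0.5:49152 dst=10.0.1.10:53 proto=udp
src=10.0.0.5:51873 dst=10.0.1.10:53 proto=udp
src=10.0.0.5:60021 dst=10.0.1.10:53 proto=udp
src=10.0.0.5:53310 dst=10.0.1.10:53 proto=udp
src=10.0.0.9:5353 dst=10.0.1.10:53 proto=udp
src=10.0.0.9:5353 dst=10.0.1.10:53 proto=udp
src=10.0.0.9:5353 dst=10.0.1.10:53 proto=udp
src=10.0.0.9:5353 dst=10.0.1.10:53 proto=udp
src=10.0.0.9:5353 dst=10.0.1.11:53 proto=udp
src=10.0.0.7:40000 dst=10.0.1.10:53 proto=udp
src=10.0.0.7:40000 dst=10.0.1.10:53 proto=tcp
"""


def parse_dns_queries(log_text):
    """Return (src_ip, src_port) pairs for every UDP flow to port 53."""
    queries = []
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if m.group("proto") != "udp" or int(m.group("dport")) != 53:
            continue  # only UDP/53 is handled by the DNS ALG
        queries.append((m.group("sip"), int(m.group("sport"))))
    return queries


def source_port_stats(queries):
    """Per source IP: number of queries and the set of distinct source ports."""
    stats = defaultdict(lambda: {"queries": 0, "ports": set()})
    for sip, sport in queries:
        stats[sip]["queries"] += 1
        stats[sip]["ports"].add(sport)
    return stats


def find_fixed_port_clients(log_text, min_queries=3, max_distinct_ports=1):
    """Return a sorted list of (src_ip, distinct_ports, query_count) for hosts
    that sent at least `min_queries` DNS queries from no more than
    `max_distinct_ports` distinct source ports. Hosts with fewer queries are
    not judged: a single query cannot show whether the port varies."""
    stats = source_port_stats(parse_dns_queries(log_text))
    flagged = []
    for sip, s in stats.items():
        if s["queries"] >= min_queries and len(s["ports"]) <= max_distinct_ports:
            flagged.append((sip, len(s["ports"]), s["queries"]))
    return sorted(flagged)


if __name__ == "__main__":
    for sip, ports, count in find_fixed_port_clients(SAMPLE_LOG):
        print(f"{sip}: {count} queries from {ports} source port(s), not randomized")
```

Run it against an export of the firewall's flow or session log in the constructed format above (or adapt `FLOW_RE` to your log format); each flagged host is a candidate for the narrow policy exception described below, and anything else should keep the default ALG handling.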

Solution in 5 Steps:

  1. Find the policy.
  2. Adjust the offending policy.
  3. Test and see the difference.
  4. Remember to save!
  5. Celebrate the faulty-application workaround with coffee. ☕️
