How it works
ALG handles the dynamic firewall policies required by certain protocols, such as FTP. Many such protocols were designed without firewalls, NAT or other access controls in mind and carry IP addresses and port numbers inside their payload, so a firewall that inspects only packet headers cannot know which secondary connections it should permit.
For example, FTP uses multiple sessions to carry out a transfer: a primary command channel and secondary data channels for directory listings and file contents. In active mode the data connection is opened by the server back to the client, the opposite direction to the command channel, so a stateful firewall that only allows client-initiated connections would block it.
FTP ALG solves this by monitoring the FTP command channel for PORT commands (and, in passive mode, the server's 227 reply), which announce the IP address and port on which the data connection is expected. The ALG then dynamically adds a pinhole to the firewall policy for exactly that combination of source and destination address and port, and removes it again once the data session ends. A well-implemented ALG only accepts an announced address that belongs to the endpoint that announced it; otherwise the command channel could be used to open holes towards third-party hosts.
FTP ALG also handles the case where the FTP session passes through NAT. The endpoints are unaware that their addresses are translated in transit: the client places the address configured on its own interface into the PORT command, and for a host behind NAT that is a private address unreachable from the Internet. The ALG fixes this at the application layer by rewriting the embedded address (and usually the port) with the public address of the NAT interface and a port it has reserved for the data connection. Because the rewritten command can differ in length from the original, the ALG must also adjust TCP sequence and acknowledgement numbers on the command channel for the rest of the session.
Examples of protocols that require ALG
- FTP: in active mode the client announces its own IP address and port in the PORT command; in passive mode (PASV) the server announces its own address and port in the 227 reply. The ALG must parse both forms and, under NAT, rewrite the embedded address in each.
- PPTP: the tunnelled data travels in GRE, which has no concept of a "port number", so a NAT device cannot tell the GRE streams of several internal clients apart by header fields alone. A PPTP ALG reads the Call ID negotiated on the TCP control connection (port 1723) and uses it to map GRE packets to the right client, which allows more than one PPTP connection through a single translated address.
- H.323: the suite is built from H.225.0 (call signalling and RAS) and H.245 (media control), which exchange the IP addresses and ports of the RTP/RTCP media streams inside their messages. The ALG decodes these messages, opens the corresponding pinholes and rewrites the embedded addresses when NAT is in use.
- Similar handling is needed for file transfers in some instant-messaging protocols, for hosting game servers behind NAT, and for peer-to-peer file-sharing networks, all of which exchange addresses and ports in their payload.
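The following is an added example, not code from the original page or from any firewall product. It models the FTP ALG logic described above: decoding the six-number host-port tuple that both the PORT command and the 227 reply use, deriving the pinhole the firewall must open for the data connection (server-to-client in active mode, client-to-server in passive mode), rejecting an announced address that does not belong to the endpoint that announced it, and rewriting the PORT command with the NAT address while reporting the payload length change that the TCP sequence numbers would have to absorb. The addresses and ports are constructed sample values; actual rule insertion, rule teardown and sequence-number patching are represented only by the returned values.

```python
"""Toy FTP ALG logic (added example, not code from any firewall product).

It inspects the FTP control channel, derives the data-channel pinhole the
firewall has to open, and rewrites the embedded address when the client sits
behind NAT. All addresses below are constructed sample values."""

import re
from dataclasses import dataclass

# FTP encodes an IPv4 address and a 16-bit port as six decimal numbers.
HOSTPORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return ('h1.h2.h3.h4', p1*256+p2) from a PORT command or 227 reply."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host-port tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(host, port):
    """Inverse of decode_hostport."""
    return "%s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


@dataclass(frozen=True)
class Pinhole:
    """Temporary firewall rule: initiator -> responder:port. Closing it when
    the data connection ends is not modelled here."""
    initiator_ip: str
    responder_ip: str
    responder_port: int


def handle_port(line, client_ip, server_ip, nat_ip=None, nat_port=None):
    """Active mode. The client sent a PORT command; the server will connect
    back to the announced address. Returns (pinhole, line_to_forward,
    tcp_seq_delta)."""
    host, port = decode_hostport(line)
    # Only open holes towards the endpoint that issued the command.
    if host != client_ip:
        raise ValueError("PORT address %s is not the client's (%s)" % (host, client_ip))
    if port < 1024:
        raise ValueError("refusing data port %d below 1024" % port)
    if nat_ip is None:
        return Pinhole(server_ip, client_ip, port), line, 0
    # Behind NAT the server must be told the translated address instead.
    mapped = nat_port if nat_port is not None else port
    forwarded = "PORT %s\r\n" % encode_hostport(nat_ip, mapped)
    # The rewrite changes the payload length, so every later TCP segment on
    # the command channel needs its sequence numbers shifted by this much.
    return Pinhole(server_ip, nat_ip, mapped), forwarded, len(forwarded) - len(line)


def handle_pasv_reply(line, server_ip, client_ip):
    """Passive mode. The server's 227 reply announces the server's own address;
    the client connects to it, so the pinhole runs client -> server."""
    if not line.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % line)
    host, port = decode_hostport(line)
    if host != server_ip:
        raise ValueError("227 address %s is not the server's (%s)" % (host, server_ip))
    return Pinhole(client_ip, server_ip, port)


if __name__ == "__main__":
    # Constructed sample: a private client behind a NAT router talking to a
    # public server.
    client, nat, server = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    hole, fwd, delta = handle_port("PORT 192,168,1,10,4,1\r\n", client, server,
                                   nat_ip=nat, nat_port=40001)
    print(hole, fwd.strip(), "seq delta", delta)
    print(handle_pasv_reply("227 Entering Passive Mode (203,0,113,5,195,80).\r\n",
                            server, client))
```

The address check in `handle_port` is the part worth copying: without it, any client on the inside could use its command channel to have the firewall open a pinhole to an arbitrary host and port, and the rewritten-length delta is the reason a NAT-aware ALG has to keep per-connection TCP state rather than patching packets in isolation.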