October 26, 2022
Application Level Gateway (ALG) is a component of a NAT router that understands an application protocol and, when packets of that protocol pass through, modifies them so that users behind the NAT can use the protocol.

How it works

ALG handles the dynamic firewall policies required by certain protocols, such as FTP. Many such protocols were designed without regard to security or other access controls, which can cause problems when implementing firewalls.

For example, FTP uses multiple sessions to facilitate file transfers – a primary command channel and secondary data channels for directory listings and file transfers. These data channels often go in the opposite direction to the primary command channel.

Because these data channels can use any port, it is almost impossible to write a static firewall policy that allows them and still provides adequate protection.

FTP ALG solves this problem automatically by monitoring the FTP command channel and looking for FTP PORT commands, which indicate the source and destination ports being requested. The ALG then dynamically opens a pinhole in the firewall policy for that specific combination of source and destination IP addresses and ports, so the data session can be established. Once the session is complete, the gateway closes the pinhole immediately.

FTP ALG also handles the special case when an FTP session passes through a NAT interface. In this case, the endpoints do not always realize that their addresses are being translated midstream. FTP port commands use IP addresses that are configured on endpoint interfaces, which in the case of a host behind a NAT firewall is usually unreachable from the Internet. ALG solves this problem at the application layer by replacing the internal IP with the address of the NAT interface.
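The two jobs described above, opening a pinhole from the PORT command and rewriting the private address to the NAT interface address, can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from any real ALG or NAT product; the addresses, the port pool starting at 40000 and the `FtpAlg` class are all constructed for the example. It also shows the check a real ALG must make before rewriting: the address embedded in the command has to be the translated host's own address, otherwise a client could use a PORT command to open a pinhole to a different internal machine.

```python
import re
from dataclasses import dataclass, field

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server where to connect back to.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.IGNORECASE,
)


def decode_hostport(fields):
    """Turn the six decimal fields of a PORT command into ('a.b.c.d', port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("host-port field out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('a.b.c.d', port) -> 'a,b,c,d,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class Pinhole:
    """One dynamically opened firewall rule plus its NAT mapping (constructed model)."""
    peer_ip: str        # only this FTP server may connect in through the hole
    nat_ip: str         # public address the server will connect to
    nat_port: int       # public port the server will connect to
    inside_ip: str      # private host the connection is forwarded to
    inside_port: int    # port that host actually announced in its PORT command


@dataclass
class FtpAlg:
    inside_ip: str      # the translated host on the private side (hypothetical)
    nat_ip: str         # address of the NAT interface (hypothetical)
    next_port: int = 40000                              # constructed port pool
    pinholes: dict = field(default_factory=dict)        # nat_port -> Pinhole

    def rewrite_port_command(self, line, server_ip):
        """Inspect one command-channel line; rewrite PORT and open a pinhole."""
        m = PORT_RE.match(line)
        if not m:
            return line, None      # not a PORT command: pass through untouched
        client_ip, client_port = decode_hostport(m.groups())
        if client_ip != self.inside_ip:
            # Embedded address is not the translated host. Rewriting it would let
            # the command open a pinhole to another internal machine, so refuse.
            return line, None
        nat_port = self.next_port
        self.next_port += 1
        hole = Pinhole(server_ip, self.nat_ip, nat_port, client_ip, client_port)
        self.pinholes[nat_port] = hole
        # Replace the private address/port with the NAT interface address/port.
        return f"PORT {encode_hostport(self.nat_ip, nat_port)}\r\n", hole

    def inbound_allowed(self, src_ip, dst_ip, dst_port):
        """Firewall decision for a new inbound TCP connection: target or None."""
        hole = self.pinholes.get(dst_port)
        if hole and hole.peer_ip == src_ip and hole.nat_ip == dst_ip:
            return hole.inside_ip, hole.inside_port
        return None

    def data_connection_closed(self, nat_port):
        """Close the pinhole as soon as the data transfer is finished."""
        self.pinholes.pop(nat_port, None)

    def session_closed(self):
        """Command channel torn down: nothing may remain open."""
        self.pinholes.clear()


if __name__ == "__main__":
    alg = FtpAlg(inside_ip="10.0.0.5", nat_ip="203.0.113.7")
    rewritten, hole = alg.rewrite_port_command("PORT 10,0,0,5,4,1\r\n", "198.51.100.9")
    print(rewritten.strip(), "->", hole)
    print(alg.inbound_allowed("198.51.100.9", "203.0.113.7", 40000))
```

The addresses are from the RFC 5737 documentation ranges. The `inbound_allowed` check is deliberately narrow: a pinhole admits only the server seen on the command channel, only to the one external port handed out for that transfer, and it disappears when the transfer or the session ends, which is what distinguishes an ALG from simply leaving a port range open.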

The principle of an ALG is similar to that of a proxy server: the gateway sits in the path of the protocol and ensures that clients can use it.

Examples of protocols that require ALG

  • FTP (PORT/PASV): the client’s IP address and port number are carried inside the PORT command, which the ALG rewrites.
  • PPTP has no concept of a “port number,” which causes problems with address translation to the outside world. An ALG allows more than one PPTP connection to be established through the NAT.
  • H.323: the ALG handles the H.225.0 and H.245 signalling protocols that together provide an audio/video session across any network.
  • ALGs also handle the file-transfer protocols of some messengers, support the creation of game servers, and help file-sharing networks to operate.