Some applications use multiple channels for data transmission; the commonly used FTP is one example. In such a case the control channel and the data channel are separate. A security appliance under a strict security policy may set tight limits on each channel, for example allowing only the FTP control connection from the internal network to the external network on the well-known port TCP 21. In FTP active mode, the client tells the server, in the PORT command on the control channel, which of its ports the server should connect back to, and the FTP server in the public network then initiates a connection to that randomly chosen port of the host in the internal network. The security appliance rejects that inbound connection, and FTP does not work properly in such a condition. This requires the security appliance to be intelligent enough to handle the legitimate randomness of such applications under strict security policies. In the FTP case, by analyzing the traffic on the FTP control channel, the security appliance becomes aware that the server and the client have agreed on a data port, and opens a temporary communication channel (a pinhole) for the server to connect to that port of the client, thus assuring the proper operation of FTP.
The system adopts the strictest NAT mode. Some VoIP applications may work improperly after NAT because the IP address and port number carried inside the application payload (for example in SIP or H.323 signaling) no longer match the translated address and port in the packet header. The ALG mechanism inspects that payload and rewrites the embedded addresses, ensuring normal communication of VoIP applications after NAT. Therefore, ALG supports the following functions:
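The two mechanisms described above, control-channel inspection to open a pinhole for the data channel, and rewriting of addresses embedded in the payload when the client sits behind NAT, can be modelled together on FTP, the simplest of the listed protocols. The following Python is an added example written for this page, not the appliance's own ALG implementation. It parses PORT commands (active mode) and, going beyond the active-mode case discussed above, 227 replies (passive mode); the client, server and NAT addresses, the port pool starting at 40000 and the control-channel lines are all constructed for illustration.

```python
"""Minimal FTP ALG model: parse the control channel, open pinholes for the data
channel, and rewrite the address embedded in PORT commands when the client sits
behind source NAT.  Added example, not the appliance's own implementation."""
import re
from collections import namedtuple

# Pinhole the firewall opens temporarily: who may connect to which address:port.
# The server's source port is deliberately not checked; port 20 is customary but
# not guaranteed by every FTP server.
Pinhole = namedtuple("Pinhole", "src_ip dst_ip dst_port")

# RFC 959 encodes the data-channel endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"$", re.IGNORECASE)   # client -> server
PASV_RE = re.compile(r"^227\s.*?\(" + _SIX + r"\)")               # server -> client


def decode_endpoint(groups):
    """Turn the six captured numbers into (ip, port), rejecting out-of-range values."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in FTP endpoint")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 in FTP endpoint")
    return ".".join(str(n) for n in nums[:4]), port


def encode_endpoint(ip, port):
    """Inverse of decode_endpoint: ip, port -> 'h1,h2,h3,h4,p1,p2'."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


class FtpAlg:
    """State for one FTP control session seen by the firewall."""

    def __init__(self, client_ip, server_ip, nat_ip=None):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.nat_ip = nat_ip            # public address the client is SNAT'ed to (None = no NAT)
        self.pinholes = []              # data-channel connections the policy temporarily allows
        self.dnat_map = {}              # (nat_ip, nat_port) -> (client_ip, client_port)
        self._next_nat_port = 40000     # assumed port pool for rewritten PORT commands

    def client_to_server(self, line):
        """Inspect one control-channel line from the client; return the line to forward."""
        m = PORT_RE.match(line.rstrip("\r\n"))
        if not m:
            return line                                  # not a PORT command: pass through
        ip, port = decode_endpoint(m.groups())
        # Anti-bounce check: the client may only ask the server to connect back to itself.
        if ip != self.client_ip:
            raise ValueError(f"PORT names {ip}, not the client {self.client_ip}")
        if port < 1024:
            raise ValueError("refusing PORT to a privileged port")
        if self.nat_ip is None:
            # No NAT: just permit the server to connect to the port the client chose.
            self.pinholes.append(Pinhole(self.server_ip, self.client_ip, port))
            return line
        # Behind SNAT the private address in PORT is unreachable from the server:
        # allocate a public port, record the DNAT mapping and rewrite the command.
        nat_port = self._next_nat_port
        self._next_nat_port += 1
        self.dnat_map[(self.nat_ip, nat_port)] = (self.client_ip, port)
        self.pinholes.append(Pinhole(self.server_ip, self.nat_ip, nat_port))
        return f"PORT {encode_endpoint(self.nat_ip, nat_port)}\r\n"

    def server_to_client(self, line):
        """Inspect one control-channel line from the server (passive mode, 227 reply)."""
        m = PASV_RE.match(line.rstrip("\r\n"))
        if not m:
            return line
        ip, port = decode_endpoint(m.groups())
        # Mirror of the PORT check: the server may only direct the client to itself.
        if ip != self.server_ip:
            raise ValueError(f"227 names {ip}, not the server {self.server_ip}")
        # The client connects outbound, so nothing embedded needs rewriting; only a pinhole.
        self.pinholes.append(Pinhole(self.client_ip, self.server_ip, port))
        return line


if __name__ == "__main__":
    # Constructed session: private client behind SNAT talking to a public server.
    alg = FtpAlg("10.0.0.5", "203.0.113.10", nat_ip="198.51.100.1")
    print(alg.client_to_server("PORT 10,0,0,5,195,80\r\n").strip())
    print(alg.server_to_client("227 Entering Passive Mode (203,0,113,10,39,16).\r\n").strip())
    for hole in alg.pinholes:
        print(hole)
```

A real ALG ties each pinhole and DNAT mapping to the control session and removes them when the data connection completes or the session times out; this model only records them. The two address checks are what keep the pinhole from becoming an FTP bounce vector: without them, a PORT command could direct the server at an arbitrary internal host and the ALG would dutifully open the path.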
The system allows you to enable or disable ALG for different applications. ALG is supported for the following applications: FTP, HTTP, MSRPC, RSH, RTSP, SQLNetV2, SUNRPC, TFTP, SIP, Q.931, RAS and H323. Besides enabling or disabling ALG per application, you can also specify the H323 session timeout.
To enable ALG, take the following steps: