Configuring Algs - HP 7102dl - ProCurve Secure Router Configuration Manual

ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network

Configuring ALGs

4-18
Configuring ALGs
ALGs monitor sessions on the OSI Application Layer. An ALG helps a firewall
read packets and filter them for the particular commands or information
relating to the ALG's application. Each application has a distinct ALG that
deals with its special concerns. Some applications must have an ALG to
function in the presence of a firewall.
For example, the application may exhibit behavior that the firewall considers
suspicious. Without an ALG, the firewall would drop suspicious packets and
the application would not work. Some applications receive data on one port
and send it out on another. An ALG monitors this process so that you do not
have to configure the firewall to allow traffic on both ports. Figure 4-6
illustrates how the FTP ALG allows traffic to the FTP server on port 20 and
from the server on port 21.
FTP client
Figure 4-6. FTP ALG
The Secure Router OS firewall supports ALGs for the following applications:
File Transfer Protocol (FTP)
H.323
Session Initiation Protocol (SIP)
Point-to-Point Tunneling Protocol (PPTP)
If your WAN uses any of these protocols and the router's firewall is enabled,
the corresponding ALG must also be enabled.
The FTP, SIP, and PPTP ALGs are enabled by default. You can also disable
them. In addition, you can enable the H.323 ALG, which is disabled by default.
20
Router
21
FTP
server