F3215-HP Load Balancing Module Network Management Configuration Guide-6PW101

Configuring ALG
This feature can be configured only at the CLI.
Application Level Gateway (ALG) inspects, and where necessary rewrites, the payload of application layer
packets so that the data connections those protocols negotiate can be established through NAT.
NAT normally translates only the IP address and port information in packet headers and does not
analyze fields in application layer payloads. However, the payloads of some protocols carry IP
address or port information themselves, and the application breaks if those fields are left untranslated
while the header is changed. FTP is the classic example: it uses a control connection and a separate
data connection, and the endpoint of the data connection is negotiated dynamically in the payload of the
control connection (the PORT command or the reply to PASV).
ALG can work with NAT to implement the following functions:
Address translation—Translates the source IP address, port, protocol type (TCP or UDP), and remote
IP address information carried in packet payloads so that it is consistent with the translated header.
Data connection detection—Extracts the endpoint information needed for the data connection and
creates the corresponding NAT mapping and session entry in advance, so the data connection is
accepted when it arrives.
Application layer status checking—Tracks the state of the application layer protocol. Packets that
arrive in a valid state have the state updated and are passed on for further processing; packets that
arrive in an invalid state are dropped.
Which of these functions is available depends on the application layer protocol.
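The following is an added, illustrative example of the three functions above applied to FTP; it is not the F3215-HP implementation and makes no claim about how this device stores its state. It rewrites the address and port embedded in a client's PORT command to the NAT's public address and a mapped port (address translation), records the data connection that NAT must expect for both active and passive mode (data connection detection), and drops a 227 reply that arrives without an outstanding PASV command or a PORT command whose embedded address does not match the sender (status checking). The addresses, the mapped-port range starting at 60000, and the pinhole tuple layout are assumptions made for the example.

```python
import re

# The two FTP control-channel messages that carry endpoint information in the
# payload: the client's PORT command and the server's 227 reply to PASV.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> (dotted IP, port)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def encode_hostport(ip, port):
    """(dotted IP, port) -> h1,h2,h3,h4,p1,p2."""
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpAlg:
    """ALG state for one FTP control connection from an inside client
    crossing a NAT (toy model, not the device's own data structures)."""

    def __init__(self, inside_ip, outside_ip, first_mapped_port=60000):
        self.inside_ip = inside_ip      # private client address
        self.outside_ip = outside_ip    # public NAT address
        self.next_port = first_mapped_port  # assumed mapped-port allocator
        self.pasv_pending = False       # status check: a 227 needs a PASV first
        self.pinholes = []              # data connections NAT must expect
        self.seq_delta = 0              # payload size change; NAT must shift
                                        # TCP seq/ack numbers by this amount

    def outbound(self, line):
        """Client -> server control line. Returns the (possibly rewritten)
        line, or None to drop it."""
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != self.inside_ip:
                return None  # embedded address does not match sender: drop
            mapped = self.next_port
            self.next_port += 1
            # The server will connect to outside_ip:mapped; NAT must map
            # that inbound connection back to inside_ip:port.
            self.pinholes.append(("active", self.outside_ip, mapped,
                                  self.inside_ip, port))
            new = "PORT %s\r\n" % encode_hostport(self.outside_ip, mapped)
            self.seq_delta += len(new) - len(line)
            return new
        if line.upper().startswith("PASV"):
            self.pasv_pending = True
        return line

    def inbound(self, line):
        """Server -> client control line. Returns the line, or None to drop."""
        m = PASV_RE.match(line)
        if m:
            if not self.pasv_pending:
                return None  # 227 with no PASV outstanding: invalid state
            self.pasv_pending = False
            ip, port = decode_hostport(m.groups())
            # The client will connect from inside_ip to ip:port; with the
            # server outside the NAT the 227 payload needs no rewriting, only
            # a session entry so the data connection is tracked as related.
            self.pinholes.append(("passive", self.inside_ip, None, ip, port))
        return line


if __name__ == "__main__":
    # Constructed sample exchange: client 10.0.0.5 behind NAT 203.0.113.7.
    alg = FtpAlg("10.0.0.5", "203.0.113.7")
    print(alg.outbound("PORT 10,0,0,5,4,1\r\n"))
    print(alg.outbound("PASV\r\n"))
    print(alg.inbound("227 Entering Passive Mode (198,51,100,2,200,10)\r\n"))
    print(alg.pinholes, alg.seq_delta)
```

The `seq_delta` field is the detail that trips up hand-rolled payload rewriting: the rewritten PORT line is longer than the original, so every later segment on the control connection needs its sequence number (and the server's acknowledgements) adjusted by that amount or the TCP stream desynchronizes.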
ALG can process the following protocol packets:
DNS
FTP
H.323, including RAS, H.225, and H.245
ICMP
ILS
MSN
NBT
PPTP
QQ
RTSP
SCCP
SIP
SQLNET (SQL*Net, the Oracle client/server network protocol)
TFTP
When ALG processes H.323, fragmented H.323 packets are held in a reassembly cache with their
Layer 2 header stripped, so these packets cannot be forwarded at Layer 2; H.323 ALG works only on
Layer 3 forwarded traffic.
ALG process
The following example describes the FTP operation of an ALG-enabled device.