TMS zl Management and Configuration Guide ST.1.1.100226

4-90
Firewall
Application-Level Gateways (ALGs)
As you can see in Table 4-12 on page 4-88, most of the ALGs on the TMS zl Module provide firewall support.

ALG NAT Support. NAT can interfere with applications that embed IP information within the application data. Because NAT changes IP addresses (and sometimes ports) in the IP header, the IP information within the application data is no longer valid, and the application fails to function correctly.

An ALG that provides NAT support solves this problem by modifying the application data to match the alteration performed by NAT. Several ALGs on the TMS zl Module provide NAT support.

Application Filtering. A few TMS zl Module ALGs provide filtering that is specific to a particular application. For example, the RPC ALG can filter packets according to their program number.
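The following is an added worked example, not code from the TMS zl Module or from this guide. It uses the FTP ALG (described under "ftp" below) as the concrete case of ALG NAT support: it parses the address and port that FTP embeds in a PORT command or a 227 PASV reply, rewrites them to match a NAT translation, and returns the endpoint for which the firewall must open a data-connection association (pinhole). The NAT mapping table, the `client_ip`/`server_ip` ownership check and the pinhole representation are assumptions made for this illustration; the sample FTP lines are constructed.

```python
import re
from dataclasses import dataclass

# Added example (not TMS zl code). An FTP ALG must read the IP address and
# port that the application layer embeds in PORT commands and PASV replies,
# rewrite them when NAT has changed the address, and open a matching
# association so the data connection is allowed through.

# RFC 959 encodes an endpoint as six decimal fields: h1,h2,h3,h4,p1,p2
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HP + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 [^(]*\(" + _HP + r"\)")


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def decode_hp(fields):
    """Decode the six h1..h4,p1,p2 fields into an Endpoint; port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return Endpoint(".".join(str(n) for n in nums[:4]), port)


def encode_hp(ep):
    """Encode an Endpoint back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ep.ip.split(".") + [str(ep.port >> 8), str(ep.port & 0xFF)])


def parse_port_command(line):
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hp(m.groups())


def parse_pasv_reply(line):
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return decode_hp(m.groups())


def alg_handle_port(line, client_ip, nat_map):
    """Active mode: client -> server PORT command.

    nat_map (assumed shape) maps (inside_ip, inside_port) -> (outside_ip, outside_port).
    Returns (rewritten control line, pinhole endpoint): the server will connect
    back to the pinhole endpoint, so the firewall must now permit that connection.
    """
    ep = parse_port_command(line)
    if ep.ip != client_ip:
        # Only open a data channel back to the host that owns the control
        # connection; a PORT naming some other address gets no association.
        raise ValueError("PORT address %s does not belong to client %s" % (ep.ip, client_ip))
    outside = nat_map.get((ep.ip, ep.port))
    if outside is None:
        raise KeyError("no NAT translation for %s:%d" % (ep.ip, ep.port))
    new_ep = Endpoint(*outside)
    return "PORT %s\r\n" % encode_hp(new_ep), new_ep


def alg_handle_pasv(line, server_ip, nat_map):
    """Passive mode: server -> client 227 reply.

    If the server's advertised address is translated by NAT, rewrite the reply;
    otherwise pass it through unchanged. Either way the returned endpoint is the
    one the client will connect to and the firewall must permit.
    """
    ep = parse_pasv_reply(line)
    if ep.ip != server_ip:
        raise ValueError("PASV address %s does not belong to server %s" % (ep.ip, server_ip))
    outside = nat_map.get((ep.ip, ep.port))
    if outside is None:
        return line, ep
    new_ep = Endpoint(*outside)
    return "227 Entering Passive Mode (%s).\r\n" % encode_hp(new_ep), new_ep


if __name__ == "__main__":
    # Constructed sample: inside client 10.0.0.5 translated to 203.0.113.7.
    nat = {("10.0.0.5", 50000): ("203.0.113.7", 40001)}
    print(alg_handle_port("PORT 10,0,0,5,195,80\r\n", "10.0.0.5", nat))
    print(alg_handle_pasv("227 Entering Passive Mode (192,0,2,10,39,16).\r\n", "192.0.2.10", {}))
```

Note that the rewritten PORT line can differ in length from the original, which is why an ALG that modifies application data inside a TCP stream has more to do than this parser shows: the rest of the connection's segments must stay consistent with the changed payload length.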
ALG Descriptions
The following section lists the ALGs in alphabetical order by CLI name and explains how each ALG functions.
ftp
The FTP ALG:
- interprets the PORT command from the client and allows the server to make a connection back to the client for data transfer by
  - extracting the IP address and port from the PORT command
  - opening up a new association so that the data connection can be established successfully. Then the server makes a data connection to the client for data transfer.
- supports both active and passive mode
- interprets the PASV reply from the server in response to a PASV request from the client by
  - extracting the IP address and port from the PASV reply
  - opening up a new association so that the data connection can be established successfully. Then the client makes a data connection to the server for data transfer.
- performs the following functionality:
  - application-control filters — If application control support is enabled in the firewall, and the FTP application-control record is attached to the policy that allowed the FTP connection to go through,