TMS zl Management and Configuration Guide ST.1.1.100430
4-98
Firewall
Port Triggers
Caution An explicit firewall access policy that denies the ports that an ALG attempts
to open dynamically can interfere with the ALG. Therefore, when you create
access policies you should simply permit the ports that you want to open
permanently. Then allow the TMS zl Module to deny all other traffic implicitly,
which is the module’s automatic behavior. Do not create an explicit policy to
deny all other traffic.
Port Triggers
The firewall in the TMS zl Module can handle some dynamic connections with
the ALGs, but for applications not supported by the ALGs, you must configure
port trigger policies.
A port trigger policy is activated or “triggered” when a connection is initiated
that meets these criteria:
■ It is for the application (protocol/port) specified in the policy.
■ It is from a source permitted by the policy.
The port trigger then opens the range of ports specified within the policy. Note
that these ports are opened only for traffic to and from the specific source that
triggered the policy.
The policy can open ports for traffic both inbound to the source and outbound
from the source. This is necessary because the dynamically negotiated port
can be in the same direction or in the opposite direction of the initial
connection. You can configure inbound and outbound ports separately because
some applications use different ports for each traffic direction.
Note A port trigger resembles an ALG with firewall support in that it allows
applications that use dynamically selected ports to run through the firewall.
However, a port trigger does not provide all the functionality of an ALG:
■ The port trigger opens the entire range of configured ports for each
permitted session while an ALG opens only the port that is actually in use.
■ A port trigger does not provide specific protections for the application.
■ A port trigger does not handle issues that are introduced by performing
NAT on the application’s traffic.