TMS zl Management and Configuration Guide ST.1.2.100916
4-90
Firewall
Application-Level Gateways (ALGs)
■ The control port enables the TMS zl Module to recognize sessions that
need to be handled by the ALG.
For example, when the module detects that a packet destined to TCP port
21 has opened a session, it knows to apply the FTP ALG to that session.
Port maps help the TMS zl Module link ports to applications. In Table 4-12, a section mark (§) means that a port map is configured for that service.
The control ports on the module’s ALGs are the standard ports for these
applications. If you are using a non-standard port for one of these applications,
you must remember to complete both of these tasks:
■ Configure firewall access policies that specify the correct port for the
service. If you are using service objects, you might edit a preconfigured
service object with the correct port number for your environment, or you
might create a new service object.
■ Configure a port map that associates your non-standard port with the
application in question.
ALG Types
The ALGs provide several types of support:
■ Firewall
■ NAT
■ Application filtering
These types of support are described in the section below. An ALG often also
provides other specialized support for the specific application with which it
is associated. You can read more about each ALG in “ALG Descriptions” on
page 4-91.
ALG Firewall Support. Some applications have difficulty running through
a firewall because they use dynamic ports. In other words, a client initiates
the session by contacting the well-known control port for the application.
Then the client and server negotiate a dynamic port on which the session
actually runs. Without the ALG, the firewall might permit the packets that
initiate the session but block the packets on the dynamically-selected port. To
allow the application to run, you would need to open all of the ports that the
application might choose. However, opening such a large number of ports is
not only complicated—worse, it creates a security risk.
An ALG with firewall support solves the problem by monitoring each session
established using the control port associated with its application. The ALG
opens the specific dynamic port selected for that session and keeps this port
open only for the duration of the session.
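The behavior described above, as an added illustration that is not part of the guide or the TMS zl software: a minimal FTP ALG model in which the static policy permits only the control port (TCP 21), the ALG reads the server's passive-mode reply off the control channel to learn the dynamic data port, opens a pinhole for exactly that endpoint, and drops the pinhole when the control session ends. The session id, the 192.0.2.10 server address and the class and method names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed example of ALG "firewall support": the control port is allowed by
# static rule; dynamic data ports are opened per session and only while it lasts.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass
class FtpAlg:
    control_port: int = 21                        # standard port; a port map would change this
    pinholes: dict = field(default_factory=dict)  # session_id -> set of (ip, port)

    def allow_packet(self, dst_ip: str, dst_port: int) -> bool:
        """Static policy plus ALG pinholes: control port always, data ports only while open."""
        if dst_port == self.control_port:
            return True
        return any((dst_ip, dst_port) in holes for holes in self.pinholes.values())

    def inspect_control(self, session_id: str, line: str):
        """Parse a server 227 reply and open a pinhole for the negotiated data port.
        Returns the (ip, port) opened, or None if the line is not a usable PASV reply."""
        m = PASV_RE.match(line.strip())
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
            return None                           # malformed reply: open nothing
        endpoint = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        self.pinholes.setdefault(session_id, set()).add(endpoint)
        return endpoint

    def close_session(self, session_id: str) -> None:
        """Control session ended: every pinhole it opened closes with it."""
        self.pinholes.pop(session_id, None)

def demo() -> list:
    """Walk one constructed session through the ALG; returns the allow/deny decisions in order."""
    alg = FtpAlg()
    server = "192.0.2.10"                         # constructed documentation address
    out = [alg.allow_packet(server, 21)]          # control connection: permitted by static rule
    out.append(alg.allow_packet(server, 50010))   # data port before negotiation: denied
    alg.inspect_control("s1", "227 Entering Passive Mode (192,0,2,10,195,90)\r\n")
    out.append(alg.allow_packet(server, 50010))   # 195*256+90 = 50010: pinhole now open
    alg.close_session("s1")
    out.append(alg.allow_packet(server, 50010))   # pinhole removed with the session
    return out
```

Calling `demo()` returns `[True, False, True, False]`, which is the sequence the text describes: only the control port is reachable until the ALG sees the negotiated port, and that port closes again with the session.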