USG FLEX H Series User’s Guide
CHAPTER 10
ALG
10.1 ALG Overview
Application Layer Gateway (ALG) allows File Transfer Protocol (FTP) to operate properly through the Zyxel Device’s NAT.
The ALG feature is only needed for traffic that goes through the Zyxel Device’s NAT.
10.1.1 What You Need to Know
Application Layer Gateway (ALG), NAT and Security Policy
The Zyxel Device can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as FTP) to operate properly through the Zyxel Device’s NAT and security policy. The Zyxel Device dynamically creates an implicit NAT session and security policy session for the application’s traffic from the WAN to the LAN. The ALG on the Zyxel Device supports all of the Zyxel Device’s NAT mapping types.
ALG
Some applications cannot operate through NAT (are NAT unfriendly) because they embed IP addresses and port numbers in their packets’ data payload. The Zyxel Device examines and uses the IP address and port number information embedded in the FTP traffic’s data stream. When a device behind the Zyxel Device uses an application for which the Zyxel Device has FTP pass through enabled, the Zyxel Device translates the device’s private IP address inside the data stream to a public IP address. It also records the session port numbers and allows the related sessions to go through the security policy so the application’s traffic can come in from the WAN to the LAN.
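To make the mechanism concrete, here is an added Python model (not Zyxel code, and not the Zyxel Device’s implementation) of what an FTP ALG does with the control stream: it parses the client’s PORT command and the server’s 227 reply, the two places FTP embeds an address and port, rewrites the private address to the public one, and records the related data session that the security policy must admit. The private address 192.168.1.10 and public address 203.0.113.5 are assumed sample values.

```python
import re

# The two places FTP embeds an address and port in its control stream:
# the client's PORT command (active mode) and the server's 227 reply (passive mode).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2), rejecting bad octets."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("FTP address/port octet out of range")
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]

def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

class FtpAlg:
    """Model of an FTP ALG for one NATted host: rewrites the embedded private
    address and records the related data session the policy must admit."""

    def __init__(self, private_ip, public_ip):
        self.private_ip = private_ip   # assumed sample LAN address
        self.public_ip = public_ip     # assumed sample WAN address
        self.pinholes = []             # (direction, ip, port) sessions to allow

    def outbound(self, line):
        """Client -> server control line (LAN to WAN)."""
        m = PORT_RE.match(line)
        if not m:
            return line                # not a PORT command; pass through untouched
        ip, port = _decode(m.groups())
        if ip != self.private_ip:
            return line                # address is not the host we NAT for
        # The server will open a data connection from the WAN to public_ip:port,
        # so record exactly that one inbound session for the security policy.
        self.pinholes.append(("wan_to_lan", self.public_ip, port))
        return f"PORT {_encode(self.public_ip, port)}\r\n"

    def inbound(self, line):
        """Server -> client control line (WAN to LAN)."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = _decode(m.groups())
        # The client will connect out to ip:port; record it as a related session.
        self.pinholes.append(("lan_to_wan", ip, port))
        return line
```

A real ALG must also adjust TCP sequence and acknowledgement numbers when the rewritten line changes length; this model leaves that out.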
ALG and Trunks
If you send your ALG-managed traffic through an interface trunk and all of the interfaces are set to active, you can configure routing policies to specify which interface the ALG-managed traffic uses.
You could also have a trunk with one interface set to active and a second interface set to passive. The Zyxel Device does not automatically change ALG-managed connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface.