ZyWALL 5/35/70 Series User’s Guide

CHAPTER 29

ALG Screen

This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.

29.1 ALG Introduction

The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT unfriendly applications (such as SIP) to operate properly through the ZyWALL.

Some applications cannot operate through NAT (are NAT unfriendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses the IP address and port number information embedded in the data stream. When a device behind the ZyWALL uses an application for which the ZyWALL has ALG service enabled, the ZyWALL translates the device’s private IP address inside the data stream to a public IP address. It also records the session’s port numbers and dynamically creates implicit NAT port forwarding and firewall rules so that the application’s traffic can come in from the WAN to the LAN.

29.1.1 ALG and NAT

The ZyWALL dynamically creates an implicit NAT session for the application’s traffic from the WAN to the LAN.

The ALG on the ZyWALL supports all NAT mapping types, including One to One, Many to One, Many to Many Overload and Many One to One.

29.1.2 ALG and the Firewall

The ZyWALL uses the dynamic port that the session uses for data transfer in creating an implicit temporary firewall rule for the session’s traffic. The firewall rule only allows the session’s traffic to go through in the direction that the ZyWALL determines from its inspection of the data payload of the application’s packets. The firewall rule is automatically deleted after the application’s traffic has gone through.
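The payload inspection, address translation and implicit pinhole behaviour described in Section 29.1 and this section, as an added Python illustration; it is not ZyWALL or ZyNOS code, and the SIP INVITE, the addresses and the SipAlg and run_call names are constructed for the example.

```python
import re

# Constructed addresses: a LAN phone behind the ZyWALL and the WAN address it is translated to.
LAN_IP, WAN_IP = "192.168.1.20", "203.0.113.5"

class SipAlg:
    """Toy model of the ALG behaviour the text describes (illustration, not ZyNOS code)."""
    def __init__(self):
        # Each implicit rule: (proto, wan_port, lan_ip, lan_port, allowed_direction)
        self.pinholes = []

    def outbound(self, payload: str) -> str:
        """Translate the private IP embedded in the SIP/SDP payload and record the media port."""
        m = re.search(r"^m=audio (\d+) RTP/AVP", payload, re.M)
        if m:  # RTP port the remote party will send media to: open WAN->LAN for it only
            port = int(m.group(1))
            self.pinholes.append(("udp", port, LAN_IP, port, "WAN->LAN"))
        return payload.replace(LAN_IP, WAN_IP)

    def allowed(self, proto: str, dst_port: int, direction: str = "WAN->LAN") -> bool:
        """Firewall check: only traffic matching an open pinhole's port and direction passes."""
        return any(p[0] == proto and p[1] == dst_port and p[4] == direction
                   for p in self.pinholes)

    def close(self, port: int) -> None:
        """Delete the implicit rule once the session's traffic has gone through."""
        self.pinholes = [p for p in self.pinholes if p[1] != port]

# Constructed SIP INVITE whose SDP body embeds the phone's private address and RTP port.
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
          "Contact: <sip:alice@192.168.1.20:5060>\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 49170 RTP/AVP 0\r\n")

def run_call() -> dict:
    """Walk one call through the ALG and report what the firewall would allow at each step."""
    alg = SipAlg()
    rewritten = alg.outbound(INVITE)
    result = {"rewritten": rewritten,
              "rtp_in_allowed": alg.allowed("udp", 49170),        # True
              "other_port_allowed": alg.allowed("udp", 49171),    # False
              "reverse_dir_allowed": alg.allowed("udp", 49170, "LAN->WAN")}  # False
    alg.close(49170)
    result["after_close_allowed"] = alg.allowed("udp", 49170)     # False
    return result
```

The model shows why the implicit rule is narrow: only the negotiated media port, only in the direction the payload implies, and only for the life of the session.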

29.1.3 ALG and Multiple WAN

When the ZyWALL has two WAN ports and uses the second highest priority WAN port as a backup, the application’s traffic cannot pass through when the primary WAN port connection fails. The ZyWALL does not automatically change the connection over to the secondary WAN port.

Chapter 29 ALG Screen

462