Enabling/Disabling Application Layer Gateway Protocols Overview

Application Layer Gateways (ALGs) manage specific protocols by intercepting traffic as it passes through the security device. After analyzing the traffic, the ALG allocates resources to permit the traffic to pass securely. By default, all ALGs are enabled on a security device. In situations where a security device is receiving an excessive amount of malicious or accidental traffic of a particular type, you might want to disable the associated ALG.

You can enable or disable the following ALG protocols:

  • H.323 — Three ALGs handle specific tasks for H.323 traffic. To disable H.323 on the security device, you must disable all three of the following ALGs:
    • H.245 — This ALG handles the control signaling protocol used to exchange messages between H.323 endpoints.
    • Q.931 — This ALG handles the Layer 3 protocol used for Integrated Services Digital Network (ISDN) call establishment, maintenance, and termination between H.323 endpoints.
    • RAS — The Registration, Admission, and Status (RAS) ALG handles the protocol used to register, control admission, change bandwidth, check status, and perform disengage procedures between H.323 endpoints and gatekeepers.
  • MSRPC — The Microsoft Remote Procedure Call (MS-RPC) ALG handles the protocol that enables a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's universally unique identifier (UUID).
  • RTSP — The Real-Time Streaming Protocol (RTSP) controls delivery of one or more synchronized streams of multimedia, such as audio and video.
  • SIP — The Session Initiation Protocol (SIP) is an Internet Engineering Task Force (IETF) standard protocol for initiating, modifying, and terminating multimedia sessions (such as conferencing and telephony) over the Internet. SIP is used to distribute the session description, to negotiate and modify the parameters of an existing session, and to terminate a multimedia session.
  • SQL — The SQL ALG handles Structured Query Language (SQL) traffic to relational database management systems.
  • SUNRPC — The Sun Remote Procedure Call (SUNRPC) enables a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service’s program number and version number.
  • MGCP — The Media Gateway Control Protocol (MGCP) is supported on security devices in Route, Transparent, and Network Address Translation (NAT) modes. MGCP is a text-based Application Layer protocol used for call setup and control. MGCP is based on a master-slave call control architecture. The media gateway controller (call agent) maintains call control intelligence, while the media gateways carry out instructions from the call agent.
  • PPTP — The Point-to-Point Tunneling Protocol (PPTP) provides IP security at the Network Layer. PPTP consists of a control connection and a data tunnel. The control connection runs over TCP and helps in establishing and disconnecting calls, and the data tunnel handles encapsulated Point-to-Point Protocol (PPP) packets carried over IP.
  • SCTP — The Stream Control Transmission Protocol (SCTP) is an IP transport protocol that exists at the same level as UDP and TCP. SCTP currently provides Transport Layer functions to Internet applications. It provides a reliable transport service that supports data transfer across the network, in sequence and without errors. You can configure the security device to perform stateful inspection on all SCTP traffic without performing deep inspection. If you enable stateful inspection of SCTP traffic, the SCTP ALG drops any anomalous SCTP packets.
  • Apple-iChat Settings — The Apple iChat ALG supports iChat applications by opening pinholes that allow text, audio, and video calls to pass through devices running ScreenOS 6.1 or later. When you enable the Apple iChat ALG, the device opens pinholes for the configured call-answer-time, which is the period during which the pinholes stay open so that the iChat audio/video session can be established. The default call-answer-time is 32 seconds; when this timer expires, the device closes the pinholes. The configurable range for call-answer-time is 20 to 90 seconds. The iChat application fragments the packets it sends based on the maximum segment size (MSS) of the receiver, and the MSS value depends on the receiver's network configuration. Fragmented packets are reassembled at the ALG for address translation. By default, the reassembly option is disabled.
  • IPsec-NAT Settings — You can set the IPsec-NAT timeout used when ESP runs through a dynamic IP (DIP) pool. The default value is 30.
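
To make concrete what "intercepting traffic and allocating resources" means for a signaling ALG, the following Python model is added here as an illustration; it is not ScreenOS code and does not come from Juniper's documentation. It parses the SDP body of a SIP INVITE (the standard session description that SIP carries), opens pinholes for the media endpoints the session negotiates, and expires them after a call-answer window that uses the iChat ALG's default of 32 seconds and its 20 to 90 second range from the list above. The INVITE message is constructed, and the RTCP port-plus-one convention and the default-deny `permitted` check are modeling assumptions, not a description of how the device itself tracks sessions.

```python
"""Toy model of a signaling ALG: learn media endpoints from a SIP INVITE's
SDP body, open pinholes for them, and close them when the call-answer
window expires.  Constructed example, not ScreenOS code."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Values from the Apple iChat ALG description on this page.
DEFAULT_CALL_ANSWER_TIME = 32
CALL_ANSWER_RANGE = (20, 90)


@dataclass(frozen=True)
class Pinhole:
    proto: str
    dst_ip: str
    dst_port: int
    expires_at: float  # absolute time after which the pinhole is closed


def parse_sdp_media(sip_message: str) -> List[Tuple[str, str, int]]:
    """Return (proto, ip, port) for every m= line in the SDP body.

    A session-level c= line (before the first m=) applies to all media
    sections; a c= line inside a media section overrides it for that one.
    """
    _head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep:  # no body, so nothing to learn from
        return []
    session_ip = None
    sections = []  # [m_line, [lines that follow it]]
    for line in body.split("\r\n"):
        if line.startswith("m="):
            sections.append([line, []])
        elif sections:
            sections[-1][1].append(line)
        elif line.startswith("c=IN IP4 "):
            session_ip = line.split()[2]
    result = []
    for m_line, extra in sections:
        m = re.match(r"m=(\w+) (\d+) (\S+)", m_line)
        if not m:
            continue
        ip = session_ip
        for line in extra:
            if line.startswith("c=IN IP4 "):
                ip = line.split()[2]
        if ip is None:  # no usable address: open nothing rather than guess
            continue
        proto = "udp" if m.group(3).upper().startswith("RTP") else "tcp"
        result.append((proto, ip, int(m.group(2))))
    return result


def open_pinholes(sip_message: str, now: float,
                  call_answer_time: int = DEFAULT_CALL_ANSWER_TIME) -> List[Pinhole]:
    """Allocate pinholes for the negotiated media, valid for call_answer_time seconds."""
    lo, hi = CALL_ANSWER_RANGE
    if not lo <= call_answer_time <= hi:
        raise ValueError(f"call-answer-time must be {lo}-{hi} seconds")
    pinholes = []
    for proto, ip, port in parse_sdp_media(sip_message):
        pinholes.append(Pinhole(proto, ip, port, now + call_answer_time))
        if proto == "udp":  # assumption: RTCP on the next port, per convention
            pinholes.append(Pinhole(proto, ip, port + 1, now + call_answer_time))
    return pinholes


def permitted(pinholes: List[Pinhole], proto: str, ip: str, port: int, now: float) -> bool:
    """Default deny: only traffic matching an open, unexpired pinhole passes."""
    return any(p.proto == proto and p.dst_ip == ip and p.dst_port == port
               and now < p.expires_at for p in pinholes)


# Constructed SIP INVITE with an SDP body (RFC 3261 / RFC 4566 syntax).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.11\r\n"
)

if __name__ == "__main__":
    holes = open_pinholes(SAMPLE_INVITE, now=0.0)
    for h in holes:
        print(h)
    print("video RTCP at t=10s:", permitted(holes, "udp", "192.0.2.11", 51373, now=10.0))
    print("video RTCP at t=32s:", permitted(holes, "udp", "192.0.2.11", 51373, now=32.0))
```

Running the block shows four UDP pinholes (audio and video, each with its RTCP port) that admit traffic at 10 seconds and deny it once the 32 second window has elapsed, which is the behaviour the call-answer-time knob controls. Disabling an ALG, as the overview describes, removes this inspection step entirely, so the device no longer learns dynamic ports from the signaling and falls back to whatever static policy exists for the media traffic.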

Published: 2009-08-20