Configuring H.323 ALG (NSM Procedure)

The H.323 standard is a legacy VoIP protocol defined by the ITU-T. H.323 consists of a suite of protocols (such as H.225.0 and H.245) that are used for call signaling and call control for VoIP.

To configure H.323 ALG:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure H.323 ALG.
  3. Click the Configuration tab. In the configuration tree, select Security > Alg > H323.
  4. Add or modify settings as specified in Table 221.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 221: H.323 ALG Configuration Details



Your Action

Endpoint Registration Timeout

Controls how long entries remain in the NAT table.

Enter a value between 10 and 50,000 seconds.

Media Source Port Any

Allows media traffic from any port number. By default, this feature is disabled. When disabled, the device allows a temporary opening, or pinhole, in the firewall as needed for media traffic.

Select this option to enable traffic from any port number.


Limits the rate per second at which RAS requests to the gatekeeper are processed. Messages exceeding the threshold are dropped. This feature is disabled by default.

Enter the value for the message flood gatekeeper threshold.

Permit NAT Applied

Specifies how unidentified H.323 messages are handled by the device. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown H.323 (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select this option to permit unidentified H.323 messages. By default, unknown (unsupported) messages are dropped.

Permit Routed

Specifies that unknown messages be allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)

Select this option.

Related Documentation