
Understanding ASPF/ALG

Understanding ASPF

Application Specific Packet Filter (ASPF), also called stateful packet filtering, can automatically detect application-layer information of certain packets and create access rules based on application-layer information (generate a server map).

For example, with multi-channel protocols (such as FTP, H.323, and SIP), the address and port of a data channel are negotiated over a control channel, and the data channel is then established based on the negotiation result. Because these values are negotiated dynamically, the administrator cannot predict the address and port of the data channel and therefore cannot configure complete and accurate security policies in advance. To ensure that the data channel can be established, all ports would have to be opened, which exposes the server or client to attack.

After ASPF is enabled, the FW automatically generates a server map from the address and port information carried in the application layer of the negotiation packet, and permits the subsequent packets that establish the data channel. This is equivalent to automatically creating a refined security policy.

Understanding ALG

In NAT scenarios, the Application Level Gateway (ALG) function can automatically detect application-layer information of certain packets, generate corresponding access rules based on the application-layer information (generate a server map), and automatically translate the IP address and port information in packet payloads.

Common NAT translates only the IP address and port in the packet header, not the application-layer data. In many application-layer protocols, the packet payload also carries address or port information; if that data is not translated, subsequent communication may fail.

ALG enables you to create the corresponding access rules based on application-layer information and also to perform NAT on the application-layer data.
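The following is an added example that is not part of the Huawei documentation or of any Huawei product code. It models in Python what the ASPF and ALG sections describe for one multi-channel protocol, FTP: an inspector reads the address and port negotiated on the control channel (the PORT command in active mode, the 227 reply in passive mode) and emits the server-map entry that permits the upcoming data connection. The ALG path performs the same inspection but also rewrites the address inside the payload through a NAT table. The control-channel lines, the NAT table and the ServerMapEntry structure are constructed for illustration and are not the FW's own data structures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample FTP control-channel lines (not taken from the page).
# PORT (active mode): the client names the address/port the server must connect to.
# 227 (passive mode): the server names the address/port the client must connect to.
SAMPLE_CONTROL_LINES = [
    "USER alice",
    "PORT 10,0,0,5,195,80",                            # client 10.0.0.5, port 195*256+80 = 50000
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,39,16)",  # server 203.0.113.10, port 39*256+16 = 10000
]

# Hypothetical NAT table, private address -> public address (constructed).
SAMPLE_NAT_MAP = {"10.0.0.5": "198.51.100.7"}


@dataclass(frozen=True)
class ServerMapEntry:
    """A dynamically created rule that permits one expected data-channel connection."""
    initiator: str                  # side that opens the data channel: "client" or "server"
    dst_ip: str                     # address the initiator will connect to, as it sees it
    dst_port: int
    real_ip: Optional[str] = None   # pre-NAT address the FW must forward to (ALG only)


_HOST_PORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _HOST_PORT + r"\s*$")
_PASV_RE = re.compile(r"^227\s.*\(" + _HOST_PORT + r"\)")


def _decode(match) -> Tuple[str, int]:
    # FTP writes the endpoint as h1,h2,h3,h4,p1,p2 with the port equal to p1*256 + p2.
    fields = [int(g) for g in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in FTP address")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def _encode(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def aspf_inspect(line: str) -> Optional[ServerMapEntry]:
    """ASPF: read the negotiated endpoint from the control channel and return the
    server-map entry that permits the coming data connection; None for other lines."""
    m = _PORT_RE.match(line)
    if m:
        ip, port = _decode(m)
        return ServerMapEntry("server", ip, port)   # server connects back to the client
    m = _PASV_RE.match(line)
    if m:
        ip, port = _decode(m)
        return ServerMapEntry("client", ip, port)   # client connects to the server
    return None


def alg_translate(line: str, nat_map: Dict[str, str]) -> Tuple[str, Optional[ServerMapEntry], int]:
    """ALG: the same inspection as ASPF, plus rewriting of the address carried in the payload.
    Returns (rewritten line, server-map entry, payload length delta). A real implementation
    must compensate the delta in the TCP sequence/ack numbers of that session."""
    entry = aspf_inspect(line)
    if entry is None or entry.dst_ip not in nat_map:
        return line, entry, 0
    public_ip = nat_map[entry.dst_ip]
    new_line = line.replace(_encode(entry.dst_ip, entry.dst_port),
                            _encode(public_ip, entry.dst_port))
    # The peer will connect to the public address; the FW must map it back to the private one.
    entry = ServerMapEntry(entry.initiator, public_ip, entry.dst_port, real_ip=entry.dst_ip)
    return new_line, entry, len(new_line) - len(line)


def build_server_map(lines: List[str], nat_map: Optional[Dict[str, str]] = None) -> List[ServerMapEntry]:
    """Run a whole control-channel transcript through ASPF (nat_map=None) or ALG."""
    entries = []
    for line in lines:
        if nat_map is None:
            entry = aspf_inspect(line)
        else:
            _, entry, _ = alg_translate(line, nat_map)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in build_server_map(SAMPLE_CONTROL_LINES):
        print("ASPF:", e)
    for e in build_server_map(SAMPLE_CONTROL_LINES, SAMPLE_NAT_MAP):
        print("ALG: ", e)
```

Only the two negotiation lines produce entries; the other control-channel traffic is matched by the ordinary session, which is why the dynamically created rules stay narrow instead of opening every port. The length delta returned by the ALG path is the practical caveat: rewriting a dotted address inside a TCP payload changes its size, so the translation is only correct if the gateway also adjusts sequence and acknowledgment numbers for the rest of the session.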

Comparison Between ASPF and ALG

ASPF and ALG use the same configuration and differ only in the way the FW processes packets, which is why they have different names: ASPF applies to non-NAT scenarios, and ALG applies to NAT scenarios.

Table 1 Comparison between ASPF and ALG

Item                                                           | ASPF                                           | ALG
---------------------------------------------------------------|------------------------------------------------|-------------------------------------------
Application scenario                                           | Non-NAT scenario                               | NAT scenario
Whether to modify the application-layer information of packets | Application-layer information is not modified. | Application-layer information is modified.

Copyright © Huawei Technologies Co., Ltd.