Ruijie Firewall (WEB) - Advanced Functions - Application Layer Gateway ALG

Table of contents

Ⅰ Introduction to ALG

Ⅱ  VOIP

Ⅲ VOIP destination mapping



Ⅰ Introduction to ALG

1. Introduction to ALG

 Concept introduction

 Session: records the interaction information of transport-layer packets: source IP address, source port, destination IP address, destination port, protocol type, and the VPN instance to which the source/destination IP address belongs. Packets with the same interaction information belong to one flow.

 Normally one session corresponds to two flows, forward and reverse; each flow is one direction of one session.

 Dynamic channel: when an application-layer protocol packet carries address information, that address information is used to establish a dynamic channel. Subsequent connections that match the address information use the established dynamic channel to transmit data.

 ALG technology implementation principle

 ALG, combined with the NAT feature, supports address translation inside the packet payload; combined with the ASPF feature, it supports dynamic channel detection and application-layer state inspection.

 For multi-channel application protocols, the IP message data payload carries address information. In a NAT networking environment, in order to ensure the correct establishment of subsequent dynamic channels, the addresses in these data payloads also need to be translated.

 The function of ALG is to convert the address in the payload.

 The following uses FTP as an example of how ALG works.

 Schematic diagram of ALG processing of FTP message payload

      As shown in the figure, a host on the private network needs to access an FTP server on the public network. The NAT device is configured with a mapping from the private network address 192.168.0.10 to the public network address 50.10.10.10, so that private network hosts can access the public network. Without ALG processing of the packet payload, when the Port message sent by the private network host reaches the server, the server cannot recognize the private network address carried in the message payload and therefore cannot establish a correct data connection. The FTP connection establishment process with ALG is as follows.

(1) First, a control connection is successfully established between the private network host and the public network FTP server through the TCP three-way handshake.

(2) After the control connection is established, the private network host sends a Port message to the FTP server. The message carries the address and port that the private network host has chosen for the data connection, telling the server to connect to that address and port.

(3) When the Port packet passes through a NAT device that supports ALG, the private network address and port in the packet payload are translated into the corresponding public network address and port: the device translates the private address 192.168.0.10 in the Port message payload into the public address 50.10.10.10, and port 1024 into port 5000.

(4) The public network FTP server receives the Port message, parses its content, and initiates a data connection to destination address 50.10.10.10, port 5000. Because this destination is a public network address, the data connection can be established and the private network host can access the public network server.
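The payload rewrite in step (3), as an added illustration that is not part of the original article: a small Python model of what the FTP ALG does to a PORT command. The NAT address mapping and the public port allocation (1024 to 5000) are taken from the example above; the fixed tables stand in for the device's own NAT state and are assumptions of this example, not device behaviour.

```python
import re

# Constructed NAT state for the example above: private 192.168.0.10 maps to
# public 50.10.10.10, and public port 5000 is allocated for the host's data port 1024.
# A real device picks the port from its own pool; a fixed table stands in for that here.
NAT_ADDR = {"192.168.0.10": "50.10.10.10"}
NAT_PORT = {("192.168.0.10", 1024): 5000}

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(cmd):
    """Decode an FTP PORT command into (ip, port); None if it is not a well-formed PORT."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    return ".".join(str(v) for v in fields[:4]), fields[4] * 256 + fields[5]


def encode_port(ip, port):
    """Encode (ip, port) back into the h1,h2,h3,h4,p1,p2 form used by PORT."""
    return "PORT {},{},{},{},{},{}\r\n".format(*ip.split("."), port // 256, port % 256)


def alg_rewrite(cmd):
    """Translate the address in a PORT payload the way the ALG does.

    Returns (new_cmd, delta, channel): the rewritten command; the change in payload
    length, which the device must compensate in the TCP sequence/ack numbers of the
    control connection; and the dynamic channel the firewall must open for the server's
    inbound data connection, as ((public_ip, public_port), (private_ip, private_port)).
    """
    parsed = parse_port(cmd)
    if parsed is None or parsed[0] not in NAT_ADDR:
        return cmd, 0, None  # not a PORT command, or no NAT for this address: pass through
    ip, port = parsed
    pub_ip = NAT_ADDR[ip]
    pub_port = NAT_PORT.get((ip, port), port)
    new_cmd = encode_port(pub_ip, pub_port)
    return new_cmd, len(new_cmd) - len(cmd), ((pub_ip, pub_port), (ip, port))


if __name__ == "__main__":
    # The Port message from the example: private host 192.168.0.10, data port 1024 (4*256+0).
    print(alg_rewrite("PORT 192,168,0,10,4,0\r\n"))
```

Note that the rewritten command is two bytes longer than the original; this is why an ALG that edits payloads must also track and adjust TCP sequence numbers on the control connection.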

2. Supported protocols

  ALG configuration is supported for the following 20 protocols (protocol 6 = TCP, 17 = UDP).

  No.  Name     Port  Protocol
  1    pptp     1723  6
  2    h323     1720  6
  3    ras      1719  17
  4    tns      1521  6
  5    tftp     69    17
  6    rtsp     554   6
  7    rtsp     7070  6
  8    rtsp     8554  6
  9    ftp      21    6
  10   mms      1863  6
  11   pmap     111   6
  12   pmap     111   17
  13   sip      5060  17
  14   dns-udp  53    17
  15   rsh      514   6
  16   rsh      512   6
  17   dcerpc   135   6
  18   dcerpc   135   17
  19   mgcp     2427  17
  20   mgcp     2727  17

    

3. Configure ALG

       In an environment that relies on ALG, if an ALG-dependent application behaves abnormally, check whether the ALG for it is configured as shown below, and confirm that the protocol name and port are correct.

       View the existing ALG configuration:

       show system session-helper

config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    .......... more
    edit 14
        set name dns-udp
        set port 53
        set protocol 17
    next
    ............. more
    edit 20
        set name mgcp
        set port 2727
        set protocol 17
    next
end

There are 20 entries in the default configuration. To delete the DNS ALG (entry 14), the command is as follows:

config system session-helper
    delete 14
end

4. Add non-standard port ALG

If ALG-dependent services run on non-standard ports in the network, they must be added manually, for example an FTP service on TCP port 2021.

config system session-helper
    edit 21 // The ID must not duplicate an existing entry; "edit 0" also works and the system numbers the entry automatically
        set name ftp
        set port 2021 // Port used by the FTP service
        set protocol 6 // 6 = TCP, 17 = UDP
    next
end
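A helper for the check described above, added here as an illustration and not part of the original article or the firewall's own tooling: it parses `show system session-helper` output in the format shown, rejects duplicate entry IDs, looks up whether an ALG for a given (name, port, protocol) exists, and suggests a free ID for `edit`. The sample config is a constructed excerpt with two entries, not the full default list.

```python
import re

# Constructed excerpt of `show system session-helper` output in the format shown above
# (two entries, not the default list of 20); used as sample input for the functions below.
SAMPLE_CONFIG = """config system session-helper
    edit 9
        set name ftp
        set port 21
        set protocol 6
    next
    edit 21
        set name ftp
        set port 2021
        set protocol 6
    next
end
"""


def parse_session_helpers(text):
    """Return {id: {"name": str, "port": int, "protocol": int}}; reject duplicate ids."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = int(m.group(1))
            if current in entries:
                raise ValueError("duplicate session-helper id %d" % current)
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.fullmatch(r"set (name|port|protocol) (\S+)", line)
            if m:
                key, val = m.groups()
                entries[current][key] = val if key == "name" else int(val)
    return entries


def find_helper(entries, name, port, protocol):
    """Return the id of the ALG entry matching (name, port, protocol), or None if absent."""
    for eid, e in entries.items():
        if (e.get("name"), e.get("port"), e.get("protocol")) == (name, port, protocol):
            return eid
    return None


def next_free_id(entries):
    """Smallest id above all existing ones, safe to use in `edit <id>` when adding an ALG."""
    return max(entries, default=0) + 1
```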


Ⅱ  VOIP

1. Networking requirements

         A company uses a voice system based on the SIP protocol. SIP phones are used inside the enterprise, and the SIP server is located on a node outside the firewall.

         Because SIP carries address information in the message payload, it must be processed by the firewall's ALG; otherwise firewall policies cause problems such as failure to dial or one-way audio.

   

2. Network topology

3. Configuration points

       1. Basic network configuration

       2. Configure VOIP policy

       3. Move the policy (optional)

       4. Configure SIP port (optional)

4. Operation steps

       1. Basic network configuration

        Refer to the Typical Functions of Routing Mode>>Single-line Internet Configuration section.

       2. Configure VOIP policy

        (1) Define address object

         Page: Firewall--Address--Address

   (2) Define the VOIP policy

         Page: Firewall--Policy--Policy

  Enable the UTM function, enable VOIP, and select the default VoIP profile.

       3. Move the policy (optional)

        Move the policy to the appropriate position in the policy list so that it is matched before any policy that would otherwise handle the traffic:

   4. Configure SIP port (optional)

        Most SIP deployments use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP over SSL. If your SIP network uses other ports, the following commands configure the SIP ALG to listen on different TCP, UDP or SSL ports. For example, to change the TCP port to 5064, the UDP port to 5065 and the SSL port to 5066:

           RG-WALL#config system settings
           RG-WALL (settings) #set sip-tcp-port 5064
           RG-WALL (settings) #set sip-udp-port 5065
           RG-WALL (settings) #set sip-ssl-port 5066
           RG-WALL (settings) #end

         The SIP ALG can also be configured with two TCP ports and two UDP ports for SIP sessions. For example, if SIP TCP traffic arrives on ports 5060 and 5064 and SIP UDP traffic on ports 5061 and 5065, the following commands accept SIP traffic on all of these ports:

           RG-WALL#config system settings
           RG-WALL (settings) #set sip-tcp-port 5060 5064
           RG-WALL (settings) #set sip-udp-port 5061 5065
           RG-WALL (settings) #end

 

5. Verification effect

          Use a SIP phone for testing.

6. Precautions

      Q: Why must the UTM function be enabled for VOIP?

       A: The system's own session helper also supports some VoIP ALG functions, but they are basic and suit only simple scenarios. As VoIP scenarios have become more complex, the VoIP profile is now used instead: the VoIP ALG has been made a separate UTM function which, in addition to a complete ALG implementation, also provides security protection for VoIP traffic.


Ⅲ VOIP destination mapping

1. Networking requirements

         A company uses a voice system based on the SIP protocol. SIP phones are used inside the enterprise, and the SIP server 100.1.1.2 is located on a node in the firewall's server zone; it must be mapped to the internal address 192.168.1.2 through a virtual IP mapping.

         Because SIP carries address information in the message payload, it must be processed by the firewall's ALG; otherwise firewall policies cause problems such as failure to dial or one-way audio.

   

2. Network topology

3. Configuration points

       1. Basic network configuration

       2. Configure VOIP policy

       3. Move the policy (optional)

       4. Configure SIP port (optional)

4. Operation steps

       1. Basic network configuration

        Refer to the routing mode - single-line Internet configuration section.

       2. Configure VOIP policy

        (1) Define virtual IP

         Page: Firewall--Virtual IP--Virtual IP

  (2) Define the VOIP policy

         Page: Firewall--Policy--Policy

        Enable the UTM function, enable VOIP, and select the default VoIP profile.

       3. Configure SIP port (optional)

        Most SIP deployments use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP over SSL. If the SIP network uses other ports, the following commands configure the SIP ALG to listen on different TCP, UDP or SSL ports. For example, to change the TCP port to 5064, the UDP port to 5065 and the SSL port to 5066:

         RG-WALL#config system settings
         RG-WALL (settings) #set sip-tcp-port 5064
         RG-WALL (settings) #set sip-udp-port 5065
         RG-WALL (settings) #set sip-ssl-port 5066
         RG-WALL (settings) #end

         The SIP ALG can also be configured with two TCP ports and two UDP ports for SIP sessions. For example, if SIP TCP traffic arrives on ports 5060 and 5064 and SIP UDP traffic on ports 5061 and 5065, the following commands accept SIP traffic on all of these ports:

          RG-WALL#config system settings
          RG-WALL (settings) #set sip-tcp-port 5060 5064
          RG-WALL (settings) #set sip-udp-port 5061 5065
          RG-WALL (settings) #end

   5. Verification effect

          Use a SIP phone for testing.


Origin blog.csdn.net/weixin_57099902/article/details/133349916