Security Gateway Discussions
Posts: 1
Joined: 09 Nov 2017, 16:40


Post by Shrike » 09 Nov 2017, 17:16

I just figured out that since firmware version 11.0x (where x may be 3, I just can't remember now) the way ALGs are used has changed.
I updated from 11.0 to 11.20 and then 12 in the last weeks, and lately I was seeing a lot of users opening pages that were blacklisted and I couldn't understand how. So I started investigating and found out this news.

To make it short, all my ip_policy rules started to ignore the ALGs I have been using for years.
To make them work now, I have to use ip_rules instead. Is that right?
Why? :D

But with ip_rules I can't set it to allow unknown protocols over HTTP, and I have seen that software like Skype and TeamViewer doesn't work anymore without this option, at least without setting a specific port (as they try to go over 80 and 443 but with non-standard HTTP protocols), and that is extremely annoying.

How do you manage this?

I'm forced to make 2 rules for every action now: one ip_policy for HTTP/HTTPS web rules, with web_control active for the site blacklist and web content filtering, and one ip_rule with a connected ALG for all other ports/protocols.

Sorry for the bad English.

Posts: 41
Joined: 24 Oct 2016, 08:23

Re: ALGs

Post by mape » 10 Nov 2017, 07:28


If you want to use the ALG objects, you have to use the IP Rules.

If you want to use IP Policies but still have the ALG features, you have to use the Profiles.
Profiles on IP Policies are the equivalent of using ALGs on IP Rules.

What you need to make sure of when using Profiles is that the selected Service has the "Protocol" selected.

Mattias P.
