The best practice for customers using IPsec/GRE tunnels is to send all ports and protocols through the tunnels. However, some protocols currently cannot be handled properly by the Zscaler nodes. These protocols require an “Application Layer Gateway” feature in order to be handled properly by a firewall.
What is the Application Layer Gateway feature?
Some protocols use separate control and data channels. The control channel carries information about the ephemeral TCP/UDP ports used by the data channel and about the client/server IP addresses. An Application Layer Gateway (ALG) lets a network device inspect the application payload so that it can rewrite the network-layer address information, keep multiple streams/sessions between the same two hosts in sync, or recognize application-specific commands and apply granular security controls to them. ALG support exists for many protocols, including MSRPC, SUNRPC, SQL, SIP, RTSP, H.323, MGCP, SCCP and FTP.
Here is an example of how the ALG feature handles the SIP/H.323 protocols:
SIP/H.323 traffic requires special handling when passing through a Stateful Packet Inspection (SPI) firewall, which needs an ALG to handle these protocols. When a phone starts a call, it opens a connection to the PBX server on UDP port 5060. This is the control connection, used to exchange the audio connection ports between the phone and the PBX. The SPI firewall must intercept this connection, learn the audio ports/IP addresses it carries, and dynamically open the inbound and outbound ports. This is handled by the ALG feature.
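As an added illustration (not part of the original article), the Python below does the part of the SIP ALG's job described above: it reads the SDP offer carried inside a SIP INVITE on the signalling channel and derives the RTP/RTCP pinholes a firewall would have to open. The INVITE, its addresses and its ports are constructed sample values.

```python
import re

# Constructed sample SIP INVITE with an SDP offer (not a captured call). The
# media ports live in the body, so a firewall tracking only the UDP 5060
# signalling flow never sees them; that is the gap the ALG fills.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.25\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.25\r\n"        # session-level connection address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"   # RTP on 49170, RTCP on 49171 by convention
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 0 RTP/AVP 31\r\n"      # port 0 = stream rejected, no pinhole
)
SAMPLE_INVITE = (
    "INVITE sip:bob@pbx.example.test SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

def _conn_ip(sdp_section):
    # Connection address from a c= line, or None if the section has none.
    m = re.search(r"^c=IN IP4 (\S+)", sdp_section, re.M)
    return m.group(1) if m else None

def sip_media_pinholes(message):
    # Return the (ip, port, label) tuples a SIP ALG would open for this message:
    # parse the SDP offer and derive the RTP/RTCP port of every active stream.
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").lower().startswith("application/sdp"):
        return []                                   # no SDP body, nothing to learn
    session, *media = re.split(r"(?=^m=)", body, flags=re.M)
    session_ip = _conn_ip(session)
    pinholes = []
    for section in media:
        fields = section.split("\r\n", 1)[0].split()        # the m= line itself
        kind, port = fields[0][2:], int(fields[1].split("/")[0])
        ip = _conn_ip(section) or session_ip        # media-level c= overrides session
        if port == 0 or ip is None:
            continue
        pinholes.append((ip, port, kind + "/rtp"))
        pinholes.append((ip, port + 1, kind + "/rtcp"))
    return pinholes
```

Without this parsing step, a plain SPI firewall sees only the UDP 5060 flow and blocks the audio on 49170/49171, which is exactly why a bypass is needed where no ALG exists.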
More information about the ALG can be found in the articles below:
How does Zscaler handle traffic that requires the ALG feature?
Currently, Zscaler Cloud Firewall supports the ALG feature for the following two protocols:
ALG support for other protocols is on our roadmap, but protocols for which the ALG feature is not yet implemented on the Zscaler Cloud Firewall (such as active FTP, SIP or VoIP) should currently be bypassed from Zscaler.