Application Level Gateways

The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application-layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.
  • H.323 (H.225 and H.248) ALG is not supported in gatekeeper routed mode.
  • When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on the SIP applications in use in your environment, the SIP endpoints have NAT intelligence embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the payload is not translated and dynamic pinholes are not opened. See Disable the SIP Application-level Gateway (ALG).
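The pinhole and payload-rewrite behaviour described above, shown for FTP passive mode as an added example (not Palo Alto Networks code and not part of the original page). The function names, the 30-second pinhole lifetime, the server-address check and the sample addresses are assumptions made for illustration.

```python
# Illustrative ALG logic for one FTP passive-mode (227) reply; not vendor code.
import re
import time
from dataclasses import dataclass

# A 227 reply carries the data endpoint as (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(rb"^227 [^(]*\(((?:\d{1,3},){5}\d{1,3})\)")

@dataclass(frozen=True)
class Pinhole:
    client_ip: str     # only the control-session client may use it
    dst_ip: str        # address the client was told to connect to
    dst_port: int
    expires_at: float  # an unused pinhole closes at this time (assumed lifetime)

    def allows(self, src_ip, dst_ip, dst_port, now):
        return ((src_ip, dst_ip, dst_port) == (self.client_ip, self.dst_ip, self.dst_port)
                and now < self.expires_at)

def parse_pasv(line: bytes):
    """Return (ip, port) from a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(b",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def alg_handle_reply(line, client_ip, server_real_ip, server_nat_ip, ttl=30.0, now=None):
    """Process one server control line; return (line_to_forward, Pinhole or None)."""
    now = time.time() if now is None else now
    parsed = parse_pasv(line)
    # Assumed policy: open nothing unless the reply names the control-session
    # server itself, so the payload cannot point the pinhole at another host.
    if parsed is None or parsed[0] != server_real_ip:
        return line, None
    port = parsed[1]
    # NAT rewrite of the payload: advertise the translated address, keep the port.
    fields = server_nat_ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    rewritten = re.sub(rb"\([\d,]+\)", b"(" + ",".join(fields).encode() + b")", line, count=1)
    return rewritten, Pinhole(client_ip, server_nat_ip, port, now + ttl)

if __name__ == "__main__":
    # Constructed sample: server 10.0.0.5 is published as 203.0.113.10
    reply = b"227 Entering Passive Mode (10,0,0,5,195,80).\r\n"
    out, hole = alg_handle_reply(reply, "198.51.100.7", "10.0.0.5", "203.0.113.10", now=1000.0)
    print(out, hole)
```

Because the rewritten address can change the length of the control line, a real ALG also has to adjust TCP sequence numbers for the rest of the session, which this example leaves out.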
The following table lists IPv4, NAT, IPv6, NPTv6 and NAT64 ALGs and indicates with a check mark whether the ALG supports each protocol (such as SIP).
Table columns: App-ID | IPv4 | NAT | IPv6 | NPTv6 | NAT64
Check marks shown in each App-ID row:
  • SIP: 3
  • SCCP: 3
  • MGCP: 2
  • FTP: 4
  • RTSP: 4
  • MySQL: 2
  • Oracle/SQLNet/TNS: 4
  • RPC: 2
  • RSH: 2
  • UNIStim: 2
  • H.225: 2
  • H.248: 2
