About Proxy Policies and ALGs
All WatchGuard policies are important tools for network security, whether they are packet filter policies, proxy policies, or application layer gateways (ALGs). A packet filter examines each packet’s IP and TCP/UDP header, a proxy monitors and scans whole connections, and an ALG provides transparent connection management in addition to proxy functionality. Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use content inspection to make sure that connections are secure.
A proxy policy or ALG opens each packet in sequence, removes the network layer header, and examines the packet’s payload. A proxy then rewrites the network information and sends the packet to its destination, while an ALG restores the original network information and forwards the packet. As a result, a proxy or ALG can find forbidden or malicious content hidden or embedded in the data payload. For example, an SMTP proxy examines all incoming SMTP packets (email) to find forbidden content, such as executable programs or files written in scripting languages. Attackers frequently use these methods to send computer viruses. A proxy or ALG can enforce a policy that forbids these content types, while a packet filter cannot detect the unauthorized content in the packet’s data payload.
If you have purchased and enabled additional subscription services (Gateway AntiVirus, Intrusion Prevention Service, spamBlocker, WebBlocker), WatchGuard proxies can apply these services to network traffic.
Like packet filters, proxy policies include common options to manage network traffic, including traffic management and scheduling features. However, proxy policies also include settings that are related to the specified network protocol. These settings are configured with rulesets, or groups of options that match a specified action. For example, you can configure rulesets to deny traffic from individual users or devices, or allow VoIP (Voice over IP) traffic that matches the codecs you want. When you have set all of the configuration options in a proxy, you can save that set of options as a user-defined proxy action and use it with other proxies.
Firebox supports proxy policies for many common protocols, including DNS, FTP, H.323, HTTP, HTTPS, POP3, SIP, SMTP, and TCP-UDP. For more information on a proxy policy, see the section for that policy.
Firebox supports these proxy policies and ALGs:
|About the DNS-Proxy||About the HTTPS-Proxy|
|About the FTP-Proxy||About the POP3-Proxy|
|About the Explicit Proxy||About the SIP-ALG|
|About the H.323-ALG||About the SMTP-Proxy|
|About the HTTP-Proxy||About the TCP-UDP-Proxy|