About Proxy Policies and ALGs

All WatchGuard policies are important tools for network security, whether they are packet filter policies, proxy policies, or application layer gateways (ALGs). A packet filter examines each packet’s IP and TCP/UDP header, a proxy monitors and scans whole connections, and an ALG provides transparent connection management in addition to proxy functionality. Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.

A proxy policy or ALG opens each packet in sequence, removes the network layer header, and examines the packet’s payload. A proxy then rewrites the network information and sends the packet to its destination, while an ALG restores the original network information and forwards the packet. As a result, a proxy or ALG can find forbidden or malicious content hidden or embedded in the data payload. For example, an SMTP proxy examines all incoming SMTP packets (email) to find forbidden content, such as executable programs or files written in scripting languages. Attackers frequently use these methods to send computer viruses. A proxy or ALG can enforce a policy that forbids these content types, while a packet filter cannot detect the unauthorized content in the packet’s data payload.

If you have purchased and enabled additional subscription services (Gateway AntiVirus, Intrusion Prevention Service, spamBlocker, WebBlocker), WatchGuard proxies can apply these services to network traffic.

Proxy Configuration

Like packet filters, proxy policies include common options to manage network traffic, including traffic management and scheduling features. However, proxy policies also include settings that are related to the specified network protocol. These settings are configured with rulesets, or groups of options that match a specified action. For example, you can configure rulesets to deny traffic from individual users or devices, or allow VoIP (Voice over IP) traffic that matches the codecs you want. When you have set all of the configuration options in a proxy, you can save that set of options as a user-defined proxy action and use it with other proxies.

Fireware XTM supports these proxy policies and ALGs:

About the DNS-Proxy About the POP3-Proxy
About the FTP-Proxy About the SIP-ALG
About the H.323-ALG About the SMTP-Proxy
About the HTTP-Proxy About the TCP-UDP-Proxy
About the HTTPS-Proxy  

See Also

About Policies

Add a Proxy Policy to Your Configuration

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base