Uncommon Port Detector Raising Events on ALG Data Flows

Article ID: 427295

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

ALG is a protocol that negotiates over a standard port (ALG Control) but then sends data over an agreed-upon high-numbered port (ALG Data). The port used for data transfer is different for every ALG connection, so it appears to be a nonstandard port from the perspective of the Uncommon Port Detector.

Environment

SSP 5.1.0 and earlier

Cause

With Uncommon Port Detector enabled and ALG flows occurring in the environment, the Uncommon Port Detector may raise events for these flows. These events can be seen in the Events page of the UI.

To confirm that these flows come from ALG traffic, the user must determine whether the affected VM is using the ALG protocol in their environment.
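One way to triage these events offline, as an added example that is not part of the original article or of SSP: it marks an uncommon-port event as likely ALG Data when the same pair of hosts had an ALG Control session open at the time. The `Flow` record layout, the sample records, the `slack` window and the list of control ports are assumptions made for illustration, not the product's export format.

```python
from dataclasses import dataclass

# Assumed control ports of protocols commonly handled by an ALG; adjust as needed.
ALG_CONTROL_PORTS = {21: "FTP", 69: "TFTP", 111: "SUN RPC",
                     135: "MS RPC", 1521: "Oracle TNS"}

@dataclass(frozen=True)
class Flow:  # hypothetical record layout
    src: str
    dst: str
    dst_port: int
    start: float  # epoch seconds
    end: float

def alg_candidates(events, flows, slack=5.0):
    """Map each uncommon-port event to the ALG protocol whose control
    session covers it, or None when no control session explains it."""
    controls = {}
    for f in flows:
        if f.dst_port in ALG_CONTROL_PORTS:
            # Key on the unordered host pair: the data connection may be
            # opened in either direction (e.g. active vs. passive FTP).
            controls.setdefault(frozenset((f.src, f.dst)), []).append(f)
    result = {}
    for ev in events:
        result[ev] = None
        for c in controls.get(frozenset((ev.src, ev.dst)), []):
            # Data flow must begin while the control session is alive.
            if c.start <= ev.start <= c.end + slack:
                result[ev] = ALG_CONTROL_PORTS[c.dst_port]
                break
    return result

# Constructed sample data.
FLOWS = [Flow("10.0.0.5", "10.0.0.9", 21, 1000, 1060),
         Flow("10.0.0.7", "10.0.0.9", 443, 1000, 1100)]
EVENTS = [Flow("10.0.0.5", "10.0.0.9", 50321, 1010, 1020),  # client to server
          Flow("10.0.0.9", "10.0.0.5", 49877, 1030, 1035),  # server to client
          Flow("10.0.0.7", "10.0.0.9", 50555, 1010, 1020),  # no control session
          Flow("10.0.0.5", "10.0.0.9", 51000, 2000, 2010)]  # control long closed

if __name__ == "__main__":
    for ev, proto in alg_candidates(EVENTS, FLOWS).items():
        print(ev.src, ev.dst, ev.dst_port, proto or "unexplained")
```

A match only indicates that ALG is a plausible explanation for the event; events that come back unexplained should be investigated as usual rather than excluded.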

Resolution

There are three options to mitigate this behavior:

  1. Add the offending computes to the exclusion list. This will exclude them from all Uncommon Port detection, but will still allow the detector to be used on computes not using the ALG protocol.
  2. Disable the Uncommon Port Detector.
  3. Upgrade SSP to version 5.1.1 or greater.