An application proxy (sometimes called an application-level gateway, or ALG) often acts as a middle layer between users and the services they reach. These proxy applications run on top of the firewall. Users connect to the gateway with applications such as Telnet, FTP, or a web client; they are prompted for the resource they want to access and are asked to validate their credentials. After successful authentication, the gateway establishes its own connection to the remote application and relays data between that application and the end user. Because application gateways are application aware, they are straightforward to manage from a gateway administration point of view. In a typical firewall, by contrast, ports are simply open or closed, and policies are defined by the administrator at that level.
In the following diagram, Tom is authenticated against the rule configured on the ALG firewall, which allows him to access an application running on 20.20.20.1. All other connections are denied:
![](assets/80c1f1f8-9bc8-43a8-8e17-b1158088d634.png)
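The flow in the diagram, as an added example that is not part of the original text: an in-memory gateway that authenticates the user, applies a default-deny rule table (Tom may reach the application on 20.20.20.1), and only then opens its own connection to the remote application. The user name, password, Telnet port, and `backend` callable are constructed assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    user: str          # authenticated principal
    app: str           # application the proxy understands (telnet, ftp, http)
    dest_host: str     # remote application the user may reach
    dest_port: int

class ApplicationGateway:
    """Authenticate the user, then allow only connections matched by a rule."""
    ITERATIONS = 100_000

    def __init__(self, rules):
        self._rules = set(rules)
        self._creds = {}   # user -> (salt, PBKDF2 digest); constructed credential store
        self.audit = []    # every decision, as a real ALG would log it

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._digest(password, salt))

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def authenticate(self, user, password):
        # Always derive the digest so unknown users cost the same time as known ones.
        salt, stored = self._creds.get(user, (b"", b""))
        ok = hmac.compare_digest(stored, self._digest(password, salt)) and user in self._creds
        self.audit.append(("auth", user, ok))
        return ok

    def authorize(self, user, app, host, port):
        ok = Rule(user, app, host, port) in self._rules   # default deny: no rule, no access
        self.audit.append(("rule", user, app, host, port, ok))
        return ok

    def connect(self, user, password, app, host, port, backend):
        """backend(host, port) is the gateway's own connection to the remote application."""
        if not self.authenticate(user, password):
            return "DENIED: authentication failed"
        if not self.authorize(user, app, host, port):
            return f"DENIED: no rule for {user} -> {app}://{host}:{port}"
        return backend(host, port)          # relay data between user and application

def demo():
    gw = ApplicationGateway([Rule("tom", "telnet", "20.20.20.1", 23)])
    gw.add_user("tom", "correct horse")    # constructed credential
    fake_backend = lambda host, port: f"RELAYING to {host}:{port}"
    return (gw.connect("tom", "correct horse", "telnet", "20.20.20.1", 23, fake_backend),
            gw.connect("tom", "correct horse", "telnet", "30.30.30.1", 23, fake_backend),
            gw.connect("alice", "guess", "telnet", "20.20.20.1", 23, fake_backend))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```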
One of the biggest limitations of an application gateway is that it requires a separate proxy application for each network service, so you must check with the firewall vendor which services are supported. Another disadvantage of an ALG is the additional processing overhead on each connection.