troubleshooting:application_problems [IG Manual]

====== Application Support Problems ======

Some applications and protocols you currently use may require some sort of support to be able to work seamlessly behind the firewall. 
If you have trouble making your applications work behind the firewall it is likely that you have to do some change of the configuration in the security profile (**High**, **Low** or **AltConf**) you are using.

The Internet Gate firewall works like a barrier to protect your computer or private network. 
Generally, applications that are initiated from the inside LAN are considered to be less "dangerous" than application attempts that are reaching the Internet Gate from the outside (WAN). 
Consequently, the security profile **High** (and **AltConf**) allows a few applications ("surf", e-mail) to be used from the inside going out, but none at all from the outside. 
The profile **Low** is a bit less strict as it allows //all// applications (using TCP and UDP) started from the inside but still none from the outside. Thus, despite its name, **Low** is still a fairly safe profile.

These are the quite tight settings by factory, and they may be changed as the user opens up "holes" in the firewall, typically port numbers that allow applications to be initiated from the inside, and possibly also servers on the LAN to be accessed from the outside. 
It is good policy to stick to the more strict **High** or **AltConf** profiles, adapting these profiles to ones needs and keep the **Low** as a more open profile that can be switched to temporarily when troubleshooting or when trying to run an application that does not work using **High**. 
Switching between security profiles is quick and easy, using the ''ALT'' frontpanel key.

:!: Opening up the firewall should be done with care.

If you have problems running a application or service behind the firewall:

  - Check if the Internet Gate supports the application or service that you try to run through the firewall. Click here for a list of supported applications. Alternatively, simply browse to the scurity profile page and check if there is a checkbox that corresponds to the application.
  - If not in the list of supported applications, (nor suitable checkbox/fields found on the security profile page), and the application is started from the inside, there may just be a question of one or more TCP/UDP //ports// that needs to be opened up. If so, you could try the following steps:
    - Switch to security level Lo that allows all outgoing traffic
    - Does the application work? If not, it is not just a question of opening any ports from the inside. Consult the application documentation and web resources, or the product support. If it works in **Low**:
      - Use the firewall log, set it in the mode **Show rejected packets**. This is done on the Log configuration page.
      - Try the application again, and soon after, browse to the Firewall log page.
      - Look for packets that are red-marked ''DENY'' and that seems to relate to your application's attempt. Read the port number in the **Dest.** column of the log, and also the protocol name in the **Proto/Type** column (TCP or UDP).
      - Go to the [[web_gui:security_profile#Applications from inside|security profile]] page for the profile you want to use (**High** or **AltConf**) and write the port number in the **Other TCP ports** (or **Other UDP ports**) field under **Applications from inside**.
  - Make sure the Internet Gate supports the application or service that you try to run through the firewall. Click here for a list of supported applications. If your application is not supported, click here for instructions how to manually add support for an application.
  - Make sure support for the application is enabled in the security profile you currently use. Click here for instructions.
  - Check if any new firmware has been released that might have added support for your application