For ALG TFTP/FTP or strict TCP traffic that egresses one security zone and ingresses a different security zone, every packet must be forwarded to the CSM for processing. To control this traffic to the CSM, the packets are extracted from the data path and queued into either network security data queues or access security data queues. These queues each contain two further queues: expedited (EXP) queues and best-effort (BE) queues. On the 7705 SAR-8 Shelf V2 and 7705 SAR-18, expedited and best-effort queues are created per adapter card.
For further details about zone configuration and firewall session creation, refer to the 7705 SAR Router Configuration Guide, ‟Configuring Security Parameters”.