diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i
new file mode 100644
index 000000000..f891225e0
--- /dev/null
+++ b/interface-definitions/include/conntrack-module-disable.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from conntrack-module-disable.xml.i -->
+<leafNode name="disable">
+  <properties>
+    <help>Disable connection tracking helper</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 07a2c401d..fa73df3db 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -1,285 +1,348 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
   <node name="system">
     <children>
       <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py">
         <properties>
           <help>Connection Tracking Engine Options</help>
           <!-- Before NAT and conntrack-sync are configured -->
           <priority>218</priority>
         </properties>
         <children>
           <leafNode name="expect-table-size">
             <properties>
               <help>Size of connection tracking expect table</help>
               <valueHelp>
                 <format>u32:1-50000000</format>
                 <description>Number of entries allowed in connection tracking expect table</description>
               </valueHelp>
               <constraint>
                 <validator name="numeric" argument="--range 1-50000000"/>
               </constraint>
             </properties>
             <defaultValue>2048</defaultValue>
           </leafNode>
           <leafNode name="hash-size">
             <properties>
               <help>Hash size for connection tracking table</help>
               <valueHelp>
                 <format>u32:1-50000000</format>
                 <description>Size of hash to use for connection tracking table</description>
               </valueHelp>
               <constraint>
                 <validator name="numeric" argument="--range 1-50000000"/>
               </constraint>
             </properties>
             <defaultValue>32768</defaultValue>
           </leafNode>
+          <node name="modules">
+            <properties>
+              <help>Connection tracking modules settings</help>
+            </properties>
+            <children>
+              <node name="ftp">
+                <properties>
+                  <help>FTP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="h323">
+                <properties>
+                  <help>H.323 connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="nfs">
+                <properties>
+                  <help>NFS connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="pptp">
+                <properties>
+                  <help>PPTP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="sip">
+                <properties>
+                  <help>SIP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="sqlnet">
+                <properties>
+                  <help>SQLnet connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+              <node name="tftp">
+                <properties>
+                  <help>TFTP connection tracking settings</help>
+                </properties>
+                <children>
+                  #include <include/conntrack-module-disable.xml.i>
+                </children>
+              </node>
+            </children>
+          </node>
           <leafNode name="table-size">
             <properties>
               <help>Size of connection tracking table</help>
               <valueHelp>
                 <format>u32:1-50000000</format>
                 <description>Number of entries allowed in connection tracking table</description>
               </valueHelp>
               <constraint>
                 <validator name="numeric" argument="--range 1-50000000"/>
               </constraint>
             </properties>
             <defaultValue>262144</defaultValue>
           </leafNode>
           <node name="tcp">
             <properties>
               <help>TCP options</help>
             </properties>
             <children>
               <leafNode name="half-open-connections">
                 <properties>
                   <help>Maximum number of TCP half-open connections</help>
                   <valueHelp>
                     <format>u32:1-2147483647</format>
                     <description>Generic connection timeout in seconds</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 1-2147483647"/>
                   </constraint>
                 </properties>
                 <defaultValue>512</defaultValue>
               </leafNode>
               <leafNode name="loose">
                 <properties>
                   <help>Policy to track previously established connections</help>
                   <completionHelp>
                     <list>enable disable</list>
                   </completionHelp>
                   <valueHelp>
                     <format>enable</format>
                     <description>Allow tracking of previously established connections</description>
                   </valueHelp>
                   <valueHelp>
                     <format>disable</format>
                     <description>Do not allow tracking of previously established connections</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(enable|disable)$</regex>
                   </constraint>
                 </properties>
                 <defaultValue>enable</defaultValue>
               </leafNode>
               <leafNode name="max-retrans">
                 <properties>
                   <help>TCP maximum retransmit attempts</help>
                   <valueHelp>
                     <format>u32:1-2147483647</format>
                     <description>Generic connection timeout in seconds</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 1-2147483647"/>
                   </constraint>
                 </properties>
                 <defaultValue>3</defaultValue>
               </leafNode>
             </children>
           </node>
           <node name="timeout">
             <properties>
               <help>Connection timeout options</help>
             </properties>
             <children>
               <leafNode name="icmp">
                 <properties>
                   <help>ICMP timeout in seconds</help>
                   <valueHelp>
                     <format>u32:1-21474836</format>
                     <description>ICMP timeout in seconds</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 1-21474836"/>
                   </constraint>
                 </properties>
                 <defaultValue>30</defaultValue>
               </leafNode>
               <leafNode name="other">
                 <properties>
                   <help>Generic connection timeout in seconds</help>
                   <valueHelp>
                     <format>u32:1-21474836</format>
                     <description>Generic connection timeout in seconds</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 1-21474836"/>
                   </constraint>
                 </properties>
                 <defaultValue>600</defaultValue>
               </leafNode>
               <node name="tcp">
                 <properties>
                   <help>TCP connection timeout options</help>
                 </properties>
                 <children>
                   <leafNode name="close-wait">
                     <properties>
                       <help>TCP CLOSE-WAIT timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP CLOSE-WAIT timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>60</defaultValue>
                   </leafNode>
                   <leafNode name="close">
                     <properties>
                       <help>TCP CLOSE timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP CLOSE timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>10</defaultValue>
                   </leafNode>
                   <leafNode name="established">
                     <properties>
                       <help>TCP ESTABLISHED timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP ESTABLISHED timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>432000</defaultValue>
                   </leafNode>
                   <leafNode name="fin-wait">
                     <properties>
                       <help>TCP FIN-WAIT timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP FIN-WAIT timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>120</defaultValue>
                   </leafNode>
                   <leafNode name="last-ack">
                     <properties>
                       <help>TCP LAST-ACK timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP LAST-ACK timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>30</defaultValue>
                   </leafNode>
                   <leafNode name="syn-recv">
                     <properties>
                       <help>TCP SYN-RECEIVED timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP SYN-RECEIVED timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>60</defaultValue>
                   </leafNode>
                   <leafNode name="syn-sent">
                     <properties>
                       <help>TCP SYN-SENT timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP SYN-SENT timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>120</defaultValue>
                   </leafNode>
                   <leafNode name="time-wait">
                     <properties>
                       <help>TCP TIME-WAIT timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>TCP TIME-WAIT timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>120</defaultValue>
                   </leafNode>
                 </children>
               </node>
               <node name="udp">
                 <properties>
                   <help>UDP timeout options</help>
                 </properties>
                 <children>
                   <leafNode name="other">
                     <properties>
                       <help>UDP generic timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>UDP generic timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>30</defaultValue>
                   </leafNode>
                   <leafNode name="stream">
                     <properties>
                       <help>UDP stream timeout in seconds</help>
                       <valueHelp>
                         <format>u32:1-21474836</format>
                         <description>UDP stream timeout in seconds</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 1-21474836"/>
                       </constraint>
                     </properties>
                     <defaultValue>180</defaultValue>
                   </leafNode>
                 </children>
               </node>
             </children>
           </node>
         </children>
       </node>
     </children>
   </node>
 </interfaceDefinition>
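Review bot: The help strings under the new `modules` node do not say that each helper is active unless `disable` is set, which is what `apply()` in conntrack.py does when the leaf is absent (it runs `modprobe` or inserts the `CT --helper` rule). Connection tracking helpers parse application payload and create expectations for related connections, so an operator reducing the exposed surface needs to see that default from the CLI help. Suggest wording such as `<help>FTP connection tracking settings (helper is enabled unless disabled here)</help>` for each of the seven nodes, or stating it once in the `modules` help.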
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index e834231cf..4e6e39c0f 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -1,83 +1,140 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
+
 from sys import exit
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.util import cmd
 from vyos.util import run
 from vyos.util import process_named_running
+from vyos.util import dict_search
 from vyos.template import render
 from vyos.xml import defaults
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
 conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
 sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
 
+# Every ALG (Application Layer Gateway) consists of either a Kernel Object
+# also called a Kernel Module/Driver or some rules present in iptables
+module_map = {
+    'ftp' : {
+        'ko' : ['nf_nat_ftp', 'nf_conntrack_ftp'],
+    },
+    'h323' : {
+        'ko' : ['nf_nat_h323', 'nf_conntrack_h323'],
+    },
+    'nfs' : {
+        'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 111 --jump CT --helper rpc',
+                      'VYATTA_CT_HELPER --table raw --proto udp --dport 111 --jump CT --helper rpc'],
+    },
+    'pptp' : {
+        'ko' : ['nf_nat_pptp', 'nf_conntrack_pptp'],
+     },
+    'sip' : {
+        'ko' : ['nf_nat_sip', 'nf_conntrack_sip'],
+     },
+    'sqlnet' : {
+        'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 1521 --jump CT --helper tns',
+                      'VYATTA_CT_HELPER --table raw --proto tcp --dport 1525 --jump CT --helper tns',
+                      'VYATTA_CT_HELPER --table raw --proto tcp --dport 1536 --jump CT --helper tns'],
+    },
+    'tftp' : {
+        'ko' : ['nf_nat_tftp', 'nf_conntrack_tftp'],
+     },
+}
+
 def resync_conntrackd():
     tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py')
     if tmp > 0:
         print('ERROR: error restarting conntrackd!')
 
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
     base = ['system', 'conntrack']
 
     conntrack = conf.get_config_dict(base, key_mangling=('-', '_'),
                                      get_first_key=True)
 
     # We have gathered the dict representation of the CLI, but there are default
     # options which we need to update into the dictionary retrived.
     default_values = defaults(base)
     conntrack = dict_merge(default_values, conntrack)
 
     return conntrack
 
 def verify(conntrack):
     return None
 
 def generate(conntrack):
     render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.tmpl', conntrack)
     render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack)
 
     return None
 
 def apply(conntrack):
+    # Depending on the enable/disable state of the ALG (Application Layer Gateway)
+    # modules we need to either insmod or rmmod the helpers.
+    for module, module_config in module_map.items():
+        if dict_search(f'modules.{module}.disable', conntrack) != None:
+            if 'ko' in module_config:
+                for mod in module_config['ko']:
+                    # Only remove the module if it's loaded
+                    if os.path.exists(f'/sys/module/{mod}'):
+                        cmd(f'rmmod {mod}')
+            if 'iptables' in module_config:
+                for rule in module_config['iptables']:
+                    print(f'iptables --delete {rule}')
+                    cmd(f'iptables --delete {rule}')
+        else:
+            if 'ko' in module_config:
+                for mod in module_config['ko']:
+                    cmd(f'modprobe {mod}')
+            if 'iptables' in module_config:
+                for rule in module_config['iptables']:
+                    # Only install iptables rule if it does not exist
+                    tmp = run(f'iptables --check {rule}')
+                    if tmp > 0:
+                        cmd(f'iptables --insert {rule}')
+
+
     if process_named_running('conntrackd'):
         # Reload conntrack-sync daemon to fetch new sysctl values
         resync_conntrackd()
 
     # We silently ignore all errors
     # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080
     cmd(f'sysctl -f {sysctl_file}')
 
     return None
 
 if __name__ == '__main__':
     try:
         c = get_config()
         verify(c)
         generate(c)
         apply(c)
     except ConfigError as e:
         print(e)
         exit(1)
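Review bot: The disable branch of `apply()` runs `cmd(f'iptables --delete {rule}')` without first checking that the rule exists, while the enable branch guards its insert with `iptables --check`. Once the rule is gone, every later commit under `system conntrack` with `nfs` or `sqlnet` still disabled repeats the delete; if `cmd` raises on a non-zero exit (which the `except ConfigError` in `__main__` would not catch), the commit aborts with the remaining helpers only partly applied. Guard the delete the same way, `if run(f'iptables --check {rule}') == 0:` followed by `cmd(f'iptables --delete {rule}')`, and drop the leftover `print(f'iptables --delete {rule}')` debug line. The `rmmod` path has a similar gap, since the `/sys/module/{mod}` check does not cover a module that is loaded but still in use, so a helper the operator asked to disable may stay active without a clear message. Separately, `!= None` should be `is not None`.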