https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-alg-application-level-gateway-sip-dissable-just-for-a/m-p/520049#M532 <P>Hello to All,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>From what I read about ALG (<SPAN class="ILfuVd"><SPAN class="hgKElc">Application Level Gateway</SPAN></SPAN>) functions on the Palo Alto Firewalls this function if needed is disabled globaly for the SIP default application or with application overide policy but this will stop the SIP signature matches.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LyaCAE&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LyaCAE&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Is there a way to dissable the SIP ALG&nbsp; function not globally and not and app overide policy? Maybe it is better to create a custom ALG is the option "<STRONG>Continue scanning for other Applications</STRONG>"&nbsp; but if the SIP ALG disabled globally will the "<STRONG>Continue scanning for other Applications</STRONG>"&nbsp; work as how is this different than the real ALG functons in the firewall ?</P> <P><LI-WRAPPER></LI-WRAPPER></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZmCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZmCAK</A> </P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Also I think that custom ports can't be open on the firewall with custom application sifnatures but I could be wrong.</P> Wed, 02 Nov 2022 19:06:39 GMT nikoolayy1 2022-11-02T19:06:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-alg-application-level-gateway-sip-dissable-just-for-a/m-p/520049#M532 <P>Hello to All,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>From what I read about ALG (<SPAN class="ILfuVd"><SPAN class="hgKElc">Application Level Gateway</SPAN></SPAN>) functions on the Palo Alto Firewalls this function if needed is disabled globaly for the SIP default application or with application overide policy but this will stop the SIP signature matches.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LyaCAE&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LyaCAE&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Is there a way to dissable the SIP ALG&nbsp; function not globally and not and app overide policy? Maybe it is better to create a custom ALG is the option "<STRONG>Continue scanning for other Applications</STRONG>"&nbsp; but if the SIP ALG disabled globally will the "<STRONG>Continue scanning for other Applications</STRONG>"&nbsp; work as how is this different than the real ALG functons in the firewall ?</P> <P><LI-WRAPPER></LI-WRAPPER></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZmCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZmCAK</A> </P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Also I think that custom ports can't be open on the firewall with custom application sifnatures but I could be wrong.</P> Wed, 02 Nov 2022 19:06:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-alg-application-level-gateway-sip-dissable-just-for-a/m-p/520049#M532 nikoolayy1 2022-11-02T19:06:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-alg-application-level-gateway-sip-dissable-just-for-a/m-p/520483#M553 <P>I am starting to thing that redirecting a specific traffic to a firewall that is with ALG dissabled could be the best way. With Prisma Access it will be harder as then different tenants will be needed&nbsp; (there can't be more than one device group connected to a Prisma Access tenant) and tenant&nbsp; to tenant routing seems like a nightmare and this is why I opened another question just to check it <A href="https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-routing-between-tenants/m-p/520317" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-routing-between-tenants/m-p/520317</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The option "<STRONG>Continue scanning for other Applications</STRONG>" seems nice in some cases but not this one as from what I think two custom application id's need to be created and you need match something in the packet as the Control Channel App ID can't tell the Data Channel App id which dynamic port needs to be opened like the true ALG functions do and opening all ports with a port range in the Custom App ID Advanced settings is a little risky.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If someone has more knowedge about ALG functios on Palo Alto please share it with me <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 07 Nov 2022 09:51:06 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-alg-application-level-gateway-sip-dissable-just-for-a/m-p/520483#M553 nikoolayy1 2022-11-07T09:51:06Z