<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic PaloAlto and VCS gateway - H323 / SIP in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-vcs-gateway-h323-sip/m-p/1670#M1231</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Installing a palo on a network with a VCSExpressway (cisco ToIP) module.&lt;/P&gt;&lt;P&gt;After reading other discussions (&lt;A _jive_internal="true" href="https://live.paloaltonetworks.com/message/7757#7757"&gt;https://live.paloaltonetworks.com/message/7757#7757&lt;/A&gt;, &lt;A _jive_internal="true" href="https://live.paloaltonetworks.com/message/12132#12132"&gt;https://live.paloaltonetworks.com/message/12132#12132&lt;/A&gt;), for "full" compatibility between palo and VCS, we have to create an app override to disable the PA's L7 app analysis (for NAT reasons). Cisco's argument is: our VCS knows H323 and SIP perfectly, more than your fw which is just a FW ...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does anybody have feedback about this architecture? What is for you the best practice, disabling L7 on palo or disabling NAT on VCS?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you have created an App override, please can you explain which rule you have created.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thx for your help&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;V.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 19 Sep 2013 09:30:33 GMT</pubDate>
    <dc:creator>VinceM</dc:creator>
    <dc:date>2013-09-19T09:30:33Z</dc:date>
    <item>
      <title>PaloAlto and VCS gateway - H323 / SIP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-vcs-gateway-h323-sip/m-p/1670#M1231</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Installing a palo on a network with a VCSExpressway (cisco ToIP) module.&lt;/P&gt;&lt;P&gt;After reading other discussions (&lt;A _jive_internal="true" href="https://live.paloaltonetworks.com/message/7757#7757"&gt;https://live.paloaltonetworks.com/message/7757#7757&lt;/A&gt;, &lt;A _jive_internal="true" href="https://live.paloaltonetworks.com/message/12132#12132"&gt;https://live.paloaltonetworks.com/message/12132#12132&lt;/A&gt;), for "full" compatibility between palo and VCS, we have to create an app override to disable the PA's L7 app analysis (for NAT reasons). Cisco's argument is: our VCS knows H323 and SIP perfectly, more than your fw which is just a FW ...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does anybody have feedback about this architecture? What is for you the best practice, disabling L7 on palo or disabling NAT on VCS?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you have created an App override, please can you explain which rule you have created.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thx for your help&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;V.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 19 Sep 2013 09:30:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-vcs-gateway-h323-sip/m-p/1670#M1231</guid>
      <dc:creator>VinceM</dc:creator>
      <dc:date>2013-09-19T09:30:33Z</dc:date>
    </item>
    <item>
      <title>Re: PaloAlto and VCS gateway - H323 / SIP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-vcs-gateway-h323-sip/m-p/1671#M1232</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Personally I would go for disabling NAT on the VCS to keep the L7 functionality of your PA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Otherwise you can just place a switch with an ACL that allows certain ports towards your VCS unit which would be far cheaper than having a real FW such as PA to do the same (which is the case if you disable L7 on the PA via app override).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But it also depends on in which order you have connected the devices and such (which flow the packets will take).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 22 Sep 2013 10:41:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-vcs-gateway-h323-sip/m-p/1671#M1232</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2013-09-22T10:41:15Z</dc:date>
    </item>
    <item>
      <title>Re: PaloAlto and VCS gateway - H323 / SIP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-vcs-gateway-h323-sip/m-p/1672#M1233</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;One question on this. If you have the firewall policies configured to allow the SIP traffic just based on ports/services and not based on the application of 'SIP' will you still need an override policy? If the rule is based on strictly ports/services, will the SIP traffic still be analyzed and require an override? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We can see in the logs that it is identified as SIP but the policy is written utilizing only the desired ports. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 10 Apr 2014 21:41:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/paloalto-and-vcs-gateway-h323-sip/m-p/1672#M1233</guid>
      <dc:creator>ttanzi</dc:creator>
      <dc:date>2014-04-10T21:41:45Z</dc:date>
    </item>
  </channel>
</rss>

