https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/724#M566 <HTML><HEAD></HEAD><BODY><P>PAN-OS 6.0.x has a feature to disable SIP-ALG. Please refer <A href="https://live.paloaltonetworks.com/docs/DOC-6214">How to Disable SIP ALG</A>. </P><P></P><P>For prior PAN-OS versions, SIP-ALG can be disabled by configuring an application override policy which will prevent the PA firewall from doing any Layer 7 inspection. So, PA firewall would not open any pinholes. For App override setup, refer <A href="https://live.paloaltonetworks.com/docs/DOC-1071">How to Create an Application Override Policy</A></P></BODY></HTML> Wed, 23 Apr 2014 08:14:55 GMT gchandrasekaran 2014-04-23T08:14:55Z https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/718#M560 <HTML><HEAD></HEAD><BODY><P>In the ASA you can disable SIP Policy Inspection. In the Junipers I think you disable the ALG. How do I do this in the Palo Alto ?</P><P></P><P>Firewalls often try to apply rules around the way protocols work which can cause them to break. I dont want SIP to be inspected or held against some EEE Group Standard. This might be breaking some video conference traffic for us.</P><P></P><P>Anyone know how to disable this ?</P><P></P><P>Thanks,</P><P>Justin</P></BODY></HTML> Wed, 01 Feb 2012 13:18:39 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/718#M560 jhickey 2012-02-01T13:18:39Z https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/719#M561 <HTML><HEAD></HEAD><BODY><P>That is because both Cisco and Juniper have some sort of "proxy lite" feature regarding SIP in order to replace the contents of the packets (so not a true proxy) which often f**k things up rather than fix stuff (the main purpose is to aid use of SIP etc through NAT because SIP will use the data within the payload of where to connect instead of looking at the ip-header).</P><P></P><P>PaloAlto (as far as I know) doesnt do this so you can either setup your rules such as:</P><P></P><P>srczone: voipclients</P><P>srcip: somerange</P><P>srcport: &gt;1023</P><P>dstzone: voipservers</P><P>dstip: someotherrange</P><P>dstport: tcp5060, udp5060 (or whatever you use)</P><P>appid: sip</P><P>action: allow</P><P></P><P>or just set the appid to "any" if you doesnt care of which traffic will flow for the particular ports.</P></BODY></HTML> Wed, 01 Feb 2012 16:14:48 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/719#M561 mikand 2012-02-01T16:14:48Z https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/720#M562 <HTML><HEAD></HEAD><BODY><P>Palo Alto can translate IP in SDP header. Basically to avoid any "ALG" type functionality, you can create an app-override rule for your SIP traffic. That will avoid any layer2 inspection of the SIP traffic. Just be sure that you do have security rules for all the necessary protocols and ports to allow the traffic.</P><P></P><P>-Richard </P></BODY></HTML> Thu, 02 Feb 2012 04:47:51 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/720#M562 Retired Member 2012-02-02T04:47:51Z https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/721#M563 <HTML><HEAD></HEAD><BODY><P><SPAN>I have exact the same problem as discribed in </SPAN><A href="https://live.paloaltonetworks.com/message/7760">https://live.paloaltonetworks.com/message/7760</A><SPAN> (but that treat is locked for posting).</SPAN></P><P>Our VoIP provider insists that we disable all "SIP-ALG, SIP-Helper or the like".</P><P>I understand that application override can be use to work around this, but can you be more specific on how to accomplish this?</P><P></P><P>Thanks, Johannes.</P></BODY></HTML> Tue, 24 Apr 2012 14:19:15 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/721#M563 PAkeeper 2012-04-24T14:19:15Z https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/722#M564 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>di u resolve your problem if you resolved </P><P>how can you do that</P><P></P><P></P><P>thanks alot</P></BODY></HTML> Mon, 25 Jun 2012 00:51:36 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/722#M564 lildeniz 2012-06-25T00:51:36Z https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/723#M565 <HTML><HEAD></HEAD><BODY><P>PAN-OS 6.0.x has a feature to disable SIP-ALG. Please refer <A href="https://live.paloaltonetworks.com/docs/DOC-6214">How to Disable SIP ALG</A>. </P></BODY></HTML> Wed, 23 Apr 2014 08:09:31 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/723#M565 gchandrasekaran 2014-04-23T08:09:31Z https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/724#M566 <HTML><HEAD></HEAD><BODY><P>PAN-OS 6.0.x has a feature to disable SIP-ALG. Please refer <A href="https://live.paloaltonetworks.com/docs/DOC-6214">How to Disable SIP ALG</A>. </P><P></P><P>For prior PAN-OS versions, SIP-ALG can be disabled by configuring an application override policy which will prevent the PA firewall from doing any Layer 7 inspection. So, PA firewall would not open any pinholes. For App override setup, refer <A href="https://live.paloaltonetworks.com/docs/DOC-1071">How to Create an Application Override Policy</A></P></BODY></HTML> Wed, 23 Apr 2014 08:14:55 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-inspection-for-sip/m-p/724#M566 gchandrasekaran 2014-04-23T08:14:55Z