How to Disable SIP ALG

by rvanderveken on 11-15-2013 04:34 AM - edited on 12-19-2016 01:19 PM by (38,768 Views)

Overview

The ability to disable SIP ALG was introduced in PAN-OS 6.0.

SIP ALG performs NAT on the payload and opens dynamic pinholes for media ports. This may cause issues for some SIP implementations. This document describes how to disable SIP ALG.

Note: The option to disable SIP ALG is available on the Palo Alto Networks firewall and is a device-wide option. This feature is not supported on Panorama.

 

Steps

In the WebGUI

Disabling this feature will prevent the firewall from translating the payload.

  1. Go to Objects > Applications and search for the SIP application.
  2. Open the SIP application. The ALG setting can be seen in the Options section at the lower right area of the display.
  3. Click Customize to bring up the settings dialog and check Disable ALG.

 

On the CLI

Use the following command to disable the SIP ALG (set alg-disabled to yes to disable the ALG, or to no to re-enable it):

> configure
# set shared alg-override application sip alg-disabled yes|no

 

If issues still occur with SIP after disabling the ALG, set up packet capture filters and run the following CLI commands to gather additional information:

> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature ctd basic
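
The two ALG functions named in the Overview, payload NAT and media pinholes, can be checked against a SIP message taken from a packet capture. The Python sketch below is an added example, not Palo Alto Networks code: it lists RFC 1918 addresses still present in the Via, Contact and SDP o=/c= fields, and the media ports offered in m= lines. The sample INVITE, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed, abridged INVITE as it could look in a capture with the ALG disabled.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.25:5060;branch=z9hG4bK776asdhds",
    "Contact: <sip:alice@192.168.10.25:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.10.25",
    "c=IN IP4 192.168.10.25",
    "m=audio 49170 RTP/AVP 0",
    "",
])

def private_addrs(text):
    """Return the RFC 1918 IPv4 addresses found in a header value or SDP field."""
    out = []
    for token in IPV4.findall(text):
        try:
            if any(ipaddress.ip_address(token) in net for net in RFC1918):
                out.append(token)
        except ValueError:  # dotted number that is not a valid address, e.g. 999.1.1.1
            pass
    return out

def inspect_sip(message):
    """Report private addresses left in the payload and the media ports offered."""
    head, _, sdp = message.partition("\r\n\r\n")
    report = {"untranslated": [], "media_ports": []}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v", "contact", "m"):  # long and compact header forms
            report["untranslated"] += [(name.strip(), a) for a in private_addrs(value)]
    for line in sdp.splitlines():
        kind, _, value = line.partition("=")
        if kind in ("o", "c"):  # session origin and connection address
            report["untranslated"] += [(kind + "=", a) for a in private_addrs(value)]
        elif kind == "m" and len(value.split()) >= 2:  # m=<media> <port>[/<count>] ...
            media, port = value.split()[:2]
            report["media_ports"].append((media, int(port.split("/")[0])))
    return report
```

Private addresses reported for a message captured on the untrusted side mean the payload was not translated, which is the expected result once the ALG is disabled. The media ports listed are the ones the ALG would otherwise have opened pinholes for.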

 

Note: Not all phone system implementations use the SIP application. In some cases, vendors like Cisco will use applications such as RTP and RTCP. In these cases, if the phones are experiencing issues it might be necessary to perform an application override for the specific phone traffic.

 

For more information, see How to Create an Application Override.

 

owner: rvanderveken

Comments
by gejack
on 02-18-2014 03:42 AM

I do not get this SIP ALG customization option on PA500 6.0.0?

by rvanderveken
on 02-27-2014 11:52 PM

Do you have superuser rights? If you are still unable to change it using superuser rights, please open a ticket with TAC.

by JohnSilvia
on 03-27-2015 11:26 AM

You can't set this in Panorama - it's done on the local devices themselves.

by David_Jackson
on 01-11-2016 03:50 PM

To the best of my knowledge, Polycom is the ONLY system to use SIP ALG because they refuse to embrace STUN, the industry standard. If you're having phones report as SIP peers with their private/internal IP address instead of their external/public address, (for example, on an Asterisk PBX, Reports>Asterisk Info>Peers), either STUN needs to be turned on in the phones and SIP ALG turned off in the firewall, or the opposite, depending on whether or not you have Polycom phones. You'll never have both enabled at the same time.

by dwedin
on 06-05-2016 12:32 AM

It solved my issue with PA200 running 7.1.2 and IP Phone from Bahnhof. The phone used is a Siemens Gigaset C530 IP. Thanks!

by MMCiobanu
on 11-28-2016 10:49 AM

Is there a way to automate this to be applied on multiple firewalls at once? It cannot be done from Panorama.

by Infra_DKI
on 11-10-2017 05:27 AM

Very useful.

That corrected some issues with my CISCO VCS Control.
