L3 Networker

Disable Inspection for Sip ?

In the ASA you can disable SIP Policy Inspection. In the Junipers I think you disable the ALG. How do I do this in the Palo Alto?

Firewalls often try to apply rules around the way protocols work, which can cause them to break. I don't want SIP to be inspected or held against some EEE Group Standard. This might be breaking some video conference traffic for us.

Anyone know how to disable this?

Thanks,

Justin

L6 Presenter

Re: Disable Inspection for Sip ?

That is because both Cisco and Juniper have some sort of "proxy lite" feature regarding SIP in order to replace the contents of the packets (so not a true proxy) which often f**k things up rather than fix stuff (the main purpose is to aid use of SIP etc through NAT because SIP will use the data within the payload of where to connect instead of looking at the ip-header).

PaloAlto (as far as I know) doesn't do this, so you can either set up your rules such as:

srczone: voipclients
srcip: somerange
srcport: >1023
dstzone: voipservers
dstip: someotherrange
dstport: tcp5060, udp5060 (or whatever you use)
appid: sip
action: allow

or just set the appid to "any" if you don't care which traffic will flow for the particular ports.

L5 Sessionator

Re: Disable Inspection for Sip ?

Palo Alto can translate IP in SDP header. Basically to avoid any "ALG" type functionality, you can create an app-override rule for your SIP traffic. That will avoid any layer2 inspection of the SIP traffic. Just be sure that you do have security rules for all the necessary protocols and ports to allow the traffic.

-Richard

L0 Member

Re: Disable Inspection for Sip ?

I have exactly the same problem as described in https://live.paloaltonetworks.com/message/7760 (but that thread is locked for posting).

Our VoIP provider insists that we disable all "SIP-ALG, SIP-Helper or the like".

I understand that application override can be used to work around this, but can you be more specific on how to accomplish this?

Thanks, Johannes.

L3 Networker

Re: Disable Inspection for Sip ?

Hi,

Did you resolve your problem? If you resolved it, how can you do that?

Thanks a lot.

L2 Linker

Re: Disable Inspection for Sip ?

PAN-OS 6.0.x has a feature to disable SIP-ALG. Please refer to How to Disable SIP ALG.

For prior PAN-OS versions, SIP-ALG can be disabled by configuring an application override policy, which will prevent the PA firewall from doing any Layer 7 inspection. So the PA firewall would not open any pinholes. For App override setup, refer to How to Create an Application Override Policy.
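
To see what is at stake when SIP ALG is disabled or bypassed with an application override, the following added example (not from any poster in this thread and not Palo Alto Networks code) parses a SIP INVITE and lists the addresses embedded in the payload, which an ALG would rewrite for NAT, and the media ports, for which it would open pinholes and which then need explicit security rules. The sample message, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed, abridged SIP INVITE with SDP body, as sent by a phone behind NAT.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:alice@192.168.10.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.10.20\r\n"
    "c=IN IP4 192.168.10.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def alg_relevant_fields(message):
    """Return (embedded_addresses, media_ports) found in a SIP/SDP message."""
    head, _, body = message.partition("\r\n\r\n")
    embedded, media = [], []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):          # signalling return addresses
            embedded += [(name, ip) for ip in re.findall(IPV4, line)]
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):       # SDP origin / connection address
            embedded += [(line[:2], ip) for ip in re.findall(IPV4, line)]
        elif line.startswith("m="):             # media stream: kind and RTP port
            kind, port = line[2:].split()[:2]
            media.append((kind, int(port.split("/")[0])))
    return embedded, media


def unroutable_after_nat(embedded):
    """Fields still carrying a private address, which header-only NAT leaves as-is."""
    return [(f, ip) for f, ip in embedded if ipaddress.ip_address(ip).is_private]


if __name__ == "__main__":
    fields, ports = alg_relevant_fields(SAMPLE_INVITE)
    for field, ip in unroutable_after_nat(fields):
        print(f"{field:8} carries private address {ip}")
    for kind, port in ports:
        print(f"{kind} stream needs UDP port {port} permitted by a security rule")
```
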
