Disable Inspection for Sip ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Disable Inspection for Sip ?

L3 Networker

In the ASA you can disable SIP Policy Inspection. In the Junipers I think you disable the ALG. How do I do this in the Palo Alto ?

Firewalls often try to apply rules around the way protocols work which can cause them to break. I dont want SIP to be inspected or held against some EEE Group Standard. This might be breaking some video conference traffic for us.

Anyone know how to disable this ?

Thanks,

Justin

6 REPLIES 6

L6 Presenter

That is because both Cisco and Juniper have some sort of "proxy lite" feature regarding SIP in order to replace the contents of the packets (so not a true proxy) which often f**k things up rather than fix stuff (the main purpose is to aid use of SIP etc through NAT because SIP will use the data within the payload of where to connect instead of looking at the ip-header).

PaloAlto (as far as I know) doesnt do this so you can either setup your rules such as:

srczone: voipclients

srcip: somerange

srcport: >1023

dstzone: voipservers

dstip: someotherrange

dstport: tcp5060, udp5060 (or whatever you use)

appid: sip

action: allow

or just set the appid to "any" if you doesnt care of which traffic will flow for the particular ports.

Retired Member
Not applicable

Palo Alto can translate IP in SDP header. Basically to avoid any "ALG" type functionality, you can create an app-override rule for your SIP traffic. That will avoid any layer2 inspection of the SIP traffic. Just be sure that you do have security rules for all the necessary protocols and ports to allow the traffic.

-Richard

I have exact the same problem as discribed in https://live.paloaltonetworks.com/message/7760 (but that treat is locked for posting).

Our VoIP provider insists that we disable all "SIP-ALG, SIP-Helper or the like".

I understand that application override can be use to work around this, but can you be more specific on how to accomplish this?

Thanks, Johannes.

Hi

di u resolve your problem if you resolved

how can you do that

thanks alot

L2 Linker

PAN-OS 6.0.x has a feature to disable SIP-ALG. Please refer How to Disable SIP ALG.

PAN-OS 6.0.x has a feature to disable SIP-ALG. Please refer How to Disable SIP ALG.

For prior PAN-OS versions, SIP-ALG can be disabled by configuring an application override policy which will prevent the PA firewall from doing any Layer 7 inspection. So, PA firewall would not open any pinholes. For App override setup, refer How to Create an Application Override Policy

  • 9307 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!