In the ASA you can disable SIP Policy Inspection. In the Junipers I think you disable the ALG. How do I do this in the Palo Alto?
Firewalls often try to apply rules around the way protocols work which can cause them to break. I don't want SIP to be inspected or held against some EEE Group Standard. This might be breaking some video conference traffic for us.
Anyone know how to disable this?
That is because both Cisco and Juniper have some sort of "proxy lite" feature regarding SIP in order to replace the contents of the packets (so not a true proxy) which often f**k things up rather than fix stuff (the main purpose is to aid use of SIP etc through NAT because SIP will use the data within the payload of where to connect instead of looking at the ip-header).
PaloAlto (as far as I know) doesn't do this so you can either setup your rules such as:
dstport: tcp5060, udp5060 (or whatever you use)
or just set the appid to "any" if you don't care which traffic will flow for the particular ports.
Palo Alto can translate IP in SDP header. Basically to avoid any "ALG" type functionality, you can create an app-override rule for your SIP traffic. That will avoid any layer2 inspection of the SIP traffic. Just be sure that you do have security rules for all the necessary protocols and ports to allow the traffic.
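To make concrete what the "ALG"/"proxy lite" behaviour described in the replies above actually changes, here is an added illustration (not code from the thread or from any vendor) of what a SIP ALG does to an outbound INVITE from a phone behind NAT: it rewrites the private address in the Via/Contact headers and in the SDP body, recalculates Content-Length, and opens media pinholes for the ports announced in the m= line. The SIP message, the private address 192.168.1.20 and the public address 203.0.113.5 are constructed sample values.

```python
import re

# Constructed sample INVITE as sent by a phone on a private LAN, before any
# firewall rewriting. Content-Length matches the SDP body exactly.
SAMPLE_INVITE = (
    "INVITE sip:bob@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@192.168.1.20>;tag=1928\r\n"
    "To: <sip:bob@203.0.113.10>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 86\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

def alg_rewrite(msg, inside_ip, outside_ip):
    """Mimic a SIP ALG on the outbound path (simplified, assumed behaviour):
    substitute the NAT public address for the private one in the headers and
    the SDP body, fix Content-Length, and return the pinholes the firewall
    would open for the media ports announced in each m= line (RTP port and
    the RTCP port next to it)."""
    head, _, body = msg.partition("\r\n\r\n")
    head = head.replace(inside_ip, outside_ip)   # Via, From, Contact
    body = body.replace(inside_ip, outside_ip)   # SDP o= and c= lines
    head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body)}", head)
    pinholes = []
    for port in re.findall(r"^m=\w+ (\d+)", body, re.M):
        p = int(port)
        pinholes += [("udp", outside_ip, p), ("udp", outside_ip, p + 1)]
    return head + "\r\n\r\n" + body, pinholes

def sdp_connection_ip(msg):
    """Return the address in the SDP c= line, i.e. where media will be sent."""
    m = re.search(r"^c=IN IP4 (\S+)", msg.partition("\r\n\r\n")[2], re.M)
    return m.group(1) if m else None

def content_length_ok(msg):
    """True when the Content-Length header matches the actual body length."""
    head, _, body = msg.partition("\r\n\r\n")
    m = re.search(r"Content-Length: (\d+)", head)
    return bool(m) and int(m.group(1)) == len(body)
```

With the ALG disabled (application override or the PAN-OS 6.0 setting discussed later in the thread), none of this rewriting happens and the endpoint or SBC has to handle NAT traversal itself.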
I have exactly the same problem as described in https://live.paloaltonetworks.com/message/7760 (but that thread is locked for posting).
Our VoIP provider insists that we disable all "SIP-ALG, SIP-Helper or the like".
I understand that application override can be used to work around this, but can you be more specific on how to accomplish this?
PAN-OS 6.0.x has a feature to disable SIP-ALG. Please refer to How to Disable SIP ALG.
For prior PAN-OS versions, SIP-ALG can be disabled by configuring an application override policy which will prevent the PA firewall from doing any Layer 7 inspection. So, the PA firewall would not open any pinholes. For App override setup, refer to How to Create an Application Override Policy.