09-19-2013 02:30 AM
Hi all,
Installing a Palo on a network with a VCS Expressway (Cisco ToIP) module.
After reading other discussions (https://live.paloaltonetworks.com/message/7757#7757, https://live.paloaltonetworks.com/message/12132#12132), for "full" compatibility between the Palo and the VCS we have to create an app override to disable the PA's L7 application analysis (for NAT reasons). Cisco's argument is that our VCS knows H.323 and SIP perfectly, better than your firewall, which is just a FW...
Does anybody have feedback about this architecture? What is the best practice for you: disabling L7 on the Palo or disabling NAT on the VCS?
If you have created an app override, can you please explain which rule you created?
Thanks for your help
V.
09-22-2013 03:41 AM
Personally I would go for disabling NAT on the VCS to keep the L7 functionality of your PA.
Otherwise you could just place a switch with an ACL that allows certain ports towards your VCS unit, which would be far cheaper than having a real FW such as a PA do the same (which is the case if you disable L7 on the PA via an app override).
But it also depends on the order in which you have connected the devices and such (which path the packets take).
04-10-2014 02:41 PM
One question on this. If you have the firewall policies configured to allow the SIP traffic based only on ports/services and not on the application 'SIP', will you still need an override policy? If the rule is based strictly on ports/services, will the SIP traffic still be analyzed and require an override?
We can see in the logs that it is identified as SIP, but the policy is written using only the desired ports.
Thanks
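Added illustration (not posted by anyone in this thread, and not vendor documentation): the shape of the application override rule the first post asks about, in PAN-OS set-command form, and how it relates to the question just above. Zone names, the address object for the VCS and the rule names are placeholders; the command syntax and the application names `sip` and `h.323` are written from memory and should be checked against the PAN-OS release in use.

```text
# Hypothetical PAN-OS configuration, not from the original thread.
# An app override rule matches a narrow tuple (zones, addresses, protocol,
# port) and assigns the named application to those sessions without running
# App-ID or the SIP/H.323 ALG on them, so the firewall no longer rewrites
# embedded addresses for NAT on that traffic. Everything that does not match
# the rule keeps full L7 inspection.
# Placeholders: zones "untrust"/"dmz", address object "VCS-Expressway-IP".
configure
set rulebase application-override rules VCS-SIP-UDP-NoALG from untrust to dmz source any destination VCS-Expressway-IP protocol udp port 5060 application sip
set rulebase application-override rules VCS-SIP-TCP-NoALG from untrust to dmz source any destination VCS-Expressway-IP protocol tcp port 5060 application sip
set rulebase application-override rules VCS-H323-NoALG from untrust to dmz source any destination VCS-Expressway-IP protocol tcp port 1720 application h.323
commit
```

On the follow-up question: App-ID classification (and with it the SIP ALG) runs on a session regardless of whether the security rule that allowed it matches on `service`/ports or on the application, which is why the logs still show `sip` for a port-based rule. Only an override of the kind above changes that behaviour, and because it is scoped to the VCS's own zones, address and ports, the loss of L7 inspection that the earlier reply warns about (the firewall doing no more than a port ACL) is confined to exactly that slice of traffic. Verify the behaviour on your release before relying on it.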