- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-02-2022 12:06 PM
Hello to All,
From what I read about ALG (Application Level Gateway) functions on the Palo Alto Firewalls this function if needed is disabled globaly for the SIP default application or with application overide policy but this will stop the SIP signature matches.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK
Is there a way to dissable the SIP ALG function not globally and not and app overide policy? Maybe it is better to create a custom ALG is the option "Continue scanning for other Applications" but if the SIP ALG disabled globally will the "Continue scanning for other Applications" work as how is this different than the real ALG functons in the firewall ?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZmCAK
Also I think that custom ports can't be open on the firewall with custom application sifnatures but I could be wrong.
11-07-2022 01:50 AM - edited 11-07-2022 01:51 AM
I am starting to thing that redirecting a specific traffic to a firewall that is with ALG dissabled could be the best way. With Prisma Access it will be harder as then different tenants will be needed (there can't be more than one device group connected to a Prisma Access tenant) and tenant to tenant routing seems like a nightmare and this is why I opened another question just to check it https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-routing-between-tenants...
The option "Continue scanning for other Applications" seems nice in some cases but not this one as from what I think two custom application id's need to be created and you need match something in the packet as the Control Channel App ID can't tell the Data Channel App id which dynamic port needs to be opened like the true ALG functions do and opening all ports with a port range in the Custom App ID Advanced settings is a little risky.
If someone has more knowedge about ALG functios on Palo Alto please share it with me 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!