Palo Alto ALG (Application Level Gateway) SIP disable just for particular source and destination IP addresses in a Security Policy?

L6 Presenter

Hello to All,

From what I read about ALG (Application Level Gateway) functions on the Palo Alto Firewalls, this function, if needed, is disabled globally for the SIP default application or with an application override policy, but this will stop the SIP signature matches.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-g...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LyaCAE&lang=en_US%E2%80%A...

Is there a way to disable the SIP ALG function not globally and not with an app override policy? Maybe it is better to create a custom ALG with the option "Continue scanning for other Applications", but if the SIP ALG is disabled globally, will "Continue scanning for other Applications" work, and how is this different from the real ALG functions in the firewall?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZmCAK

Also I think that custom ports can't be opened on the firewall with custom application signatures, but I could be wrong.

1 REPLY

L6 Presenter

I am starting to think that redirecting specific traffic to a firewall with ALG disabled could be the best way. With Prisma Access it will be harder, as then different tenants will be needed (there can't be more than one device group connected to a Prisma Access tenant) and tenant-to-tenant routing seems like a nightmare, and this is why I opened another question just to check it https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-routing-between-tenants...

The option "Continue scanning for other Applications" seems nice in some cases but not this one, as from what I think two custom App-IDs need to be created and you need to match something in the packet, as the Control Channel App-ID can't tell the Data Channel App-ID which dynamic port needs to be opened like the true ALG functions do, and opening all ports with a port range in the Custom App-ID Advanced settings is a little risky.

If someone has more knowledge about ALG functions on Palo Alto, please share it with me 🙂
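To make the point in the reply concrete, here is an added example (not from the thread and not Palo Alto code) of what a SIP ALG actually reads out of the control channel: it parses the SDP body of an INVITE, takes the `c=` and `m=` lines, and lists the exact RTP/RTCP pinholes the firewall would need for that one call. A custom App-ID only sees the signature match; it has no way to hand these dynamically negotiated ports to a second "data channel" App-ID, which is why the alternative is a static port range. The SIP message, the addresses (RFC 5737 TEST-NET) and the 16384-32767 range are all constructed for the example; the function names are mine.

```python
"""What a SIP ALG learns from an INVITE, and what a static range opens instead.

Constructed example for illustration; not a Palo Alto implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed SDP body (RFC 4566 style). Note the media-level c= override,
# the explicit a=rtcp: attribute, and a declined (port 0) stream.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.11\r\n"            # media-level c= overrides the session address
    "a=rtcp:51380\r\n"                   # explicit RTCP port instead of RTP+1
    "m=application 0 UDP/BFCP *\r\n"     # port 0: stream declined, no pinhole needed
)

# Constructed SIP INVITE carrying the SDP above (RFC 3261 style, not a real capture).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.test>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.test>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)


@dataclass(frozen=True)
class MediaPinhole:
    media: str        # "audio", "video", ...
    ip: str           # address from the c= line that applies to this m= line
    rtp_port: int
    rtcp_port: int


def split_sip(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, lower-cased header map and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp_media(body: str) -> List[MediaPinhole]:
    """Walk the SDP and resolve each active m= line to (ip, rtp, rtcp)."""
    session_ip: Optional[str] = None
    blocks: List[dict] = []
    for raw in body.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            m = re.fullmatch(r"IN IP[46] ([^\s/]+)(?:/\d+)*", value)
            if not m:
                raise ValueError(f"unparseable c= line: {value}")
            if blocks:
                blocks[-1]["ip"] = m.group(1)   # media-level connection address
            else:
                session_ip = m.group(1)         # session-level default
        elif key == "m":
            m = re.fullmatch(r"(\w+) (\d+)(?:/\d+)? (\S+)(?: .*)?", value)
            if not m:
                raise ValueError(f"unparseable m= line: {value}")
            blocks.append({"media": m.group(1), "port": int(m.group(2)),
                           "ip": None, "rtcp": None})
        elif key == "a" and blocks and value.startswith("rtcp:"):
            blocks[-1]["rtcp"] = int(value[5:].split()[0])
    pinholes: List[MediaPinhole] = []
    for b in blocks:
        if b["port"] == 0:                      # declined stream, nothing to open
            continue
        ip = b["ip"] or session_ip
        if ip is None:
            raise ValueError("m= line with no applicable c= line")
        rtcp = b["rtcp"] if b["rtcp"] is not None else b["port"] + 1  # RFC 3550 default
        pinholes.append(MediaPinhole(b["media"], ip, b["port"], rtcp))
    return pinholes


def required_pinholes(message: str) -> List[Tuple[str, str, int]]:
    """The (proto, ip, port) tuples an ALG would open for this signaling message."""
    _, headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    holes: List[Tuple[str, str, int]] = []
    for p in parse_sdp_media(body):
        holes.append(("udp", p.ip, p.rtp_port))
        holes.append(("udp", p.ip, p.rtcp_port))
    return holes


def static_vs_dynamic(pinholes: List[Tuple[str, str, int]],
                      low: int = 16384, high: int = 32767) -> Tuple[int, int]:
    """Ports a static custom-app range opens vs. ports the ALG actually needed."""
    return (high - low + 1, len(pinholes))


if __name__ == "__main__":
    holes = required_pinholes(SAMPLE_INVITE)
    for proto, ip, port in holes:
        print(f"open {proto} {ip}:{port}")
    print("static range vs ALG:", static_vs_dynamic(holes))
```

Run it as-is: the four pinholes printed are the only ports that call needs, and the final line shows the size of a typical static RTP range next to that number, which is the exposure the reply calls "a little risky".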
