- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-27-2020 02:24 PM
Specifically, why can't we disable the SIP ALG in Panorama, in order to push that out to the firewalls? Even more specifically, why isn't that option available in the Panorama GUI?
It's a real pain having to manually change that on each individual firewall, and commit the change locally, instead of setting it once in a Device Group and having it inherited by all the firewalls.
Panorama 8.1.9-h4 and PanOS 8.1.12 on the firewalls.
01-28-2020 12:58 AM
Hi @fjwcash ,
Good catch ... I haven't noticed that before.
I found that there's already a feature request for it.
Please reach out to your local SE and have him add your vote.
FR ID: 4081
Cheers !
-Kiwi.
01-28-2020 12:58 AM
Hi @fjwcash ,
Good catch ... I haven't noticed that before.
I found that there's already a feature request for it.
Please reach out to your local SE and have him add your vote.
FR ID: 4081
Cheers !
-Kiwi.
01-28-2020 09:01 AM
Thanks! I've reached out to cast our vote. Let's see what comes of it. 😄
04-21-2021 08:49 PM
Oh boy. I'm in need of disabling it on all firewalls this exact moment and just realized you can't do it from Panorama. Why is this even a feature request and not an automatic bug that needed fixing last year?
09-21-2021 08:46 AM
I would like to add, how can this be done in a Prisma environment where Panorama cannot modify it, nor do you have access to the firewalls to see / modify it?
09-21-2021 09:46 AM
Is this a CLI-only command to disable SIP-ALG? May I introduce you to Palo's newest automation tool, SLI? Basically you would input a list of your NGFW MGT IPs (or pull them from PRA, see option 2), add username/password to the file, and then a different file would have a list of the CLI commands you wish to run and the tool will sequentially create the SSH access to each device outputting errors/success messages into a file for review after.
Indeed, it's a feature request to get into panorama for now, but I requested our automation team build this workaround for the time being as I had a customer that needed something similar.
SLI Development Branch
This is useful for commands for example, mass_ssh and mass_ssh_from_panorama.
mass_ssh asynchronous executes an inputted script file against multiple firewalls. These firewalls are either given as a list of IP addresses on the command line or given in a YAML inventory file. You can run the sli mass_ssh --help command to see examples of both the inputted script file and the YAML inventory file.
mass_ssh_from_panorama does the same thing except it gathers the NGFW list from a Panorama device. SLI will grab a list of all connected devices for a given Panorama device and then will optionally filter based on an inputted dictionary of key values. You can run the sli mass_ssh_from_panorama --help command to see examples of the input script file and the NGFW filter dictionary.
Then create your template files, look at examples by typing mass_ssh_from_panorama --help. Hope this makes your life a little easier!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!