Ok, so I took my 3CX server off of AT&T and put it on our Comcast connection. I still got the same problems. I'm pretty sure Comcast is not blocking 5060. I finally figured out the PAN3020 randomized the ports going outbound, so I created a policy to preserve the port, and I finally got the 5060 to work, but then I kept getting "Full Cone NAT" errors. I tried a thousand different NAT policy configurations, ran Wireshark until the end of time, and Googled every problem I came across to death, and I cannot get this to work on the Palo Alto 3020 no matter what I try. I've read in some Google search results where people are using the same firewall I am using and have gotten it to work, but they did not provide their NAT policies to show how they got it to work. Also, I discovered that if I run the Firewall Check too many times the "detecting SIP ALG" will fail. Even after I restore my firewall back to the settings before any 3CX policies the SIP ALG detection fails every time, even though I have ALG disabled. I literally have to reinstall the 3CX server software to get it to successful detect that I have ALG disabled. I really want to get this to work, but I have exhausted just about everything I can possibly think of. It would have been awesome if 3CX would've included the Palo Alto in their "Step by Step Instructions for Popular Firewalls" guide. We paid an ENORMOUS amount of money for this Palo Alto 3020. It is like the Mercedes Benz of firewalls. You would think there would be an easy way to configure this firewall to allow for VoIP configurations.
... View more
Has anyone come up with a solution for this? I have a PA-3020 and I am having trouble trying to get our 3CX phone system to pass the firewall check. It keeps failing when testing the ports 5060 and 5090.
... View more