The ability to disable SIP ALG (Application Layer Gateway) was introduced in PAN-OS 6.0.
SIP ALG performs NAT on the payload and opens dynamic pinholes for media ports. This may cause issues for some SIP implementations. This document describes how to disable SIP ALG.
Note: The option to disable SIP ALG is available on the Palo Alto Networks firewall and is a device-wide option. This feature is not supported on Panorama.
Steps
Inside of the WebGUI
Disabling this feature will prevent the firewall from translating the payload.
Go to Objects > Applications and perform a search for the SIP application, as shown below:
Open the SIP application. The ALG setting can be seen in the Options section at the lower right area of the display.
Click on Customize to bring up the settings dialog and check Disable ALG:
Note: Not all phone system implementations use the SIP application. In some cases, vendors like Cisco will use applications such as RTP and RTCP. In these cases, if the phones are experiencing issues it might be necessary to perform an application override for the specific phone traffic.