How to Disable SIP ALG

How to Disable SIP ALG

343519
Created On 09/25/18 17:19 PM - Last Modified 01/30/24 21:54 PM


Resolution


Overview

The ability to disable SIP ALG (Application Layer Gateway) was introduced in PAN-OS 6.0.

SIP ALG performs NAT on the payload and opens dynamic pinholes for media ports. This may cause issues for some SIP implementations. This document describes how to disable SIP ALG.

Note: The option to disable SIP ALG is available on the Palo Alto Networks firewall and is a device-wide option. This feature is not supported on Panorama.

 

Steps

Inside of the WebGUI

Disabling this feature will prevent the firewall from translating the payload.

  1. Go to Objects > Applications and perform a search for the SIP application, as shown below:
    image.png
  2. Open the SIP application. The ALG setting can be seen in the Options section at the lower right area of the display.
  3. Click on Customize to bring up the settings dialog and check Disable ALG:
    image.png

 

On the CLI

Use the following command to disable the SIP ALG:

> configure
# set shared alg-override application sip alg-disabled yes|no
# commit

 

Note: Not all phone system implementations use the SIP application. In some cases, vendors like Cisco will use applications such as RTP and RTCP. In these cases, if the phones are experiencing issues it might be necessary to perform an application override for the specific phone traffic.

 

For more information seeTips & Tricks: How to Create an Application Override

 

owner: rvanderveken

 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language