How to Disable SIP ALG

Overview

The ability to disable SIP ALG was introduced in PAN-OS 6.0.

SIP ALG performs NAT on the payload and opens dynamic pinholes for media ports. This may cause issues for some SIP implementations. This document describes how to disable SIP ALG.

Note: The option to disable SIP ALG is available on the Palo Alto Networks firewall and is a device-wide option. This feature is not supported on Panorama.

Steps

Inside of the WebGUI

Disabling this feature will prevent the firewall from translating the payload.

1. Go to Objects > Applications and perform a search for the SIP application, as shown below:
   
   
   
2. Open the SIP application. The ALG setting can be seen in the Options section at the lower right area of the display.
3. Click on Customize to bring up the settings dialog and check Disable ALG:
   

On the CLI

Use the following command to disable the SIP ALG:

> configure
# set shared alg-override application sip alg-disabled yes|no

If issues still occur with SIP after disabling the ALG, testing can be performed setting up filters with packet captures and running the following CLI commands to gather additional information:

> debug dataplane packet-diag set:
log feature flow basic
log feature ctd basic

Note: Not all phone system implementations use the SIP application. In some cases, vendors like Cisco will use applications such as RTP and RTCP. In these cases, if the phones are experiencing issues it might be necessary to perform an application override for the specific phone traffic.

For more information see:  How to Create an Application Override

owner: rvanderveken