How to Disable SIP ALG

How to Disable SIP ALG

Created On 09/25/18 17:19 PM - Last Modified 01/30/24 21:54 PM



The ability to disable SIP ALG (Application Layer Gateway) was introduced in PAN-OS 6.0.

SIP ALG performs NAT on the payload and opens dynamic pinholes for media ports. This may cause issues for some SIP implementations. This document describes how to disable SIP ALG.

Note: The option to disable SIP ALG is available on the Palo Alto Networks firewall and is a device-wide option. This feature is not supported on Panorama.



Inside of the WebGUI

Disabling this feature will prevent the firewall from translating the payload.

  1. Go to Objects > Applications and perform a search for the SIP application, as shown below:
  2. Open the SIP application. The ALG setting can be seen in the Options section at the lower right area of the display.
  3. Click on Customize to bring up the settings dialog and check Disable ALG:


On the CLI

Use the following command to disable the SIP ALG:

> configure
# set shared alg-override application sip alg-disabled yes|no
# commit


Note: Not all phone system implementations use the SIP application. In some cases, vendors like Cisco will use applications such as RTP and RTCP. In these cases, if the phones are experiencing issues it might be necessary to perform an application override for the specific phone traffic.


For more information seeTips & Tricks: How to Create an Application Override


owner: rvanderveken


  • Print
  • Copy Link

Choose Language