SIP Application Override Policy

SIP Application Override Policy

Created On 09/26/18 13:47 PM - Last Modified 09/20/21 18:17 PM



Under some circumstances, the SIP traffic being handled by the Palo Alto Networks firewall, might cause issues such as one-way audio, phones de-registering, etc.



Create an Application Override Policy for SIP, following the steps below:


1. From Policies > Application Override, click Add in the lower left to create a new Policy Rule:

2016-07-01_app01.pngCreate new Application Override rule.2. Next, under the Source tab, click Add to add the source zone where the SIP servers are present.

2016-07-01_app02.pngApp override screen - source zone.

3. Under the Destination tab, click Add to add both the destination zone and subnet or IP address of the VoIP provider's servers. 

2016-07-01_app03.pngApp override - Destination zone and address.

4. Under the Protocol/Application tab, either TCP or UDP is valid and ports can also vary depending on VoIP vendor used. For Application, use sip.

2016-07-01_app04.pngProtocol - Application tab showing the options.

5. Here you can see what the Application Override rule looks like.

2016-07-01_app05.pngApplication Override rule view

Apart from creating an application override policy for SIP applications, we would also need to check:

  • Security policies for both inbound and outbound traffic to and from the internal SIP server.
  • Source and Destination NAT for the SIP servers.
  • If ALG is disabled. If not, follow the article link below to disable it.


How to Disable SIP ALG


  • Print
  • Copy Link

Choose Language