Palo Alto Networks Knowledgebase: SIP Application Override Policy

SIP Application Override Policy

Created On 02/07/19 23:45 PM - Last Updated 02/07/19 23:45 PM
Resolution

Symptoms

Under some circumstances, SIP traffic handled by the Palo Alto Networks firewall might cause issues such as one-way audio, phones de-registering, etc.

Solution

Create an Application Override Policy for SIP by following the steps below:

1. From Policies > Application Override, click Add in the lower left to create a new Policy Rule:

[Screenshot: Create new Application Override rule.]

2. Next, under the Source tab, click Add to add the source zone where the SIP servers are present.

[Screenshot: App override screen - source zone.]

3. Under the Destination tab, click Add to add both the destination zone and subnet or IP address of the VoIP provider's servers. 

[Screenshot: App override - Destination zone and address.]

4. Under the Protocol/Application tab, either TCP or UDP is valid, and ports can vary depending on the VoIP vendor used. For Application, use sip.

[Screenshot: Protocol - Application tab showing the options.]

5. Here you can see what the Application Override rule looks like.

[Screenshot: Application Override rule view.]
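
The following is an added example, not part of the original article or any Palo Alto Networks tooling: a Python check that reads application override rules from an exported configuration and flags sip overrides that are broader than steps 2 to 4 describe. The XML element layout is an assumption modeled on a PAN-OS configuration export, and all rule names, zones and addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow the layout of a PAN-OS XML config
# export (assumption); rule names, zones and addresses are placeholders.
SAMPLE_CONFIG = """
<application-override><rules>
  <entry name="SIP-Override">
    <from><member>Trust</member></from><to><member>Untrust</member></to>
    <source><member>any</member></source>
    <destination><member>203.0.113.0/28</member></destination>
    <protocol>udp</protocol><port>5060</port><application>sip</application>
  </entry>
  <entry name="SIP-Override-Wide">
    <from><member>any</member></from><to><member>Untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <protocol>tcp</protocol><port>5060</port><application>sip</application>
  </entry>
</rules></application-override>
"""

def members(entry, tag):
    """Return the <member> values under entry/<tag>; a missing list counts as 'any'."""
    vals = [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]
    return vals or ["any"]

def audit_sip_overrides(xml_text):
    """Map each override rule that sets application 'sip' to its list of findings."""
    checks = [  # (element to inspect, finding tied to the step that sets it)
        ("from", "source zone is 'any'; step 2 names the zone of the SIP servers"),
        ("to", "destination zone is 'any'; step 3 names a destination zone"),
        ("destination", "destination address is 'any'; step 3 names the provider's servers"),
    ]
    findings = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        if (entry.findtext("application") or "").strip() != "sip":
            continue  # only rules that override to the sip application
        issues = [msg for tag, msg in checks if "any" in members(entry, tag)]
        if (entry.findtext("protocol") or "").strip() not in ("tcp", "udp"):
            issues.append("protocol is neither tcp nor udp (step 4)")
        findings[entry.get("name")] = issues
    return findings

if __name__ == "__main__":
    for rule, issues in audit_sip_overrides(SAMPLE_CONFIG).items():
        print(rule, "->", issues or "scoped as described")
```
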

Apart from creating an application override policy for SIP, also check:

  • Security policies for both inbound and outbound traffic to and from the internal SIP server.
  • Source and Destination NAT for the SIP servers.
  • Whether ALG is disabled. If not, follow the article linked below to disable it.

How to Disable SIP ALG

 


