Symptoms
Under some circumstances, SIP traffic handled by the Palo Alto Networks firewall might cause issues such as one-way audio or phones de-registering.
Solution
Create an Application Override Policy for SIP, following the steps below:
1. From Policies > Application Override, click Add in the lower left to create a new Policy Rule:
Create new Application Override rule.
2. Next, under the Source tab, click Add to add the source zone where the SIP servers are present.
App override screen - source zone.
3. Under the Destination tab, click Add to add both the destination zone and subnet or IP address of the VoIP provider's servers.
App override - Destination zone and address.
4. Under the Protocol/Application tab, either TCP or UDP is valid, and the ports can vary depending on the VoIP vendor used. For Application, use sip.
Protocol - Application tab showing the options.
5. Here you can see what the Application Override rule looks like.
Application Override rule view
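An added example, not part of the original article or of Palo Alto Networks' tooling: a Python check that each SIP Application Override rule in an exported rule set is scoped the way steps 2 to 4 describe. The XML layout, the rule names, zones and addresses in the sample, and the port values treated as "full range" are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, assumed to follow the PAN-OS XML layout for
# application-override rules; names, zones and addresses are made up.
SAMPLE = """<rules>
  <entry name="sip-override">
    <from><member>voip</member></from><to><member>untrust</member></to>
    <destination><member>203.0.113.0/28</member></destination>
    <protocol>udp</protocol><port>5060</port><application>sip</application>
  </entry>
  <entry name="sip-override-broad">
    <from><member>any</member></from><to><member>untrust</member></to>
    <destination><member>any</member></destination>
    <protocol>udp</protocol><port>1-65535</port><application>sip</application>
  </entry>
</rules>"""

# Fields the steps above say to scope: (XML tag, label used in findings).
SCOPED = [("from", "source zone (step 2)"),
          ("to", "destination zone (step 3)"),
          ("destination", "destination address (step 3)")]

def members(entry, tag):
    """<member> values under <tag>; a missing tag is treated as 'any'."""
    vals = [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]
    return vals or ["any"]

def audit_sip_overrides(xml_text):
    """Return {rule name: [findings]} for override rules whose application is sip."""
    report = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        if (entry.findtext("application") or "").strip() != "sip":
            continue
        findings = [f"{label} is any" for tag, label in SCOPED
                    if "any" in members(entry, tag)]
        if (entry.findtext("protocol") or "").strip() not in ("tcp", "udp"):
            findings.append("protocol is not tcp or udp (step 4)")
        port = (entry.findtext("port") or "").strip()
        if port in ("", "any", "0-65535", "1-65535"):
            findings.append("port is not limited to the vendor's SIP ports (step 4)")
        report[entry.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_sip_overrides(SAMPLE).items():
        print(name, "->", findings or "scoped as in steps 2-4")
```

An empty findings list means the rule names a source zone, a destination zone and address, TCP or UDP, and a bounded port, as in the rule built above.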
Apart from creating an Application Override policy for SIP, also check:
- Security policies for both inbound and outbound traffic to and from the internal SIP server.
- Source and Destination NAT for the SIP servers.
- Whether ALG is disabled. If not, follow the article linked below to disable it.
How to Disable SIP ALG