Why disable Palo Alto Networks SIP Application-level Gateway (ALG)?
The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications—such as VoIP—have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.
When SIP ALG is enabled, its functions may result in intermittent call connectivity issues (phone registration or call feature operation) or excessive voice quality impairments (increased latency and jitter).
Any of the application-layer functions may cause signaling or UDP media quality issues. For example, IDS/IPS may limit packet streams to a certain bandwidth, causing intermittent audio issues across multiple calls when the number of calls exceeds a certain volume. WAN accelerators use header compression to reduce bandwidth. For VoIP traffic, this can result in increased jitter.
How to disable Palo Alto Networks SIP Application-level Gateway (ALG)
1. Click the Objects tab.
2. On the left, select Applications from the list.
3. Search "sip" or scroll down to locate and click sip.
4. On the Application window, click "Customize..." beside ALG: Enabled.
5. Disable ALG, then click OK.
6. IMPORTANT: Ensure your customer is within their maintenance window or is allowed to make changes on the network at this time, then click "Commit".
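To check after the commit that the firewall no longer alters SIP signaling, the same SIP message can be captured on the LAN side and the WAN side of the firewall and compared. The following is an added example, not part of the original article or any Palo Alto Networks tooling; it assumes ALG interference shows up as rewritten addresses in the Via and Contact headers and the SDP body, and the function names and sample messages are constructed for illustration.

```python
from itertools import zip_longest

# Fields in which a SIP ALG typically rewrites embedded addresses or ports (assumption).
WATCHED = ("via", "contact", "sdp:o", "sdp:c", "sdp:m")
COMPACT = {"v": "via", "m": "contact"}  # SIP compact header forms (RFC 3261)

def parse_sip(raw):
    """Split a SIP message into {field: [values]} for headers and SDP lines."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = {}
    for line in head.split("\n")[1:]:            # skip the request/status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        fields.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for line in body.split("\n"):                # SDP lines look like "x=value"
        if len(line) > 2 and line[1] == "=":
            fields.setdefault("sdp:" + line[0], []).append(line[2:].strip())
    return fields

def alg_rewrites(lan_raw, wan_raw):
    """Return [(field, lan_value, wan_value)] for watched fields that differ."""
    lan, wan = parse_sip(lan_raw), parse_sip(wan_raw)
    return [(f, x, y) for f in WATCHED
            for x, y in zip_longest(lan.get(f, []), wan.get(f, []))
            if x != y]

# Constructed sample: an INVITE as sent by a phone on the LAN.
LAN_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
# Constructed WAN-side captures: payload rewritten by an ALG vs. left untouched.
WAN_ALG = LAN_INVITE.replace("192.168.1.50:5060", "203.0.113.10:40112").replace("192.168.1.50", "203.0.113.10")
WAN_NO_ALG = LAN_INVITE

if __name__ == "__main__":
    for field, before, after in alg_rewrites(LAN_INVITE, WAN_ALG):
        print(f"{field}: {before!r} -> {after!r}")
```

An empty result means the SIP payload crossed the firewall unchanged, which is what a client with its own NAT handling expects.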