
PCNSE: Disabling SIP ALG on Palo Alto Networks NGFW to Resolve VoIP Traffic Issues

Discover the solution to VoIP traffic issues caused by firewall interference: Disable the Application Layer Gateway (ALG) under the SIP application on Palo Alto Networks Next-Generation Firewalls.


Question

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.

What can the engineer do to solve the VoIP traffic issue?

A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application

Answer

D. Disable ALG under SIP application

Explanation

To solve the VoIP traffic issue caused by the firewall performing NAT on voice packets’ payload and opening dynamic pinholes for media ports, the firewall engineer should disable the Application Layer Gateway (ALG) under the SIP (Session Initiation Protocol) application.

The SIP ALG is a feature in Palo Alto Networks firewalls that inspects and modifies SIP traffic to enable proper NAT traversal and media stream handling for VoIP communications. However, in some cases, the SIP ALG can interfere with the voice packet payload and cause issues with VoIP traffic.

With the SIP ALG disabled, the firewall no longer performs NAT on the voice packet payload or opens dynamic pinholes for media ports. Instead, it treats SIP traffic as normal application traffic, leaving the VoIP system to handle NAT traversal and media stream negotiation without interference from the firewall.

Disabling the SIP ALG can resolve various VoIP traffic issues, such as one-way audio, dropped calls, or failure to establish media streams, particularly when the VoIP system is capable of handling NAT traversal and media negotiation without the need for the firewall’s intervention.
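To confirm that payload NAT is what the firewall is doing, compare a SIP INVITE as the phone sent it with the copy captured on the far side of the firewall. The following Python check is an added example, not part of the original page or any Palo Alto Networks tooling; the messages, addresses, ports and helper names are constructed for illustration.

```python
import re

# Address-bearing SIP/SDP fields that payload NAT by an ALG would change.
FIELDS = {
    "via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M),
    "contact": re.compile(r"^Contact:.*?<sip:(?:[^@>]+@)?([^;>]+)", re.I | re.M),
    "sdp_origin": re.compile(r"^o=\S+ \S+ \S+ IN IP4 (\S+)", re.M),
    "sdp_connection": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "sdp_audio_port": re.compile(r"^m=audio (\d+)", re.M),
}

def extract(msg):
    """Pull the address-bearing fields out of one SIP message."""
    msg = msg.replace("\r\n", "\n")
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(msg)
        out[name] = m.group(1) if m else None
    return out

def alg_rewrites(sent, received):
    """Return {field: (before, after)} for every field changed in transit."""
    a, b = extract(sent), extract(received)
    return {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}

def advertised_media(msg):
    """Media address and port offered in SDP, i.e. where RTP is expected."""
    f = extract(msg)
    if f["sdp_connection"] and f["sdp_audio_port"]:
        return (f["sdp_connection"], int(f["sdp_audio_port"]))
    return None

def build_invite(ip, sip_port, rtp_port):
    """Constructed sample INVITE; not taken from a real capture."""
    sdp = (f"v=0\r\no=alice 2890844526 2890844526 IN IP4 {ip}\r\ns=-\r\n"
           f"c=IN IP4 {ip}\r\nt=0 0\r\nm=audio {rtp_port} RTP/AVP 0\r\n")
    return (f"INVITE sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {ip}:{sip_port};branch=z9hG4bK776asdhds\r\n"
            f"From: <sip:alice@example.com>;tag=1928301774\r\n"
            f"To: <sip:bob@example.com>\r\nCall-ID: a84b4c76e66710\r\n"
            f"CSeq: 1 INVITE\r\nContact: <sip:alice@{ip}:{sip_port}>\r\n"
            f"Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")

SENT = build_invite("10.1.1.20", 5060, 49170)           # as the phone sent it
NO_ALG = SENT                                           # ALG off: payload untouched
WITH_ALG = build_invite("203.0.113.10", 20480, 31002)   # ALG on: payload NATed
```

An empty result from `alg_rewrites` means the SIP payload crossed the firewall unmodified, which is the expected state once the ALG is disabled under the SIP application.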
