PCNSE Question #139: Real Exam Question with Answer & Explanation

Question

The Network Security Administrator discovers that the company's NAT-aware SIP phone system is not working properly through the Palo Alto Networks firewall, even though SIP traffic is being allowed by policy. Which configuration change can resolve this issue?

Options

• ADisable ALG within the security policy that permits SIP traffic
• BCreate an application override policy to assign all traffic to and from SIP phones to the sip
• CCreate a security policy that allows any traffic to and from SIP phones.
• DDisable ALG within the SIP application

Explanation

When a NAT-aware SIP phone system has issues through a firewall, disabling the Application Layer Gateway (ALG) for the SIP application itself often resolves conflicts between the phone system's NAT handling and the firewall's.

Common mistakes.

• A. ALGs are generally configured per application or globally, not directly disabled within a security policy itself; the security policy only allows or denies the traffic.
• B. An application override policy bypasses Layer 7 inspection, which might stop the SIP ALG from being invoked, but it's a less direct and less granular solution than specifically disabling the SIP ALG if the issue is a conflict between the phone's NAT-awareness and the firewall's ALG.
• C. A security policy allowing any traffic is too broad and does not address the specific issue of SIP ALG interference with a NAT-aware SIP system, which requires more granular control over the SIP application behavior.

Concept tested. SIP ALG and NAT-aware systems

Reference. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/app-id-overview/application-level-gateways-algs

No community discussion yet for this question.