Palo Alto Networks firewalls ship with the Session Initiation Protocol (SIP) Application-Level Gateway (ALG) enabled. SIP ALG opens dynamic pinholes in the firewall where NAT is enabled. RingCentral services, however, have NAT intelligence embedded in the client application.
For this reason, SIP ALG on any firewall interferes with RingCentral SIP signaling sessions, which causes registration, incoming, and outbound call signaling issues.
RingCentral support advises disabling SIP ALG on the Palo Alto firewall. However, some Palo Alto Networks firewalls automatically enable SIP ALG when a non-RingCentral subnet VLAN that requires SIP ALG is created. That VLAN's request enables SIP ALG for the entire firewall, which re-enables SIP ALG for the RingCentral rule where it had previously been disabled.
To support RingCentral services properly, SIP ALG must be disabled. To accomplish this, the client can:
1. Disable SIP ALG again and ask the customer to look for another solution for their non-RingCentral VLAN.
2. Palo Alto Networks allows the network admin to define an Application Override Policy for SIP. Unfortunately, this approach disables App-ID and threat detection functionality, which is a security concern. Palo Alto Networks support suggests disabling SIP ALG instead, which keeps App-ID and threat detection functionality active.
3. Palo Alto Networks offered an updated subnetting profile, which is a better solution. This requested subnetting profile is created without any reference to SIP ALG, so the automatic SIP ALG enable feature stays disabled. At the time of this writing, there is no known date for when the Palo Alto Networks operating system will include this as a permanent option.
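Because SIP ALG can be switched back on without anyone touching the RingCentral rule, and an Application Override for SIP removes App-ID and threat detection, both conditions are worth checking in each configuration export. The script below is an added example, not part of the original document or any Palo Alto Networks or RingCentral tooling; the XML element layout (`alg-override`, `application-override`) and the sample configuration are assumptions constructed for illustration and should be compared against a real export before use.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported firewall configuration.
# The element layout is an assumption; verify it against your own export.
SAMPLE_CONFIG = """<config>
  <shared>
    <alg-override><application>
      <entry name="sip"><alg-disabled>no</alg-disabled></entry>
    </application></alg-override>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><application-override><rules>
      <entry name="voice-override"><application>sip</application></entry>
      <entry name="legacy-app"><application>custom-tcp-app</application></entry>
    </rules></application-override></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def audit_sip_alg(config_xml):
    """Return findings about SIP ALG state and SIP application overrides."""
    root = ET.fromstring(config_xml)
    findings = []

    # SIP ALG is treated as disabled only when every override entry says so.
    states = [
        (entry.findtext("alg-disabled") or "").strip().lower()
        for alg in root.iter("alg-override")
        for entry in alg.findall("application/entry")
        if entry.get("name") == "sip"
    ]
    if not states:
        findings.append("SIP ALG: no override entry for sip, ALG is at its enabled default")
    elif any(state != "yes" for state in states):
        findings.append("SIP ALG: override entry present but ALG is not disabled")

    # Option 2 in the text: an override rule for SIP disables App-ID and threat detection.
    for override in root.iter("application-override"):
        for rule in override.findall("rules/entry"):
            if (rule.findtext("application") or "").strip() == "sip":
                name = rule.get("name")
                findings.append(f"Application override rule '{name}' targets sip: no App-ID or threat detection")
    return findings


if __name__ == "__main__":
    for finding in audit_sip_alg(SAMPLE_CONFIG):
        print(finding)
```

Running it against a scheduled configuration export and alerting on any non-empty result catches the silent re-enable described above.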
NOTE: TAMS, PS and Palo Alto Networks contributed to this document.