The Palo Alto Networks firewall does not classify traffic
by port and protocol; instead it identifies the application based
on its unique properties and transaction characteristics using the
App-ID technology. Some applications, however, require the firewall
to dynamically open pinholes to establish the connection,
determine the parameters for the session and negotiate the ports
that will be used for the transfer of data; these applications use the
application-layer payload to communicate the dynamic TCP or UDP
ports on which the application opens data connections. For such
applications, the firewall serves as an Application Level Gateway
(ALG): it opens a pinhole for a limited time, exclusively for
transferring that data or control traffic, and it also performs
a NAT rewrite of the payload when necessary.
H.323 (H.225 and H.248) ALG is not supported in gatekeeper
When the firewall serves as an ALG for the Session Initiation
Protocol (SIP), by default it performs NAT on the payload and opens
dynamic pinholes for media ports. In some cases, depending on the
SIP applications in use in your environment, the SIP endpoints have
NAT intelligence embedded in their clients. In such cases, you might need
to disable the SIP ALG functionality to prevent the firewall from
modifying the signaling sessions. When SIP ALG is disabled, if App-ID
determines that a session is SIP, the payload is not translated
and dynamic pinholes are not opened. See Disable
the SIP Application-level Gateway (ALG).
When you use Dynamic IP and Port (DIPP) NAT, the Palo Alto
Networks firewall ALG decoder needs both an IP address and a port
(sent-by address and sent-by port) in the SIP Contact and Via
headers to be able to translate those headers and open
predict sessions based on them.
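To make the SIP ALG behaviour described above concrete, the following added example (not Palo Alto Networks code, and not a model of the firewall's actual decoder) simulates what an ALG does with one INVITE from a phone behind DIPP NAT: it rewrites the sent-by address and port in the Via and Contact headers, rewrites the SDP connection and media lines, recomputes Content-Length, and reports the media pinholes it would open. It also shows the two caveats from the text: with `alg_enabled=False` the payload is left untouched and no pinholes are opened, and under DIPP a Via or Contact header that carries an address without a port is reported as untranslatable. The SIP message, the addresses (10.0.0.5, 203.0.113.7) and the port-allocation scheme are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# SIP "sent-by" form: an IPv4 address optionally followed by ':port'.
SENT_BY_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")


@dataclass
class AlgResult:
    message: str                                        # rewritten SIP message
    pinholes: list = field(default_factory=list)        # (public_ip, port) to open
    untranslated: list = field(default_factory=list)    # headers lacking a port (DIPP)


def build_invite(private_ip: str, media_port: int, contact_port=5060) -> str:
    """Assemble a constructed sample INVITE with SDP and a correct Content-Length."""
    contact = f"{private_ip}:{contact_port}" if contact_port else private_ip
    body = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {private_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {private_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {media_port} RTP/AVP 0\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
    )
    head = (
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {private_ip}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
        "To: Bob <sip:bob@example.com>\r\n"
        f"Call-ID: a84b4c76e66710@{private_ip}\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:alice@{contact}>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return head + "\r\n" + body


def _translate_sent_by(value, private_ip, public_ip, public_port, dipp):
    """Rewrite every sent-by token carrying the private address; flag a missing port under DIPP."""
    ok = True

    def repl(m):
        nonlocal ok
        ip, port = m.group(1), m.group(2)
        if ip != private_ip:
            return m.group(0)
        if port is None:
            if dipp:                 # DIPP needs both address and port to translate
                ok = False
                return m.group(0)
            return public_ip         # address-only NAT can still rewrite the IP
        return f"{public_ip}:{public_port}"

    return SENT_BY_RE.sub(repl, value), ok


def sip_alg_rewrite(msg, private_ip, public_ip, public_port,
                    media_port_base=30000, dipp=True, alg_enabled=True) -> AlgResult:
    """Simulated SIP ALG pass over one message (illustrative, not the firewall's decoder)."""
    if not alg_enabled:              # SIP ALG disabled: no payload NAT, no pinholes
        return AlgResult(message=msg)
    head, _, body = msg.partition("\r\n\r\n")
    result = AlgResult(message="")
    out = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "contact"):
            value, ok = _translate_sent_by(value, private_ip, public_ip, public_port, dipp)
            if not ok:
                result.untranslated.append(name.strip())
            line = f"{name}:{value}"
        out.append(line)
    # SDP: rewrite the announced address and allocate a public media port per m= line,
    # opening pinholes for RTP and the adjacent RTCP port (constructed allocation scheme).
    new_body, next_port = [], media_port_base
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            parts = line.split(" ")      # m=<media> <port> <proto> <fmt...>
            parts[1] = str(next_port)
            result.pinholes += [(public_ip, next_port), (public_ip, next_port + 1)]
            next_port += 2
            line = " ".join(parts)
        new_body.append(line)
    body = "\r\n".join(new_body)
    out = [f"Content-Length: {len(body)}" if l.lower().startswith("content-length:") else l
           for l in out]
    result.message = "\r\n".join(out) + "\r\n\r\n" + body
    return result


if __name__ == "__main__":
    r = sip_alg_rewrite(build_invite("10.0.0.5", 16384), "10.0.0.5", "203.0.113.7", 40001)
    print(r.message)
    print("pinholes:", r.pinholes, "untranslated:", r.untranslated)
```

Running the block prints the translated INVITE followed by the two media pinholes the simulated ALG would open; calling `sip_alg_rewrite` with a Contact header that has no port returns that header name in `untranslated`, which is the situation the DIPP requirement above is about.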
The following table lists IPv4, NAT, IPv6, NPTv6 and NAT64 ALGs
and indicates with a check mark whether the ALG supports each protocol
(such as SIP).