ALG Disable

Learn more about the Prisma SD-WAN ALG Disable NAT use case.
The Prisma SD-WAN application fabric supports the move to cloud-delivered collaboration (UCaaS) by emphasizing Voice & Video quality reporting and SLA assurance. As the consumption of these services has changed, it has placed new demands on the network. In particular, many UCaaS providers require that network solution providers disable the SIP ALG (Application Layer Gateway) for any traffic that crosses a NAT boundary on its way to the SIP provider.
In this example, a phone at the branch communicates over the internet with a UCaaS system using SIP (Session Initiation Protocol), the standard protocol collaboration endpoints use to register with their control system. Path Policy places the SIP traffic directly onto any available internet link, so the traffic is subject to the default NAT policy. The UCaaS provider has also specified that any SIP ALG must be disabled. Disabling the SIP ALG prevents the header rewriting that can break phone registration or cause one-way audio.
The packet flow proceeds as follows:
1. Phone 1 initiates a new SIP registration with a source address of 10.10.20.20 and a destination address of 80.80.80.80.
2. The packet arrives at the ION device's LAN interface. The device performs a policy lookup, which places the traffic on the internet segment.
3. On the internet segment the packet is evaluated against the Default-NATPolicySet and matches the Default-InternetRule.
   This rule contains the following configuration:
     • Destination Zone Rule: NAT Zone Internet
     • Match Criteria: Any Protocol, Any Prefix, Any Port
     • Action: Source NAT
   The NAT Pool in this rule is blank by default, so the system uses the IP address bound to the internet interface.
   When the rule is applied, the source address 10.10.20.20 is overwritten with the address bound to the internet interface (50.50.50.1), and the source port may be changed to a random port as part of this operation.
   In this example the original packet (s) 10.10.20.20:12345 (d) 80.80.80.80:5060 is rewritten to (s) 50.50.50.1:54321 (d) 80.80.80.80:5060.
4. In addition to the default NAT rule, the traffic also matches the newly created rule that disables the SIP ALG:
     • Destination Zone Rule: NAT Zone Internet
     • Match Criteria:
       Protocol: Any: Any (blank)
       Source Prefix: Local Prefix Filter - 10.10.20.0/24 (Phone Network)
       Source Port Range: Any: Any (blank)
       Destination Prefix: Any (blank)
       Destination Port Range: Any: Any (blank)
     • Action: ALG Disable
     • ALG Protocols to Disable: SIP
   Because the source prefix is limited to the phone network, only traffic from 10.10.20.0/24 matches this rule; other traffic leaving the site keeps the default ALG behavior.
5. The traffic arrives at the SIP server directly on the internet.
6. The SIP server sends return traffic to the destination 50.50.50.1:54321. The ION device checks its translation table to confirm there is an active connection for this flow.
7. The traffic is forwarded onto the LAN segment; the destination is rewritten from 50.50.50.1:54321 to 10.10.20.20:12345.
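The following is an added example, not Prisma SD-WAN product code: a small Python model of the flow above that shows what a SIP ALG would change in the SIP payload, what the ALG Disable rule leaves untouched, and how the translation table maps the return traffic back to the phone. The addresses and ports come from the walkthrough; the REGISTER message, the `SourceNat` class and the fixed NAT port 54321 are constructed for illustration (a real ALG also rewrites the SDP c= line of an INVITE, which the same helper handles).

```python
# Added example (not Prisma SD-WAN code): minimal model of source NAT with and
# without a SIP ALG, using the walkthrough's addresses. Everything here
# (SourceNat, the REGISTER text, the NAT port 54321) is constructed for illustration.
from dataclasses import dataclass, field
import ipaddress

WAN_IP = "50.50.50.1"                                # address bound to the internet interface
PHONE_NET = ipaddress.ip_network("10.10.20.0/24")    # Local Prefix Filter of the ALG Disable rule
SIP_PORT = 5060


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


def sip_alg_rewrite(payload, old_ip, old_port, new_ip, new_port):
    """What a SIP ALG does: patch the private address out of the SIP text.
    Via/Contact carry ip:port; SDP c= lines (in an INVITE) carry 'IN IP4 <ip>'."""
    payload = payload.replace(f"{old_ip}:{old_port}", f"{new_ip}:{new_port}")
    return payload.replace(f"IN IP4 {old_ip}", f"IN IP4 {new_ip}")


@dataclass
class SourceNat:
    """Default-InternetRule (source NAT to WAN_IP) plus an optional ALG Disable rule."""
    alg_disabled_prefixes: tuple = ()            # networks matched by the ALG Disable rule
    next_port: int = 54321                       # first "random" NAT port, fixed for determinism
    table: dict = field(default_factory=dict)    # wan_port -> (src_ip, src_port, dst_ip, dst_port)

    def sip_alg_active(self, pkt):
        if pkt.dst_port != SIP_PORT:
            return False
        src = ipaddress.ip_address(pkt.src_ip)
        return not any(src in net for net in self.alg_disabled_prefixes)

    def outbound(self, pkt):
        """Steps 3 and 4: rewrite the source, record the flow, run the ALG unless disabled."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        payload = pkt.payload
        if self.sip_alg_active(pkt):
            payload = sip_alg_rewrite(payload, pkt.src_ip, pkt.src_port, WAN_IP, wan_port)
        return Packet(WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt):
        """Steps 6 and 7: only return traffic for an active translation is forwarded."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None                          # no active connection: drop
        src_ip, src_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port, pkt.payload)


# Constructed SIP REGISTER from Phone 1 (not a captured message).
REGISTER = (
    "REGISTER sip:80.80.80.80 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.20.20:12345;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:phone1@10.10.20.20:12345>\r\n"
    "\r\n"
)


def walk_through(alg_disabled):
    """Run the outbound REGISTER and its 200 OK reply through the NAT model."""
    nat = SourceNat(alg_disabled_prefixes=(PHONE_NET,) if alg_disabled else ())
    out = nat.outbound(Packet("10.10.20.20", 12345, "80.80.80.80", SIP_PORT, REGISTER))
    reply = Packet("80.80.80.80", SIP_PORT, out.src_ip, out.src_port, "SIP/2.0 200 OK\r\n\r\n")
    back = nat.inbound(reply)
    # A packet to the WAN address with no translation entry must be dropped.
    stray = nat.inbound(Packet("80.80.80.80", SIP_PORT, WAN_IP, 40000, "SIP/2.0 200 OK\r\n\r\n"))
    return {"outbound": out, "returned": back, "stray_dropped": stray is None}


if __name__ == "__main__":
    for flag in (False, True):
        r = walk_through(flag)
        contact = [l for l in r["outbound"].payload.split("\r\n") if l.startswith("Contact")][0]
        print("ALG disabled" if flag else "ALG enabled ", "| IP header src",
              f"{r['outbound'].src_ip}:{r['outbound'].src_port}", "|", contact)
```

With the ALG enabled, the Contact header leaves the site as 50.50.50.1:54321; with the ALG Disable rule matching the phone network, the IP header is still translated but the SIP headers keep 10.10.20.20:12345, which is exactly what a WAN-side capture should show after the rule is applied.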
One approach is to clone the Default-NATPolicySet, add the required rule to the clone, and apply the new set to the intended target site(s). When ALG behavior needs to change, however, the best practice is to create a new Policy Set Stack. Once it is created, add the Default-NATPolicySet to the stack, then create a new NAT Set containing a rule that disables the ALG, and bind the new NAT Set to the new NAT Stack. This leaves the default rules unchanged and isolates the ALG change in its own set. After applying the stack, verify the change with a capture on the internet interface: with the SIP ALG disabled, the outer IP header carries 50.50.50.1 while the SIP Via and Contact headers still carry the phone's private address, and the UCaaS provider handles NAT traversal on its side.
