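After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packet payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?
Correct answer: D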
Explanation
According to the Palo Alto Networks documentation [1], the application-level gateway (ALG) is a feature that allows the firewall to inspect and modify the payload of some protocols, such as SIP, to enable NAT traversal and firewall policy enforcement. However, ALG can also cause issues with some VoIP implementations, such as modifying the SIP headers incorrectly or opening unnecessary pinholes for media ports. Disabling ALG under the SIP application can therefore help solve the VoIP traffic issue by preventing the firewall from altering the voice packet payload and opening dynamic pinholes, so the correct answer is D.
The other options are not relevant or helpful for solving the VoIP traffic issue:
Disable ALG under H.323 application: This option would disable ALG for H.323 protocol, which is another VoIP protocol, but not the one used in this scenario. The scenario mentions SIP as the signaling protocol, so disabling ALG under H.323 application would have no effect on the VoIP traffic issue.
Increase the TCP timeout under H.323 application: This option would increase the TCP timeout for H.323 protocol, which is another VoIP protocol, but not the one used in this scenario. The scenario mentions SIP as the signaling protocol, which uses UDP by default, so increasing the TCP timeout under H.323 application would have no effect on the VoIP traffic issue.
Increase the TCP timeout under SIP application: This option would increase the TCP timeout for SIP protocol, which is the signaling protocol used in this scenario. However, SIP uses UDP by default, so increasing the TCP timeout would have no effect on the VoIP traffic issue. Moreover, increasing the TCP timeout would not address the problem of NAT on the voice packets payload and dynamic pinholes for media ports.
References:
1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg
2: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK