topic Re: SIP Inspection / ALG in Firewall and Security Management

SIP Inspection / ALG

lullejd — Thu, 03 Jun 2021 11:31:36 GMT

Hi,

Is there a formal CheckPoint document showing how to completely disable SIP inspection from both gaia and embedded gaia appliances? or something to completely confirm the status of SIP ALG?

From what was found even from community is that in order to disable SIP inspection, one needs to create a custom port for 5060 with match for any and included it in the rules. However I need to make sure that actually firewall is not doing SIP inspection.

Thanks in advance.

Re: SIP Inspection / ALG

the_rock — Thu, 03 Jun 2021 11:40:04 GMT

Can you share the doc you have, I want to make sure it is the correct one?

Re: SIP Inspection / ALG

_Val_ — Thu, 03 Jun 2021 11:49:18 GMT

Could you please elaborate? Which particular community recommendations are you trying to follow?

Re: SIP Inspection / ALG

lullejd — Thu, 03 Jun 2021 11:50:10 GMT

I was looking at this:

https://community.checkpoint.com/t5/Security-Gateways/How-to-disable-SIP-ALG-inspection-in-a-specific-rule-in/td-p/25249

Specifically to this:

Define your own UDP or TCP object without a protocol handler. For example: Name it SIP-BARE and use UDP/5600
Make sure you enable "Match for Any" on your own service and disable it on the existing service.
Make a rule for you own service AND!!!! make sure it is ABOVE any rule that uses the build in SIP services (which contains handlers).

Apart from that we also did this sk:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157994&partition=Advanced&product=Quantum

To be honest, in my opinion there should be an official SK from CheckPoint what needs to be done in order to disable SIP inspection on both gaia and embedded at this stage.There is also this sk:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65072&partition=Advanced&product=Quantum

which does not exactly specify.

Re: SIP Inspection / ALG

_Val_ — Thu, 03 Jun 2021 11:53:13 GMT

Not getting this, what is missing in sk65072, in your opinion?

Re: SIP Inspection / ALG

lullejd — Thu, 03 Jun 2021 11:56:40 GMT

For example, embedded gaia gateways (running R80.20.x), R80.40 and R81 procedures

Re: SIP Inspection / ALG

_Val_ — Thu, 03 Jun 2021 12:36:50 GMT

Fair enough.

The SK is describing procedures to disable SIP inspection for performance reasons. If this is your case, and you are running R80.40 or above, you do not need to disable it. If you still want to disable, it is the same procedure for all R8x, just follow the relevant section.

If your R80.20 SMB is centrally managed, the described changes will do too.

Now, let me ask, why do you need to disable it in the first place?

Re: SIP Inspection / ALG

lullejd — Thu, 03 Jun 2021 12:40:29 GMT

Hi Val,

SIP inspection needs to be disabled since there are intermittent issue with voice and we need to make sure is not being done by checkpoint. SIP Headers will be modified directly by the PABX rather than the firewall.

Re: SIP Inspection / ALG

_Val_ — Thu, 03 Jun 2021 13:40:19 GMT

FW does not modify SIP headers, but once again, follow the procedure mentioned in the above SK.

Also, and actually before you do that, why wouldn't you ask TAC to help you figuring out the actual issue in hands?

Re: SIP Inspection / ALG

lullejd — Thu, 03 Jun 2021 13:44:31 GMT

I've already opened a case with TAC around 2 weeks ago but given the reply I got I don't have high hopes to be honest. I asked for SIP inspection and was pointed to HTTPS inspection 🙂 That's why i'm asking here maybe someone has experienced such issues with SIP and overcome them.

Re: SIP Inspection / ALG

_Val_ — Thu, 03 Jun 2021 14:43:45 GMT

Please PM me with your SR number

Re: SIP Inspection / ALG

lullejd — Thu, 03 Jun 2021 14:48:47 GMT

Thanks Val. Sent you pm.

Re: SIP Inspection / ALG

_Val_ — Fri, 04 Jun 2021 07:14:55 GMT

Strangely enough, I do not see any message from you. would you care to send your SR to vloukine@checkpoint.com?

Re: SIP Inspection / ALG

lullejd — Fri, 04 Jun 2021 07:20:09 GMT

Thanks Val. Sent it via email.

Re: SIP Inspection / ALG

starmen2000 — Mon, 24 Apr 2023 18:56:42 GMT

Quick question.
if predefined services are applied in any rule, but in your certain rule you applied your owd defined services, would it work so?

Re: SIP Inspection / ALG

PhoneBoy — Tue, 25 Apr 2023 15:48:08 GMT

It depends on the precise rules in your rulebase.
Refer to the following for a detailed explanation of how rulebase matching works: https://community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/m-p/9888#M1693
Basically, if multiple rules potentially match the same source/destination/service, where service is the specific TCP/UDP ports involved, then you might have issues if you're trying to avoid certain protocol handlers like SIP.
If you want to ensure that a certain protocol handler isn't used, then focused rules (possibly using inline layers) are key.