topic Re: SIP Traffic in Firewall and Security Management

SIP Traffic

SriNarasimha005 — Tue, 01 Nov 2022 10:36:27 GMT

Hi Folks,

I'm fairly new to checkpoint and have got a request to allow the SIP traffic UDP/5060, TCP/5060 and TCP/5061. Firewalls running R81.10 and Take78.

Have gone through this article and it suggests opening the data port manually along with sip_tls_not_inspected (if sip_tls_authentication can't be used)

SIP-Specific services (checkpoint.com)

I'd like to seek your help in understanding how checkpoint processes the SIP traffic as couple of posts suggest using without the protocol handler and exempt from the IPS inspection to avoid one-way call issue.

Is it mandatory to bypass the SIP traffic from both IPS and Inspection settings?
Will the checkpoint not automatically allow the dynamic connections?
If the protocol handler isn’t set, obviously the inspection will not do. If that’s the case, why do we need to config the IPS and inspection settings bypass the SIP traffic?

Re: SIP Traffic

G_W_Albrecht — Tue, 01 Nov 2022 10:43:24 GMT

Whenever possible, use the pre-defined Services including protocol handler to be safe and sure by includong SIP in IPS and TP inspection. See also sk95369: ATRG: VoIP

Re: SIP Traffic

the_rock — Tue, 01 Nov 2022 12:00:27 GMT

Those are indeed all very good questions! I recall even in old days of CP, it was tricky to make this work properly, you always had to make either IPS exceptions or change service protocol "mode". I would definitely follow link @G_W_Albrecht provided and if you get stuck, open TAC case and get it fixed.

Re: SIP Traffic

SriNarasimha005 — Tue, 01 Nov 2022 13:57:26 GMT

Hi @the_rock @G_W_Albrecht

Thanks for the reply. Can you please help me on this as I'm unable to figure this out based on the resources available.

If the protocol handler isn’t set, obviously the inspection will not do. If that’s the case, why do we need to config the IPS and inspection settings bypass the SIP traffic?

Re: SIP Traffic

the_rock — Tue, 01 Nov 2022 14:01:32 GMT

The way I would approach this in the past was always run zdebug if issue was there. So say, just making this up, you have problem with ip 1.2.3.4 and port 5060, you can do something like this from expert mode -> fw ctl zdebug + drop | grep 1.2.3.4 | grep ":5060"

That will most likely tell you where issue might be coming from. By the way, you do NOT need to config anything in IPS to bypass this, UNLESS there is clear proof that IPS is dropping it.

Makes sense?

Re: SIP Traffic

SriNarasimha005 — Tue, 01 Nov 2022 14:16:10 GMT

Hi @the_rock

Thanks mate.

Final one, when you refer to "do NOT need to config anything in IPS to bypass this, UNLESS there is clear proof that IPS is dropping it"

Shall I assume that you're suggesting using the pre-defined services (with protocol handler)?

Re: SIP Traffic

the_rock — Tue, 01 Nov 2022 14:22:40 GMT

Yes sir, good guess ; - ). technically, if you did below, it would bypass IPS.

Re: SIP Traffic

G_W_Albrecht — Wed, 02 Nov 2022 08:49:11 GMT

The best and most secure is using the pre-defined services (with protocol handler) - any bypass shall only be made if suggested by TAC!

Re: SIP Traffic

the_rock — Wed, 02 Nov 2022 11:20:56 GMT

Yes sir Gunther, very good point indeed!!

Andy