topic Re: VOIP question in Firewall and Security Management

VOIP question

the_rock — Wed, 02 Apr 2025 17:43:32 GMT

Hey guys,

Just wondering if someone can clarify this for me and if it is expected because maybe of service (sip) used?

So, customer has setup as example 7-1 in below sk and all works fine, no issus, BUT, rather than bi-directional rule, they have 2 separate ones and randomly, logs that should show for rule 9, show for rule 10 and other way around.

Is that expected? We even ran fw up_execute and shows right rule)s).

Thoughts?

https://support.checkpoint.com/results/sk/sk95369

Tx as always!

Andy

Re: VOIP question

Lesley — Wed, 02 Apr 2025 18:02:34 GMT

I suspect that sometimes the traffic hits the VOIP handler (SIP service) and other times the other defined port. If you could share screenshot of the rules I can check it.

Re: VOIP question

the_rock — Wed, 02 Apr 2025 18:04:28 GMT

Yep, will ask customer for it.

Andy

Re: VOIP question

the_rock — Wed, 02 Apr 2025 19:43:53 GMT

Here it is.

Andy

Re: VOIP question

Lesley — Thu, 03 Apr 2025 08:14:25 GMT

Ah in this way. The my first comment is not relevant.

Is it not because of this:

Security rules can be defined that allow bidirectional calls, or only incoming or outgoing calls.

So if traffic hits rule 9 it is an incomming call and rule 10 an outgoing call? Do you see something like this in the logs?

I would not recommend to put it all in one rule. Because then you open traffic between the subnets.

What if you make new rules like below? Then it is still secure and you follow the recommended steps in the guide:

Source:
HQ-Voice
BTC-Edgemark-HQ
Destination:
HQ-Voice
BTC-Edgemark-HQ

sip-tcp
sip

Source:
DR_VOICE-VLAN
BTC-Edgemark-HQ
Destination:
DR_VOICE-VLAN
BTC-Edgemark-HQ

sip-tcp
sip

etc

Re: VOIP question

the_rock — Thu, 03 Apr 2025 10:40:50 GMT

Hey @Lesley

I definitely asked them to try, lets see. Do you think though doing it this way would be any different?

Andy

Re: VOIP question

the_rock — Thu, 03 Apr 2025 12:14:46 GMT

Btw, spoke with my colleague about this and we asked them to see if they can verify 2 things (well verify 1 and do the 2nd one if willing)

1) Check if there is an updates smart console to install

2) If they are willing to install latest jumbo 99 for mgmt ONLY, as I recall seeing people mention about display logs issue via smart console, just cant recall what take it was fixed it

Andy

Re: VOIP question

Lesley — Thu, 03 Apr 2025 20:39:09 GMT

Not sure we have to try. Because the documentation is very specific about it.

Re: VOIP question

Lesley — Thu, 03 Apr 2025 20:41:53 GMT

Can be done quick, would give this a try. Only log issue I have seen that the interface direction in a log entry was incorrect due bug. Have not seen the issue with rules. This was bug ID:

PRJ-47984,
PRHF-29667

Logging

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

What version / take you have active now? can give a quick look. Share please gw and mgmt

Re: VOIP question

the_rock — Thu, 03 Apr 2025 21:43:31 GMT

Its on R81.20 just cant recall jumbo now, as we dont manage their equipment.

Andy

Re: VOIP question

the_rock — Fri, 04 Apr 2025 23:47:39 GMT

Hey guys,

Just to update on this, spoke with TAC on unrelated case and asked them this question and lady said it is purely cosmetic, but its fixed if jumbo 99 installed on the mgmt, which is what we suggested to the customer.

Cheers,

Andy