ALG in Checkpoint R80.10

LostBoY · ‎2020-02-19

Hello,

I have been asked by the voice team to check whether ALG is disabled or enabled in my CP GW. I went through a few post in the forums but i am unable to completely understand the concept of ALG. What exactly ALG used for ? How can i disable or enable ALG..steps to do so.If it is disabled what other functions or services can it impact ?

Thanks.

PhoneBoy · ‎2020-02-19

Do you have any rules in your Access Policy where the service explicitly includes something like SIP or H.323?

LostBoY · ‎2020-02-20

Yes ..i do have a couple of rules for voice communication using SIP

PhoneBoy · ‎2020-02-20

When you use the predefined SIP service explicitly in the rulebase, you are invoking specific protocol handlers which act as a sort of an ALG.
(ALG is "Application Layer Gateway" for those who don't know)
So the answer is "yes."
If you want to disable it, then you need to replace the pre-defined SIP service with manual rules to allow the specific traffic.

Note if you're using a significant amount of SIP across your gateway, the use of R80.40 is recommended.
This is because our inspection of SIP will now utilize all the cores in your Security Gateway (in previous releases it uses only one core, which can create performance issues).

LostBoY · ‎2020-02-21

Thanks for the reply.. the issue we are encountering is that the Cube is located in the inside zone of Checkpoint so when it initiates a SIP or SPD it generates traffic via a LAN IP ..that IP gets translated to WAN via configured NAT rules ..but on the other side we notice that the Payload is not translated and is showing the LAN IP... is ALG required to support this translation ?

PhoneBoy · ‎2020-02-21

Part of our SIP handling should handle NAT as well, assuming it's not SIP-TLS.
In any case, it's worth a TAC case to troubleshoot it.

LostBoY · ‎2020-02-24

Initiated a TCP dump and i am unable to see any SIP invite packets coming to the interface when the call is initiated.. looks like SIP-TLS is being used here .. CP does not support SIP-TLS ? i mean if encrypted traffic is coming in CP cant modify the SDP payload i assume... have raised a TAC case too

PhoneBoy · ‎2020-02-24

In order to perform this sort of inspection, we would have to "man in the middle" the TLS negotiation similar to what we can do for HTTPS traffic.
We do not do that for SIP traffic currently, which means we cannot see (or translate) the SIP negotiations when NAT is involved.

Kyle_Roberts · ‎2020-04-17

Just wanted to pop in and say thank for for this!

we use Jive's hosted voice and their network test was stating that 3 of our sites had SIP ALG enabled.

turns out we had a rule that was using the built in SIP service. disabling that and it appears to have resolved this issue.

thanks!

Julian_Sanchez · ‎2020-11-12

I am agree with you, and I have used this solutions. I have created a new service UDP 5060 withoutu protocol and selected match for any and works in the rules

However, I was reading another article and I would like to know what is the risk for disable SIP ALG by creating an exception for Block SIP Early Media on this inspection setting?

Are you a member of CheckMates?

ALG in Checkpoint R80.10