Dassl95
Participant

Checkpoint Security Gateway R82.10 // Local PBX Issues with RTP Traffic

Hey guys,

I urgently need your help with the following case.

We have implemented a new Check Point Security Gateway R82.10 for our customer. Now we are experiencing issues with inbound and outbound VoIP RTP traffic. The customer is using a local Mitel PBX. The SIP trunk is working without any issues.

The gateway is located behind a Fritzbox 7590 router with an exposed host configured directly to the gateway. It is not possible to remove the Fritzbox because the ISP requires PPPoE.

The following screenshots show the current firewall rules. We have already tried allowing the service "ANY" and "SIP_ANY", but the issue persists.

What do we need to do to fix this as soon as possible? Is there any best practice for handling RTP traffic with Check Point?

I am looking forward to your response.

Cheers,
Dustin

8 Replies
RS_Daniel
Advisor

Hello,

The first thing to do is read sk95369. You must meet all the configurations the SK mentions to be in a supported scenario; anything else could cause issues. Check which scenario matches yours in section 5 and then configure the relevant security rules from section 6. In the SK you can also find a troubleshooting section.

From what you describe you match the Proxy to Proxy scenario, but a full topology for your VoIP deployment would be needed to be sure and get all the details. Anyway, are you using NAT at some point?

Regards

0 Kudos
CaseyB
Advisor

You might want to review this thread; it was helpful for one of our SIP issues.

https://community.checkpoint.com/t5/Firewall-and-Security-Management/The-source-port-of-the-SIP-prot... 

0 Kudos
PhoneBoy
Admin

You do realize we support PPPoE, right?

0 Kudos
Lesley
MVP Gold

More info would help:

- What are the symptoms? No audio? No ringtone? Calls work for the first 5 seconds? What if you disable SecureXL? Any dropped traffic? Maybe on the CLI you see something: fw ctl zdebug + drop

Check also: Does Check Point support RTSP over UDP? sk41548

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Dassl95
Participant

Hi Lesley,

thanks for your help!

We get no audio inbound or outbound. With fw ctl zdebug + drop I can't see any drops.

sk41548 // We are using Smart 1 Cloud

SecureXL is currently active. Shall I deactivate it permanently?

Thanks a lot!

0 Kudos
emmap
MVP Gold CHKP

CP Gateways require SXL to run properly, you should never disable it permanently. Disabling it as a test to see if it affects things is a valid troubleshooting step, but if the situation improves with it disabled that just means there's an issue with SXL that needs fixing (probably via a TAC case). You still need to turn it back on again.

0 Kudos
Lesley
MVP Gold

This is correct; now it is even difficult to fully disable SecureXL. There are many SKs around for voice issues. Try to follow some of those and share the results here. Currently the info is too little to give a direction.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
PhoneBoy
Admin

What disabling SecureXL does these days is prevent new connections from being templated and moved into the accelerated path.

0 Kudos
