Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Participant

Sip traffic Inspection

Jump to solution

Hello,

 

I am fairly new to checkpoint. I am looking for commands or settings that will allow me to do following.

 

 

1- how can I check if sip traffic passing thru checkpoint is being inspected?

2- how can I clear a specific sip session from firewall session table?

3- How can I disable sip alg if there is any?

4- where should I check if sip packets are being dropped but it's not showing up in the logs? any command to verify packets are being dropped?

 

 

Thank you in advance.

1 Solution

Accepted Solutions
Highlighted

Hi @cp-bc123,

Point 1:

If you use service SIP UDP with protocol type SIP_UDP an inspection is always done.  This service is used to enforce signal routing. Use a VoIP Domain in the source or destination of the rule, together with this service. When this service is used, registration message are tracked and a database is maintained that includes the details of the IP phones and the users. If an incoming call is made to a Hide NATed address, Security Gateway verifies that the user exists in the SIP registration database. This can prevent DoS attacks. 

More read here: R80.x - Security Gateway Architecture (Content Inspection)

Debug the SIP Connection:-)

Principle all debug modules are possible for debugging with „fw ctl zdebug“.  „fw ctl debug -h“ shows all current kernel debugging options for modules and instances. You can use various combinations. Unfortunately, the commands are only mentioned in few SK's.  Try it out here.  I have described the most important ones above. 

# fw ctl zdebug + monitorall  | grep -A 10 -B10 "SIP"

More read here:
"fw ctl zdebug" Helpful Command Combinations

Point 2: 

Find the relevant connection entry that you would like to delete from the Connections Table. Delete the desired connection entry:

# fw tab -t connections -x -e DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL

The string DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL should NOT contain any spaces.

To learn more open the links of @G_W_Albrecht.

Point 3:

If you do not want to use the Check Point firewall as an application layer gateway, the protocol type in the service must be set to none and enable "match for any". 

Point 4:

# fw ctl zdebug drop | grep <IP of SIP device>

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

More read here:
"fw ctl zdebug" Helpful Command Combinations

 

View solution in original post

Tags (1)
2 Replies
Highlighted
Champion
Champion

1 + 3: The best document about this is sk95369: ATRG: VoIP and for the most prominent SIP issue sk65072: How to disable 'fw early SIP nat' chain / SIP inspection

2. sk65133: Connections Table Format and sk103876 - How to manually delete an entry from the Connections Table

4. # fw ctl zdebug drop > drops.txt.

 

Highlighted

Hi @cp-bc123,

Point 1:

If you use service SIP UDP with protocol type SIP_UDP an inspection is always done.  This service is used to enforce signal routing. Use a VoIP Domain in the source or destination of the rule, together with this service. When this service is used, registration message are tracked and a database is maintained that includes the details of the IP phones and the users. If an incoming call is made to a Hide NATed address, Security Gateway verifies that the user exists in the SIP registration database. This can prevent DoS attacks. 

More read here: R80.x - Security Gateway Architecture (Content Inspection)

Debug the SIP Connection:-)

Principle all debug modules are possible for debugging with „fw ctl zdebug“.  „fw ctl debug -h“ shows all current kernel debugging options for modules and instances. You can use various combinations. Unfortunately, the commands are only mentioned in few SK's.  Try it out here.  I have described the most important ones above. 

# fw ctl zdebug + monitorall  | grep -A 10 -B10 "SIP"

More read here:
"fw ctl zdebug" Helpful Command Combinations

Point 2: 

Find the relevant connection entry that you would like to delete from the Connections Table. Delete the desired connection entry:

# fw tab -t connections -x -e DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL

The string DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL should NOT contain any spaces.

To learn more open the links of @G_W_Albrecht.

Point 3:

If you do not want to use the Check Point firewall as an application layer gateway, the protocol type in the service must be set to none and enable "match for any". 

Point 4:

# fw ctl zdebug drop | grep <IP of SIP device>

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

More read here:
"fw ctl zdebug" Helpful Command Combinations

 

View solution in original post

Tags (1)