- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Why do Hackers Love IoT Devices so Much?
Join our TechTalk on Aug 17, at 5PM CET | 11AM EST
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix! 
All Videos In One Space
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
How do we disable NAT on SIP and SDP payloads, when using NAT? The ATRG: VoIP documentation states the following:
We're running Asterisk with ICE (Interactive Connectivity Establishment), which essentially provides multiple candidates in INVITE or SDP negotiation messages, where each is an IP and port combination. It discovers the public candidates by connecting to STUN servers on the public internet.
Why would we not want the security gateway to NAT the payload?
We intend on using Bria Stretto as a mobile SIP application. The app works perfectly in all environments, when in the foreground and subsequently registered directly to our office SIP server. The problem we're having is when the app is in the background, becoming completely inactive. Public SIP servers operated by CounterPath essentially register in place of the mobile and send a wake-up push notification when they receive a call. The push appears to provide the app with a copy of the original invite, so it should receive both the higher priority ICE host candidates as well as the lower priority server reflexive (natted IP and port) candidates.
The problem with the Check Point overwriting the SIP and SDP payload is that a mobile device connected to either private cellular APN or corporate WiFi will exclusively be provided with the public IP and results in one way audio. Everything works perfectly when the mobile is using LTE or natted through a home WiFi network.
What we're after:
We would simply like the Check Point to continue applying a NAT policy to the headers but leave the SIP and SDP payloads alone. This is typically accomplished by simply turning off SIP ALG processing.
Sample packet leaving SIP server towards CounterPath's public push servers:
Sample packet after NAT processing by Check Point:
We have not had success in following the following recommendations. Both of these however appear to apply to cases where threat prevention policies were blocking packets, not the Check Point simply natting packets like any other UDP packet and leaving the payload alone:
- How to disable SIP ALG inspection in a specific rule in Checkpoint? Also Could this be done globally...
- Tried disabling SIP inspection
fw ctl set int voip_multik_enable_forwarding 0
echo voip_multik_enable_forwarding=0 >> $FWDIR/boot/modules/fwkern.conf
The following is an excellent summation of the ICE protocol:
1 Solution
Accepted Solutions
I hope I understand your problem!
If the following setting "fw ctl set int voip_multik_enable_forwarding 0" does not work, you still have the following option.
If you want to disable NAT in SIP content, you can also set the protocol type in SIP service TCP to "none". This should also disable the SPI inspection. Therefore no PSL should be used in the F2F path or no PXL should be used in the medium path. This means that the passive streaming library is no longer used. So no SIP packet is manipulated anymore. You can find out more about PSL/PXL here R80.x Security Gateway Architecture (Logical Packet Flow)or here https://community.checkpoint.com/docs/DOC-3073-r80x-security-gateway-architecture-content-inspection.
The problem is that the negotiated RTP ports are no longer written to the state table. So you have to allow all RTP UDP high ports in a rule.
I hope I understand your problem!
If the following setting "fw ctl set int voip_multik_enable_forwarding 0" does not work, you still have the following option.
If you want to disable NAT in SIP content, you can also set the protocol type in SIP service TCP to "none". This should also disable the SPI inspection. Therefore no PSL should be used in the F2F path or no PXL should be used in the medium path. This means that the passive streaming library is no longer used. So no SIP packet is manipulated anymore. You can find out more about PSL/PXL here R80.x Security Gateway Architecture (Logical Packet Flow)or here https://community.checkpoint.com/docs/DOC-3073-r80x-security-gateway-architecture-content-inspection.
The problem is that the negotiated RTP ports are no longer written to the state table. So you have to allow all RTP UDP high ports in a rule.
Many thanks for your suggestion, your explanation does make sense but it's unfortunately not working.
We're running MDS so the global 'sip-tcp' object can not be edited or disabled. We have already created a replacement sip_tcp object and configured it not to reference a protocol. The security gateway has additionally been set to disable voip_multik_enable_forwarding. These steps were detailed in How to disable SIP ALG inspection in a specific rule in Checkpoint? Also Could this be done globally....
Herewith snippets showing the custom service object for SIP TCP:
Herewith snippets showing the custom service object for SIP UDP:
Searching for 'where used' on the default global objects shows no reference to these in the policies:
Hrm... Restarted the security gateway and it's now working. Packet capture after the Check Point NAT shows it behaving as we want it to:
