Does Check Point support ALG for NAT?
Hello,
WhatsApp calls use WebRTC (STUN/ICE/TURN). A call is established using public IP addresses (the phones are behind a Hide NAT), but once the call is established the communication is P2P using the phones' private IP addresses.
Is there any way on a Check Point Gateway (like ALG support) to NAT the WebRTC or SIP body (payload) and force the phones to use their public addresses instead of the private ones?
In other words: does Check Point support alteration of the WhatsApp messages to replace the internal IP with the public IP?
Check Point can do this for SIP if appropriately configured and SIP-TLS isn't being used.
Refer to the following docs for more info: VoIP R77 Versions Administration Guide
I make and receive calls using WhatsApp all the time from behind Check Point gateways performing Hide NAT without any issues.
What rule(s) do you have in place to allow outbound traffic?
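The SIP case mentioned in the reply above, as an added example that is not part of the original thread and is not Check Point's code: a simplified Python sketch of the payload rewrite a SIP ALG performs on cleartext SIP, and why it has nothing to rewrite once the payload is a TLS record. The function names, the trimmed INVITE and the addresses are constructed for illustration; port translation and media pinholes are out of scope.

```python
import re

def is_tls_record(payload: bytes) -> bool:
    # TLS record header: content type 20-23 followed by major version byte 0x03.
    return len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3

def alg_rewrite_sip(message: bytes, private_ip: str, public_ip: str) -> bytes:
    """Swap private_ip for public_ip in SIP headers and SDP body, then fix Content-Length."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete SIP message")
    # Match the address as a whole token so 192.168.1.20 does not hit 192.168.1.200.
    addr = re.compile(rb"(?<![\d.])" + re.escape(private_ip.encode()) + rb"(?![\d.])")
    pub = public_ip.encode()
    body = addr.sub(pub, body)
    head = addr.sub(pub, head)
    # The body length changed with the address, so the header must be recomputed.
    length = str(len(body)).encode()
    head = re.sub(rb"(?im)^(Content-Length|l)([ \t]*:[ \t]*)\d+",
                  lambda m: m.group(1) + m.group(2) + length, head)
    return head + sep + body

def alg_process(payload: bytes, private_ip: str, public_ip: str) -> bytes:
    first_line = payload.split(b"\r\n", 1)[0]
    if is_tls_record(payload) or b"SIP/2.0" not in first_line:
        return payload  # encrypted or not SIP: the gateway sees no addresses to rewrite
    return alg_rewrite_sip(payload, private_ip, public_ip)

# Constructed sample: a trimmed INVITE with an RFC 1918 address in Via, Contact and SDP.
SAMPLE_SDP = (b"v=0\r\no=alice 1 1 IN IP4 192.168.1.20\r\ns=-\r\n"
              b"c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
SAMPLE_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
                 b"Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
                 b"Contact: <sip:alice@192.168.1.20:5060>\r\n"
                 b"Content-Type: application/sdp\r\n"
                 b"Content-Length: " + str(len(SAMPLE_SDP)).encode()
                 + b"\r\n\r\n" + SAMPLE_SDP)

if __name__ == "__main__":
    print(alg_process(SAMPLE_INVITE, "192.168.1.20", "203.0.113.7").decode())
```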
Thanks Dameon,
WhatsApp calls go fine. But as the communication uses the mobiles' private IP addresses (when they are in the same subnet, because of WebRTC), the communication only goes through the switching, so ISPs can't do accounting over this traffic.
It's possible WhatsApp uses SIP/TLS and implements certificate pinning in their client.
In which case, there may not be a lot you can do here.
That said, it's a use case I hadn't considered before.
