Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Voice connection through Firewall

Hi,

If I have a new checkpoint firewall in a remote site with only 1 rule (internal network) to ANY, Allow. (only the firewall blade is enabled, all other blades are inactive). This new connection is exclusively for VoIP connectivity to a cloud phone service. Is there any recommend or best practice rules/settings/or global properties to maximize reliability on this connection? I need to ensure that any packets destined to the 8x8 phone cloud does not get slowed or interrogated by any mechanism that might disrupt audio quality/reliability.

 We're getting some complaints in the current configuration on call quality and reliability.

Regards,

Gaurav Pandya

0 Kudos
4 Replies
Highlighted

It sounds like you've got a pretty straightforward setup. I'd bet that the firewall is not to blame and something else is causing the issue provided the device is not overloaded. You can always check Tracker to see if there are any drops during the outage period.

0 Kudos
Highlighted

What version of firewall code are you running?  On R77.30 all VoIP traffic can only be inspected by the lead Firewall Worker core (fw_0 - usually the highest CPU number), if you have IPSec VPN traffic present it can only be processed on that same core as well for R77.30. 

On R80.10 gateway IPSec VPN traffic can be processed on multiple Firewall Worker cores, but I don't recall any mention of VoIP inspection improvements in R80.10 gateway, so I assume the single-core VoIP inspection limitation still exists in that release.  Edit: CoreXL known limitations (sk61701) states that the VoIP single-core limitation only applies in R77.30 and lower.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted

Hi,

Version is R77.30 and there is no IPSEC VPN. It is simple rule. However now there is not any complains from users.

This is intermittent issue.

0 Kudos
Highlighted

You can troubleshoot past or intermittent performance issues by running cpview in historical mode with -t, looking at sar history with -f, and by looking in dmesg/syslog.  An entirely new chapter in the upcoming Second Edition of my book covers this exact situation, explores the granularity limitations of those tools, and which one is preferred in certain situations.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos