Voice connection through Firewall
Hi,
If I have a new Check Point firewall in a remote site with only 1 rule (internal network) to ANY, Allow. (only the firewall blade is enabled, all other blades are inactive). This new connection is exclusively for VoIP connectivity to a cloud phone service. Are there any recommended or best practice rules/settings/or global properties to maximize reliability on this connection? I need to ensure that any packets destined to the 8x8 phone cloud do not get slowed or interrogated by any mechanism that might disrupt audio quality/reliability.
We're getting some complaints in the current configuration on call quality and reliability.
Regards,
Gaurav Pandya
It sounds like you've got a pretty straightforward setup. I'd bet that the firewall is not to blame and something else is causing the issue provided the device is not overloaded. You can always check Tracker to see if there are any drops during the outage period.
What version of firewall code are you running? On R77.30 all VoIP traffic can only be inspected by the lead Firewall Worker core (fw_0 - usually the highest CPU number). If you have IPSec VPN traffic present, it can only be processed on that same core as well for R77.30.
On R80.10 gateway IPSec VPN traffic can be processed on multiple Firewall Worker cores, but I don't recall any mention of VoIP inspection improvements in R80.10 gateway, so I assume the single-core VoIP inspection limitation still exists in that release. Edit: CoreXL known limitations (sk61701) states that the VoIP single-core limitation only applies in R77.30 and lower.
--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon
March 27th with sessions for both the EMEA and Americas time zones
Hi,
The version is R77.30 and there is no IPSec VPN. It is a simple rule. However, there are no complaints from users now.
This is an intermittent issue.
You can troubleshoot past or intermittent performance issues by running cpview in historical mode with -t, looking at sar history with -f, and by looking in dmesg/syslog. An entirely new chapter in the upcoming Second Edition of my book covers this exact situation, explores the granularity limitations of those tools, and which one is preferred in certain situations.
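An added example, not from any poster in this thread: one way to use the `sar -f` history mentioned above to check whether a single core (such as the one running fw_0 on R77.30) was saturated during the complaint window. The function name `busy_cores`, the 90% threshold, the sample rows and the `/var/log/sa/sa<DD>` path are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# busy_cores THRESHOLD
# Reads `sar -P ALL` text output on stdin and prints "time cpuN busy%" for each
# per-core sample whose utilisation (100 - %idle) is at or above THRESHOLD.
# Assumed usage on the gateway (path is the usual sysstat default, verify locally):
#   LC_ALL=C sar -P ALL -f /var/log/sa/sa<DD> | busy_cores 90
busy_cores() {
  awk -v thr="$1" '
    # Header row: record which fields hold the CPU id and %idle, so the
    # parser works with both 24-hour and AM/PM timestamp layouts.
    /%idle/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "CPU")   c = i
        if ($i == "%idle") d = i
      }
      next
    }
    # Data row for one core: skip the "all" aggregate and the Average: footer.
    c && $1 != "Average:" && $c ~ /^[0-9]+$/ {
      busy = 100 - $d
      if (busy >= thr) printf "%s cpu%s %.1f\n", $1, $c, busy
    }'
}

# Constructed sample (not real gateway data): four cores, with cpu3 standing
# in for the core that runs fw_0. The aggregate "all" row looks healthy while
# cpu3 alone is pinned, which is the pattern a single-core limit produces.
SAMPLE='10:10:01  CPU  %user  %nice  %system  %iowait  %steal  %idle
10:20:01  all   9.10   0.00   18.40    0.10    0.00   72.40
10:20:01    0   2.00   0.00    4.00    0.00    0.00   94.00
10:20:01    1   2.50   0.00    4.50    0.00    0.00   93.00
10:20:01    2   3.00   0.00    7.00    0.00    0.00   90.00
10:20:01    3  18.50   0.00   40.00    0.00    0.00   41.50
10:30:01  all   8.00   0.00   23.00    0.10    0.00   68.90
10:30:01    0   2.00   0.00    5.00    0.00    0.00   93.00
10:30:01    1   2.00   0.00    6.00    0.00    0.00   92.00
10:30:01    2   3.00   0.00    8.40    0.00    0.00   88.60
10:30:01    3  25.00   0.00   71.80    0.00    0.00    3.20
10:40:01  all   8.20   0.00   22.50    0.10    0.00   69.20
10:40:01    3  24.00   0.00   71.00    0.00    0.00    5.00
Average:  all   8.40   0.00   21.30    0.10    0.00   70.20'

# Show which samples in the constructed data crossed the threshold.
printf '%s\n' "$SAMPLE" | busy_cores 90
```

Which CPU number actually hosts fw_0 should be confirmed on the gateway before reading the result, since the thread only says it is usually the highest one.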
