Gaurav_Pandya
Advisor

Voice connection through Firewall

Hi,

If I have a new Check Point firewall in a remote site with only 1 rule (internal network) to ANY, Allow (only the firewall blade is enabled, all other blades are inactive). This new connection is exclusively for VoIP connectivity to a cloud phone service. Are there any recommended or best practice rules, settings, or global properties to maximize reliability on this connection? I need to ensure that any packets destined to the 8x8 phone cloud do not get slowed or interrogated by any mechanism that might disrupt audio quality/reliability.

We're getting some complaints in the current configuration on call quality and reliability.

Regards,

Gaurav Pandya

0 Kudos
4 Replies
Alejandro_Mont1
Collaborator

It sounds like you've got a pretty straightforward setup. I'd bet that the firewall is not to blame and something else is causing the issue provided the device is not overloaded. You can always check Tracker to see if there are any drops during the outage period.

0 Kudos
Timothy_Hall
Legend

What version of firewall code are you running? On R77.30 all VoIP traffic can only be inspected by the lead Firewall Worker core (fw_0 - usually the highest CPU number); if you have IPSec VPN traffic present, it can only be processed on that same core as well for R77.30.

On R80.10 gateway IPSec VPN traffic can be processed on multiple Firewall Worker cores, but I don't recall any mention of VoIP inspection improvements in R80.10 gateway, so I assume the single-core VoIP inspection limitation still exists in that release.  Edit: CoreXL known limitations (sk61701) states that the VoIP single-core limitation only applies in R77.30 and lower.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Gaurav_Pandya
Advisor

Hi,

Version is R77.30 and there is no IPSEC VPN. It is a simple rule. However, now there are not any complaints from users.

This is an intermittent issue.

0 Kudos
Timothy_Hall
Legend

You can troubleshoot past or intermittent performance issues by running cpview in historical mode with -t, looking at sar history with -f, and by looking in dmesg/syslog.  An entirely new chapter in the upcoming Second Edition of my book covers this exact situation, explores the granularity limitations of those tools, and which one is preferred in certain situations.

0 Kudos
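
Added example, not part of the original thread: a small parser for the text output of `sar -P ALL -f <file>` that flags intervals where a single core is saturated while the others stay idle, the pattern the R77.30 single-core VoIP inspection limit described above would produce. The sample data, function names and both thresholds are assumptions made for this illustration; mapping the flagged CPU number to fw_0 still has to be checked on the gateway itself.

```python
from collections import defaultdict

# Constructed sample of `sar -P ALL -f <file>` text output (not from the thread).
SAMPLE = """\
Linux 2.6.18 (gw-remote)   01/01/2024

10:00:01     CPU   %user   %nice %system %iowait  %steal   %idle
10:10:01     all    2.00    0.00    6.00    0.00    0.00   92.00
10:10:01       0    2.00    0.00    6.00    0.00    0.00   92.00
10:10:01       1    1.00    0.00    5.00    0.00    0.00   94.00
10:10:01       2    3.00    0.00    7.00    0.00    0.00   90.00
10:20:01     all    1.67    0.00   34.66    0.00    0.00   63.67
10:20:01       0    2.00    0.00    6.00    0.00    0.00   92.00
10:20:01       1    1.00    0.00    3.00    0.00    0.00   96.00
10:20:01       2    2.00    0.00   95.00    0.00    0.00    3.00
10:30:01     all   20.00    0.00   75.00    0.00    0.00    5.00
10:30:01       0   20.00    0.00   75.00    0.00    0.00    5.00
10:30:01       1   19.00    0.00   75.00    0.00    0.00    6.00
10:30:01       2   21.00    0.00   75.00    0.00    0.00    4.00
Average:     all    7.89    0.00   38.55    0.00    0.00   53.56
"""

def parse_sar(text):
    """Return {timestamp: {cpu: busy_pct}} from `sar -P ALL` text output."""
    samples, cpu_col, idle_col = defaultdict(dict), None, None
    for line in text.splitlines():
        tok = line.split()
        if "CPU" in tok and "%idle" in tok:      # column header row
            cpu_col, idle_col = tok.index("CPU"), tok.index("%idle")
            continue
        if cpu_col is None or len(tok) <= idle_col or tok[0] == "Average:":
            continue                             # banner, blank, restart, summary
        if tok[cpu_col].isdigit():               # skip the "all" rollup rows
            samples[" ".join(tok[:cpu_col])][tok[cpu_col]] = round(100.0 - float(tok[idle_col]), 2)
    return samples

def single_core_hotspots(text, busy_min=90.0, gap_min=40.0):
    """Intervals where one core is pegged and the rest are comparatively idle."""
    hits = []                                    # thresholds are illustrative assumptions
    for ts, cores in parse_sar(text).items():
        if len(cores) < 2:
            continue
        top = max(cores, key=cores.get)
        rest = [busy for cpu, busy in cores.items() if cpu != top]
        rest_mean = round(sum(rest) / len(rest), 2)
        if cores[top] >= busy_min and cores[top] - rest_mean >= gap_min:
            hits.append((ts, top, cores[top], rest_mean))
    return hits
```

In the sample, the 10:30:01 interval is not flagged because every core is busy there, which points at overall load rather than a single-core bottleneck.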