This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2019-07-23 08:35 AM
Jump to solution

SIP over TLS non standard ports

Starting a couple days ago I've been having problems with some of our video conferencing applications.

We use RP1cloud as our VC service. Normally we would see traffic on tcp5061 head out accepted. Now i'm seeing traffic dropped with the gateway as the target on non SIP ports alongside the normal traffic.

 

See non standard ports here. The drops are destined to our external IP, and accepts are to the VC cloud service:

2019-07-23_11h28_55.png

The drop logs show the following

In order to allow the inspection of encrypted SIP over TLS connections, please add the 'sip_tls_with_server_certificate' service to the relevant rule,
make sure that the 'sip_tls_authentication' service is removed from the rule and configure TLS on the corresponding SIP Server object

 

I found the following SK related to this VoIP Configuration message, however i'm unsure if it's viable for this situation:

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve... 

 

No changes have been made on the firewall between when it was and wasn't working.

 

Anyone have thoughts on the behaviour change? I'm unsure why I'm seeing the odd TCP ports being listed in the SIP_tls_authentication service.

1 Solution

Accepted Solutions
NorthernNetGuy
Advisor
‎2019-07-23 11:04 AM
Jump to solution

Pretty easy fix. I just used the predefined 'sip_tls_not_inspected' instead of 'sip_tls_authentication' and it began working.

Not sure why it suddenly stopped working unless our vendor changed to TLS encrypted SIP.

 

I'm guessing the odd TCP port range is just how the firewall logs the dropped traffic.

View solution in original post

6 Replies
NorthernNetGuy
Advisor
‎2019-07-23 11:04 AM
Jump to solution

Pretty easy fix. I just used the predefined 'sip_tls_not_inspected' instead of 'sip_tls_authentication' and it began working.

Not sure why it suddenly stopped working unless our vendor changed to TLS encrypted SIP.

 

I'm guessing the odd TCP port range is just how the firewall logs the dropped traffic.

Linus_Espach
Participant
‎2020-02-03 04:17 AM
In response to NorthernNetGuy
Jump to solution

This didnt work for me. We have the same problem here, but even if I put services to "ANY" the connection is not allowed.

Do you have a further idea?

 

Best regards

0 Kudos
NorthernNetGuy
Advisor
‎2020-02-03 04:56 AM
In response to Linus_Espach
Jump to solution

Hi Linus,

 

Any doesn't actually match for any service, only servies that are marked as being able to be matched by any.

 

If I remember correctly neither of the SIP protocols are matched by any, so you would need to specify them or modify them to be matched by any.

 

I'd recommend making a rule specifying your sip traffic. If you are seeing your SIP traffic in your logs, is it being accepted or blocked?

Linus_Espach
Participant
‎2020-02-03 05:17 AM
In response to NorthernNetGuy
Jump to solution

Hi David,

according to the documentation, the match for any should only take place, when there are more then one service, that matches the connection:

"Match for Any: Indicates whether this service is used when 'Any' is set as the rule's service and there are several service objects with the same source port and protocol."


I have also tried to use "sips_tcp_tls_noprotocol" and "sips_tcp" but without success. The log shows drops, with stating "Encrypted VoIP signaling over TCP is not allowed" and "In order to allow the inspection of encrypted SIP over TLS connections, please add the 'sip_tls_with_server_certificate' service to the relevant rule,
make sure that the 'sip_tls_authentication' service is removed from the rule and configure TLS on the corresponding SIP Server object" but there is no such service-object.
crengifo
Explorer
‎2021-04-22 09:26 AM
In response to Linus_Espach
Jump to solution

Hi Linus,

I am having the same issue. My rule uses the following services: TCP3100-33499; gsip_tls_not_inspected; gsip_any-tcp. Seeing the logs, I found that several ports are being dropped using the gsip_tls_authentication (TCP/33227) object and so on.

Any idea how to fix it?

Thanks.

jorgefarinha
Explorer
‎2020-04-03 06:44 AM
Jump to solution

It worked for me using sip_tls_not_inspected instead of sip_tls_authentication

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events