This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cp-bc123
Participant
‎2019-10-16 07:00 AM
Jump to solution

Sip traffic Inspection

Hello,

 

I am fairly new to checkpoint. I am looking for commands or settings that will allow me to do following.

 

 

1- how can I check if sip traffic passing thru checkpoint is being inspected?

2- how can I clear a specific sip session from firewall session table?

3- How can I disable sip alg if there is any?

4- where should I check if sip packets are being dropped but it's not showing up in the logs? any command to verify packets are being dropped?

 

 

Thank you in advance.

2 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2019-10-16 07:49 AM
Jump to solution

1 + 3: The best document about this is sk95369: ATRG: VoIP and for the most prominent SIP issue sk65072: How to disable 'fw early SIP nat' chain / SIP inspection

2. sk65133: Connections Table Format and sk103876 - How to manually delete an entry from the Connections Table

4. # fw ctl zdebug drop > drops.txt.

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-16 11:15 AM
Jump to solution

Hi @cp-bc123,

Point 1:

If you use service SIP UDP with protocol type SIP_UDP an inspection is always done.  This service is used to enforce signal routing. Use a VoIP Domain in the source or destination of the rule, together with this service. When this service is used, registration message are tracked and a database is maintained that includes the details of the IP phones and the users. If an incoming call is made to a Hide NATed address, Security Gateway verifies that the user exists in the SIP registration database. This can prevent DoS attacks. 

More read here: R80.x - Security Gateway Architecture (Content Inspection)

Debug the SIP Connection:-)

Principle all debug modules are possible for debugging with „fw ctl zdebug“.  „fw ctl debug -h“ shows all current kernel debugging options for modules and instances. You can use various combinations. Unfortunately, the commands are only mentioned in few SK's.  Try it out here.  I have described the most important ones above. 

# fw ctl zdebug + monitorall  | grep -A 10 -B10 "SIP"

More read here:
"fw ctl zdebug" Helpful Command Combinations

Point 2: 

Find the relevant connection entry that you would like to delete from the Connections Table. Delete the desired connection entry:

# fw tab -t connections -x -e DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL

The string DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL should NOT contain any spaces.

To learn more open the links of @G_W_Albrecht.

Point 3:

If you do not want to use the Check Point firewall as an application layer gateway, the protocol type in the service must be set to none and enable "match for any". 

Point 4:

# fw ctl zdebug drop | grep <IP of SIP device>

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

More read here:
"fw ctl zdebug" Helpful Command Combinations

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

2 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-10-16 07:49 AM
Jump to solution

1 + 3: The best document about this is sk95369: ATRG: VoIP and for the most prominent SIP issue sk65072: How to disable 'fw early SIP nat' chain / SIP inspection

2. sk65133: Connections Table Format and sk103876 - How to manually delete an entry from the Connections Table

4. # fw ctl zdebug drop > drops.txt.

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-16 11:15 AM
Jump to solution

Hi @cp-bc123,

Point 1:

If you use service SIP UDP with protocol type SIP_UDP an inspection is always done.  This service is used to enforce signal routing. Use a VoIP Domain in the source or destination of the rule, together with this service. When this service is used, registration message are tracked and a database is maintained that includes the details of the IP phones and the users. If an incoming call is made to a Hide NATed address, Security Gateway verifies that the user exists in the SIP registration database. This can prevent DoS attacks. 

More read here: R80.x - Security Gateway Architecture (Content Inspection)

Debug the SIP Connection:-)

Principle all debug modules are possible for debugging with „fw ctl zdebug“.  „fw ctl debug -h“ shows all current kernel debugging options for modules and instances. You can use various combinations. Unfortunately, the commands are only mentioned in few SK's.  Try it out here.  I have described the most important ones above. 

# fw ctl zdebug + monitorall  | grep -A 10 -B10 "SIP"

More read here:
"fw ctl zdebug" Helpful Command Combinations

Point 2: 

Find the relevant connection entry that you would like to delete from the Connections Table. Delete the desired connection entry:

# fw tab -t connections -x -e DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL

The string DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL should NOT contain any spaces.

To learn more open the links of @G_W_Albrecht.

Point 3:

If you do not want to use the Check Point firewall as an application layer gateway, the protocol type in the service must be set to none and enable "match for any". 

Point 4:

# fw ctl zdebug drop | grep <IP of SIP device>

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

More read here:
"fw ctl zdebug" Helpful Command Combinations

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top