This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ob1lan
Collaborator
‎2021-04-26 05:56 AM
Jump to solution

Issues with VoIP in one of our office

Hi,

So we have one of our office which is connected to our other offices via S2S VPN. They have a Check Point 1530 running R80.20.05.

Their VoIP provider installed a server on the LAN, and it communicated with the trunk that is outside our network.

Enclosed  are the NAT rules created for them (where x.SIP.SERVER is the local device, VoIP_1x is the provider's device on internet and LU-xx-WAN-IP is our firewall's WAN IP).

The problem explained by our SIP provider, along with a suggestion :

Currently, if a call start ringing and the other party answer after more than 30 sec, the sip 200 OK is blocked by your router and the call is cancelled after 30 sec.

Could you increase udp conntrack timeout. I guess it's now setup to 30sec.
on linux, this is :
net.netfilter.nf_conntrack_udp_timeout = 30

net.netfilter.nf_conntrack_udp_timeout_stream = 180

If you could set it to 180 sec, this should be fine.

 

Do you happen to know what needs to be done on our Check Point firewall to solve their issue ?

Thanks in advance for your help

Preview file
27 KB
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2021-05-03 05:10 AM
In response to Ob1lan
Jump to solution

That is even easier - in this case, you can change this in the (duplicated) service itself that is used on the GW !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2021-04-28 09:21 AM
Jump to solution

I'm assuming the analog to this would be the virtual UDP Timeout (which is 40 seconds).
This is set in Global Properties > Stateful Inspection

G_W_Albrecht
Legend Legend
Legend
‎2021-04-30 01:19 AM
In response to PhoneBoy
Jump to solution

Check Point 1530 locally managed has it as Advanced Settings > Stateful Inspection - UDP virtual session timeout

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ob1lan
Collaborator
‎2021-05-03 03:02 AM
In response to G_W_Albrecht
Jump to solution

Unfortunately, this is centrally managed, so I don't have that setting in the list.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-05-03 05:10 AM
In response to Ob1lan
Jump to solution

That is even easier - in this case, you can change this in the (duplicated) service itself that is used on the GW !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ob1lan
Collaborator
‎2021-05-04 01:47 AM
In response to G_W_Albrecht
Jump to solution

Aahh ! I completely forgot about this ! Thanks for reminding me ! Indeed I can set a specific value for the Virtual session timeout from the service object itself 🙂

Screenshot 2021-05-04 at 10.45.55.png

Thanks a lot !!

0 Kudos
Ob1lan
Collaborator
‎2021-05-03 03:03 AM
In response to PhoneBoy
Jump to solution

Indeed, that was my guess, however changing that value from there will impact all our gateways (40+ worldwide). 

I wish there was an option to change the value only for that specific gateway...

0 Kudos
the_rock
Legend
Legend
‎2021-04-28 10:04 AM
Jump to solution

Hm, as phoneboy said you can chanhe the timeout settings, but question is really do you see any drops on the CP firewall  at all? 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events