It is a nice solution!

But it works!

THX

Afri

Is it correct to drop the rtp packets to the provider?

It is voodoo

Regards

Hanko

Yes, it is VoIP Voodoo! 

It is correct! You need a drop rule!

Regards

Heiko

We have the same problem in Switzerland. Couldn't use the 1400 appliance for VoIP and used the 3000 appliance.
Blocking outgoing RTP packets has been helpful for us.

THX
Levin

This solution solves our issue.

Nice voodoo hack.

Regards

Joerg

Check Point not VooDoo:-)

Yes, it solves pur issues.

thx

Hi,

Heiko Ankenbrand Thanks for the tip much appreciated, after following the article we can get inbound call working with two way audio on a CP1430 appliance, however outbound audio does not work at all (appears the call is established), had quite a few CP tech's take a look but no real progress, does anyone have any ideas? Any help would be much appreciated.

MM

This hack works fine!

THX

This solution  works fine.

THX

Kai

What is the UDP High Port range mentioned that we create the service for in the 600/1000/1200/1400 firewall?  Which port numbers should we be using?

We are having one-way audio issues with a Cisco CUCM environment immediately after upgrading our 5600 series cluster from R77.30 to R80.20 a couple of days ago.  We have an open support case with CheckPoint support on this matter so still working through the issue.  

Our scenario is that we don't traverse the PSTN traffic through our primary 5600 cluster; all Phone traffic is internal with the exception we have 4 small remote offices that we extend our network to.  The remote offices are 600 series models.  The only devices on the remote side are 1-2 PCs and a couple of Cisco 7900 series phones at each location.  

Because of the VPN, we see a lot of encrypt and decrypt messages in the smart logs.  When issuing the fw ctl zdebug drop command, we aren't seeing 'like fwconn_key_init_links (INBOUND)' messages or similar.

Is it likely this fix would apply to my scenario where the Call routing and call control are housed behind the 5600 cluster?  

What if the problem is OUTBOUND?

I have a centrally managed 1430 with two phones behind it. The whole network that the phones are on is hidden behind the appliance. The first phone to register functions normally but the second one does not perform NAT on SIP payload packets. The following message appears on fw ctl zdebug drop: 

dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;

The GW object in SmartConsole has the interfaces correctly defined, I have tried adding the GW in the destination column of the allow rule for the SIP traffic (some SK suggested this) and the SIP protocols are defined without specific protocol, accept replies and 'match for any'.

I cannot figure out a solution for this. It just suddenly stopped working after all being good for ages.
The appliance runs on R77.20.85 - Build 751

I also had issues with VoIP (no Audio) on my 1530 FW, but once I set either:
URL Filtering only

or

On but without "Block security risk categories"

it works flawlessly!!

I thought "Block security risk categories" was based on URL filtering?

Marc

We have same issue, sip traffic works fine on R77 but now we moved traffic to R80.20 HF 141 it stopped working. Our internal edge servers with 10.10.x.x going out to (cloud) internet. So 10.10.x.x hide nat with public IP. so our Internal firewall has rule source:10.10.x.x dest: internet ports: sip 5060, 5061, udp-16384-32768. Source IP hide Nat 150.1.1.1 and our external firewall open rule from 150.1.1.1 to internet ports any. We are controlling rules on internal firewalls. Is  R80.20 hf141 is good version to support this? And do we need to change rule on internal firewall? External firewall has common rule so we don't need to change. Thanks