Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
israelfds95
Contributor
Contributor

FULL TIPS for VOIP Passing Through Check Point

VOIP can cause a lot of issues when passing through firewalls, including Check Point devices that use SecureXL and Deep Inspections. During my three years working with Check Point, I decided to share some of the tips I've noted in my personal notes.


NOTE: I ATTACH FOR DOWNLOAD A PDF ON THIS POST WITH ALL THIS INFORMATIONS THAT I WILL DESCRIBE HERE. BEST REGARDS

1 - The default Check Point objects can trigger deep inspection inspections (those marked with Protocol).

Create a new object with only the port specified, as shown in the example below, without selecting anything under General > Protocol.

WhatsApp Image 2024-08-10 at 9.38.58 PM.jpeg

2- To pass voice via RTP, a range of high ports is used. Simply create the object and include the dash between the range. Also, make sure not to select Protocol in the General field.
WhatsApp Image 2024-08-10 at 9.45.07 PM.jpeg

3 - Increase the default session timout of some udp or tcp port can be necessary some times. For example for udp 5060 can be necessary have more than 40 seconds. Do this on Advanced inside your service object.

WhatsApp Image 2024-08-10 at 9.59.18 PM.jpeg 

4 - It is common in VOIP to need to create bidirectional rules, especially for UDP traffic. So, if you are handling UDP voice traffic, or in large IPsec site-to-site scenarios where both sides need to send and receive traffic, create bidirectional NAT and security rules as shown in the example below:

Note: There are certain topologies where this may not be necessary, so evaluate your scenario using the VOIP Admin Guide for your version, and check the section "Important Information About Creating SIP Security Rules." link bellow: 
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VoIP_AdminGuide/Topics-VOIPG/20784...

NAT POLICY
WhatsApp Image 2024-08-10 at 10.14.39 PM.jpeg

SEC POLICY

WhatsApp Image 2024-08-10 at 10.12.49 PM.jpeg

NOTE: NAT rules using masquerade types can cause issues; if possible, it’s advisable to avoid them.

5  - Even after following all the steps, you may still encounter some cases of deep inspections. In such cases, it’s worth creating fast_accel rules for the PBX IP. I usually make them bidirectional, as shown in the examples below:

SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above
https://support.checkpoint.com/results/sk/sk156672

sk156672 shows examples of fast_accel rules. 

WhatsApp Image 2024-08-10 at 10.24.01 PM.jpeg

NOTE: You need enable fast_accel first with fw ctl fast_accel enable

You can create the rule pointing to a network, in which case you need to include the subnet mask:

fw ctl fast_accel add 1.1.1.1 2.2.2.0/24 80 6

You can specify the network in either the source or destination. (to be bidirectional)

You can also create rules in the following ways:

fw ctl fast_accel add any 2.2.2.2 any any

fw ctl fast_accel add 2.2.2.2 any any any

Note: The rule name must use ONLY LETTERS and no special characters.
 
6 - In the PBX, configure NAT=yes.

 

This is necessary if there is NAT configuration in the VPN tunnel's phase 2 to resolve any overlap, or if you are hiding any network for any reason in phase 2. It is also applicable if you need to handle VOIP traffic outside of an IPsec site-to-site tunnel.

WhatsApp Image 2024-08-10 at 10.31.57 PM.jpeg

 

7 - If you continue to have difficulty establishing a UDP connection for SIP, consider switching to TCP on the PBX.

Also, check if the client can establish communication on TCP 5060 instead of UDP 5060, especially if the client does not have DTMF (Dual-Tone Multi-Frequency) activated in VOIP.

Add the line transport=tcp to the configuration.

NOTE: request for the VOIP team, bellow is just an example. 

WhatsApp Image 2024-08-10 at 10.36.10 PM (1).jpeg

 

 

 

 

 

 

 




8 - 

VoIP SIP issues after upgrading Security Gateway to version R80.40 or higher with Hide NAT configured

https://support.checkpoint.com/results/sk/sk176286

WhatsApp Image 2024-08-10 at 10.38.41 PM.jpeg

9 - AS my last read the VOIP ATRG, and other references that Check Point have for VOIP, but my tips are here for all now. 

Here are some useful resources for VOIP troubleshooting and configuration with Check Point:

  • ATR VOIP: SK95369
  • SIP calls cannot be established after installing Check Point Security Gateway between SIP phones and SIP server: SK113503
  • How to disable 'fw early SIP nat' chain / SIP inspection: SK65072
  • Check Point Active Streaming (CPAS) and Passive Streaming Layer (PSL): SK44788
  • Important Information About Creating SIP Security Rules: VoIP Admin Guide (including how to create rules)
  • Community Link with a good example of VOIP troubleshooting: Community Example


Best Regards 

 

1 Reply
PhoneBoy
Admin
Admin

Thanks for sharing!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events