lullejd
Contributor

SIP Inspection / ALG

Hi,

Is there a formal CheckPoint document showing how to completely disable SIP inspection on both Gaia and Embedded Gaia appliances? Or something to completely confirm the status of the SIP ALG?

From what I have found, even from the community, in order to disable SIP inspection one needs to create a custom port object for 5060 with "Match for Any" and include it in the rules. However, I need to make sure that the firewall is actually not doing SIP inspection.

Thanks in advance.

Senior Information Security Engineer
0 Kudos
15 Replies
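One way to answer the question in the first post empirically (whether anything on the path is rewriting SIP), as an added example that is not from this thread or from Check Point: capture the INVITE as the phone sent it and as the far end received it, then diff the address-bearing fields a SIP ALG rewrites (Via, Contact, the SDP c= line). Both messages below are constructed samples; 198.51.100.5 stands in for the firewall's external address.

```python
"""Diff a SIP request as sent against the copy that arrived, to spot ALG rewrites."""

ADDRESS_HEADERS = ("Via", "Contact", "From", "To")  # headers an ALG typically rewrites
SDP_ADDRESS_LINES = ("c=", "m=", "o=")              # SDP lines carrying media addresses/ports

def parse_sip(raw):
    """Return (request line, {header: [values]}, address-bearing SDP lines)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    sdp = [l for l in body.split("\n") if l[:2] in SDP_ADDRESS_LINES]
    return lines[0], headers, sdp

def alg_rewrites(sent, received):
    """Map each field that differs between the two copies to (sent, received).
    An empty result means nothing on the path touched the SIP/SDP addresses."""
    sent_req, sent_hdr, sent_sdp = parse_sip(sent)
    recv_req, recv_hdr, recv_sdp = parse_sip(received)
    diffs = {}
    if sent_req != recv_req:
        diffs["request-line"] = (sent_req, recv_req)
    for name in ADDRESS_HEADERS:
        if sent_hdr.get(name) != recv_hdr.get(name):
            diffs[name] = (sent_hdr.get(name), recv_hdr.get(name))
    for s, r in zip(sent_sdp, recv_sdp):
        if s != r:
            diffs["sdp " + s[:2]] = (s, r)
    return diffs

def sample(via_ip, contact_ip, sdp_ip):
    """Constructed INVITE; only the three address fields vary between copies."""
    return ("INVITE sip:bob@203.0.113.10 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {via_ip}:5060;branch=z9hG4bK776\r\n"
            "From: <sip:alice@192.168.1.20>;tag=1928\r\n"
            "To: <sip:bob@203.0.113.10>\r\n"
            f"Contact: <sip:alice@{contact_ip}:5060>\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\no=alice 1 1 IN IP4 192.168.1.20\r\n"
            f"c=IN IP4 {sdp_ip}\r\nm=audio 4000 RTP/AVP 0\r\n")

SENT = sample("192.168.1.20", "192.168.1.20", "192.168.1.20")      # as the phone sent it
RECEIVED = sample("198.51.100.5", "198.51.100.5", "198.51.100.5")  # as seen past an ALG (constructed)

if __name__ == "__main__":
    for field, (was, now) in alg_rewrites(SENT, RECEIVED).items():
        print(f"{field}: {was} -> {now}")
```

In practice, replace SENT and RECEIVED with the request text from a capture on the phone's segment and one on the far side of the gateway.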
the_rock
Legend

Can you share the doc you have, I want to make sure it is the correct one?

0 Kudos
lullejd
Contributor

I was looking at this:

https://community.checkpoint.com/t5/Security-Gateways/How-to-disable-SIP-ALG-inspection-in-a-specifi...

Specifically to this:

  1. Define your own UDP or TCP object without a protocol handler. For example: Name it SIP-BARE and use UDP/5600
  2. Make sure you enable "Match for Any" on your own service and disable it on the existing service.
  3. Make a rule for your own service AND!!!! make sure it is ABOVE any rule that uses the built-in SIP services (which contain handlers).

Apart from that we also did this sk:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To be honest, in my opinion there should be an official SK from CheckPoint on what needs to be done in order to disable SIP inspection on both Gaia and Embedded at this stage. There is also this sk:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

which does not exactly specify.

Senior Information Security Engineer
0 Kudos
_Val_
Admin

Not getting this, what is missing in sk65072, in your opinion?

0 Kudos
lullejd
Contributor

For example, embedded gaia gateways (running R80.20.x), R80.40 and R81 procedures

Senior Information Security Engineer
0 Kudos
_Val_
Admin

Fair enough.

The SK is describing procedures to disable SIP inspection for performance reasons. If this is your case, and you are running R80.40 or above, you do not need to disable it. If you still want to disable, it is the same procedure for all R8x, just follow the relevant section.

If your R80.20 SMB is centrally managed, the described changes will do too. 

Now, let me ask, why do you need to disable it in the first place?

0 Kudos
lullejd
Contributor

Hi Val,

SIP inspection needs to be disabled since there are intermittent issues with voice and we need to make sure it is not being done by CheckPoint. SIP headers will be modified directly by the PABX rather than the firewall.

Senior Information Security Engineer
0 Kudos
_Val_
Admin

FW does not modify SIP headers, but once again, follow the procedure mentioned in the above SK. 

Also, and actually before you do that, why wouldn't you ask TAC to help you figure out the actual issue at hand?

0 Kudos
lullejd
Contributor

I've already opened a case with TAC around 2 weeks ago, but given the reply I got I don't have high hopes, to be honest. I asked for SIP inspection and was pointed to HTTPS inspection 🙂 That's why I'm asking here; maybe someone has experienced such issues with SIP and overcome them.

Senior Information Security Engineer
0 Kudos
_Val_
Admin

Please PM me with your SR number

lullejd
Contributor

Thanks Val. Sent you pm.

Senior Information Security Engineer
0 Kudos
_Val_
Admin

Strangely enough, I do not see any message from you. Would you care to send your SR to vloukine@checkpoint.com?

0 Kudos
lullejd
Contributor

Thanks Val. Sent it via email.

Senior Information Security Engineer
0 Kudos
starmen2000
Collaborator

Quick question.
If predefined services are applied in any rule, but in your certain rule you applied your own defined services, would it work so?

0 Kudos
PhoneBoy
Admin

It depends on the precise rules in your rulebase.
Refer to the following for a detailed explanation of how rulebase matching works: https://community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/m-p/9888#M1...
Basically, if multiple rules potentially match the same source/destination/service, where service is the specific TCP/UDP ports involved, then you might have issues if you're trying to avoid certain protocol handlers like SIP.
If you want to ensure that a certain protocol handler isn't used, then focused rules (possibly using inline layers) are key. 

0 Kudos
_Val_
Admin

Could you please elaborate? Which particular community recommendations are you trying to follow?

0 Kudos