This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriNarasimha005
Collaborator
‎2022-11-01 03:36 AM

SIP Traffic

Hi Folks,

I'm fairly new to checkpoint and have got a request to allow the SIP traffic UDP/5060, TCP/5060 and TCP/5061. Firewalls running R81.10 and Take78.

Have gone through this article and it suggests opening the data port manually along with sip_tls_not_inspected (if  sip_tls_authentication can't be used)

SIP-Specific services (checkpoint.com)

I'd like to seek your help in understanding how checkpoint processes the SIP traffic as couple of posts suggest using without the protocol handler and exempt from the IPS inspection to avoid one-way call issue.

Is it mandatory to bypass the SIP traffic from both IPS and Inspection settings?
Will the checkpoint not automatically allow the dynamic connections?
If the protocol handler isn’t set, obviously the inspection will not do. If that’s the case, why do we need to config the IPS and inspection settings bypass the SIP traffic?

Labels
0 Kudos
8 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-11-01 03:43 AM

Whenever possible, use the pre-defined Services including protocol handler to be safe and sure by includong SIP in IPS and TP inspection. See also sk95369: ATRG: VoIP

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
MVP Platinum
MVP Platinum
‎2022-11-01 05:00 AM

Those are indeed all very good questions! I recall even in old days of CP, it was tricky to make this work properly, you always had to make either IPS exceptions or change service protocol "mode". I would definitely follow link @G_W_Albrecht provided and if you get stuck, open TAC case and get it fixed.

Best,
Andy
0 Kudos
SriNarasimha005
Collaborator
‎2022-11-01 06:57 AM
In response to the_rock

Hi @the_rock @G_W_Albrecht 

Thanks for the reply. Can you please help me on this as I'm unable to figure this out based on the resources available.

If the protocol handler isn’t set, obviously the inspection will not do. If that’s the case, why do we need to config the IPS and inspection settings bypass the SIP traffic?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-01 07:01 AM
In response to SriNarasimha005

The way I would approach this in the past was always run zdebug if issue was there. So say, just making this up, you have problem with ip 1.2.3.4 and port 5060, you can do something like this from expert mode -> fw ctl zdebug + drop | grep 1.2.3.4 | grep ":5060"

That will most likely tell you where issue might be coming from. By the way, you do NOT need to config anything in IPS to bypass this, UNLESS there is clear proof that IPS is dropping it.

Makes sense?

Best,
Andy
SriNarasimha005
Collaborator
‎2022-11-01 07:16 AM
In response to the_rock

Hi @the_rock 

Thanks mate.

Final one, when you refer to "do NOT need to config anything in IPS to bypass this, UNLESS there is clear proof that IPS is dropping it"

Shall I assume that you're suggesting using the pre-defined services (with protocol handler)?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-01 07:20 AM
In response to SriNarasimha005

Yes sir, good guess ; - ). technically, if you did below, it would bypass IPS.

Screenshot_1.png

Best,
Andy
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-11-02 01:49 AM
In response to SriNarasimha005

The best and most secure is using the pre-defined services (with protocol handler) - any bypass shall only be made if suggested by TAC!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
MVP Platinum
MVP Platinum
‎2022-11-02 04:20 AM
In response to G_W_Albrecht

Yes sir Gunther, very good point indeed!!

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events