Hello
Has anybody ever made 3CX Phone System work behind a 1450 Appliance?
I tried probably a billion options found here or on the internet, but the 3CX firewall checker fails every time.
Ports used by 3CX:
SIP: TCP 5060-5061, UDP 5060
Tunnel: TCP 5090-5091, UDP 5090
RTP/WebRTC: UDP 9000-10999
WebUI: TCP 5000-5001
Server VoIP3CX services are added and set to manual access policy.
Outbound Policy: Traffic from Voip3CX (server) to the internet of any application is accepted
Inbound Policy: Traffic from any source to This Gateway on Voip3CX (services) is accepted
Manual NAT: Translate traffic from any source to this gateway on Voip3CX (services) as if the traffic is from original source to VoIP3CX (server) on original service
Everything I could get configured is 5000-5001 (to reach the web interface from outside)
Other things do not work.
Phone System firewall checker says (briefly):
and so on down to port 10999
I'm advanced with 3CX but pretty new to Check Point, so any suggestion would be appreciated.
What is in the logs when mapping fails?
Which log? Check Point or 3CX?
I would assume: both. 8) Did you look at VoIP Issue and SMB Appliance (600/1000/1200/1400) already? Basic is sk113573: How to configure VoIP on Locally Managed 600 / 700 / 910 / 1100 / 1200R / 1400 appliances; this is the most important source for a working configuration of VoIP on SMB Appliances.
Can you send us both logs? Also, maybe on the CP firewall while testing, run the command fw ctl zdebug + drop | grep x.x.x.x (just make sure you test the correct IP). It would be helpful to see if anything is getting dropped at the kernel level.
Andy
I already checked guides and suggestions. Opened a ticket and talked to support. They also don't know.
There is nothing blocked or dropped. Logs show that at least 5060 is accepted by CP.
The problem is that the original ports, i.e. 5060-5061, 5090-5091, 9000-10999, are replaced by random ports.
Is there any way to FORCE CP to use the original ports, without enabling deep inspection?
With manual static NAT, that should not happen. Are you sure you use SIP and not just ANY service in the rulebase?
Dude!!!
It was NOT set to ANY, but your words pushed me in the right direction.
Here's the config that did the magic. WAN IP in static NAT. Hide outgoing traffic and Force translate. Access from all and properly configured Policy.
All tests passed green.
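The symptom in this thread (source ports rewritten on the way out) can be confirmed independently of the 3CX firewall checker with a STUN Binding exchange, because the reply's XOR-MAPPED-ADDRESS attribute carries the port the outside world saw. This is an added example, not code from the thread, 3CX or Check Point. It assumes an RFC 5389 STUN reply; the function names, transaction ID and sample replies are constructed for illustration.

```python
import ipaddress
import struct

MAGIC = 0x2112A442           # STUN magic cookie (RFC 5389)
BINDING_SUCCESS = 0x0101     # Binding success response type
XOR_MAPPED_ADDRESS = 0x0020  # attribute holding the address the server saw

def build_binding_response(txid, ip, port):
    """Constructed sample data: the reply a STUN server would send."""
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC >> 16), xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC, txid) + attr

def mapped_address(msg, txid):
    """Validate the STUN header and return (ip, port) as seen from outside."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie, rtxid = struct.unpack("!HHI12s", msg[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC or rtxid != txid:
        raise ValueError("not the Binding success response for this request")
    if mlen != len(msg) - 20:
        raise ValueError("length field does not match message size")
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        val = msg[off + 4:off + 4 + alen]
        if len(val) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and val[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", val[2:8])
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC)), xport ^ (MAGIC >> 16)
        off += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def port_preserved(local_port, msg, txid):
    """True when the NAT kept the source port, False when it rewrote it."""
    _, external_port = mapped_address(msg, txid)
    return external_port == local_port

if __name__ == "__main__":
    txid = bytes(range(12))  # constructed transaction ID
    # Constructed replies: 203.0.113.10 is a documentation address.
    for local, seen in [(5060, 5060), (5090, 41872), (9000, 9000)]:
        reply = build_binding_response(txid, "203.0.113.10", seen)
        state = "preserved" if port_preserved(local, reply, txid) else "REWRITTEN"
        print(f"local {local} -> external {seen}: {state}")
```

In a live test the reply would come from a STUN server queried from the PBX host with the socket bound to the port under test, once before and once after the NAT change.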
I am glad it works for you now.
I have a 1550 instead of a 1450 and I am not able to find the dialogue box he showed below. Where do I prevent the firewall from changing the ports on the way back?
From your post, it looks like you have defined the Manual NAT for the Inbound portion only.
In this case, for the outbound traffic, 3CX will likely use dynamic port assignments and thus showing you the mismatched mapping.
Check if you can define Manual outbound NAT for original 3CX services.
Thanks for the reply.
Added a manual rule as:
translate traffic from VoIP3CX (server) to External IP on Voip3CX (services) as if the traffic is from original source to VoIP3CX (server) on original service
Nothing changed.
TAC should be able to resolve that in short RAS very quickly!
eemmm what?
He means, technical assistance should be able to help you with a short remote session. In other words, please open a support case for this.
ah ) Already did. Spent over 4 hours in Zoom with a technician. No result. The ticket is still open.
If you have all 3CX services used in a single NAT rule as a composite group, please try the following:
Create individual NAT rules each containing a single defined service and test again.
Don't know if this could be related, but I had trouble getting a VoIP phone provided by a third party working on our network, connecting out through our firewall.
They asked for TCP/5061, for which I added the service "sip_tls_authentication".
It never worked.
I found there was also a service "sip_tls_not_inspected", once I added that it worked, both are port 5061.
Not sure what the differences are other than one has a protocol associated with it the other didn't.
Jason
There is your key word "NOT INSPECTED"... that would totally explain why it worked. Technically, any service where protocol is set to "none" would not be inspected by anything or for anything. So, that's the main difference... NOT inspected. Think hard if that's what you want to use...