Documente Academic
Documente Profesional
Documente Cultură
VOIP
R80.40
Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
VoIP R80.40 Administration Guide
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
Table of Contents
Glossary 7
Securing Voice Over IP 17
Introduction to Check Point Secure VoIP 17
VoIP and the Security Gateway 17
VoIP Security Deployments 19
Use Case 1: Enterprise Deployment - Perimeter VoIP Gateway 19
Use Case 2: Enterprise Deployment - LAN Segmentation 20
Use Case 3: Service Provider Deployment 20
VoIP Technology and Standards 22
Media and Control Signals 22
Supported SIP RFCs and Standards 22
Supported MGCP RFCs and Standards 23
Supported H.323 Protocols and Standards 23
Session Initiated Protocol (SIP) 24
Introduction to SIP 24
Basic SIP Configuration 24
SIP-Specific services 24
Supported SIP Topologies and NAT Support 26
Opening Dynamic Ports for SIP Signaling 27
Sample Rule With the sip_dynamic_ports Service 28
Important Information About Creating SIP Security Rules 28
Sample SIP Rules for an Endpoint-to-Endpoint Network 29
Sample SIP Rules for a Proxy in an External Network 29
Sample SIP Rules for a Proxy-to-Proxy Topology 30
Sample SIP Rules for a Proxy in DMZ Topology 31
SIP Advanced Configuration 33
Gateway Clustering Support for SIP 33
Configuring SIP-T Support 33
SIP Protocol Anomaly Protection 34
MGCP-Based VoIP 35
Introduction to MGCP 35
MGCP-Specific services 35
Supported MGCP Topologies and NAT Support 36
Sample MGCP Packet Before NAT 37
Sample MGCP Packet After Hide NAT When Option is Disabled 37
Important Information about Creating MGCP Security Rules 38
MGCP Rules for a Call Agent in the External Network 38
Sample MGCP Rules for a Call Agent in DMZ 39
Sample MGCP Rules for a Call Agent to Call Agent 40
H.323-Based VoIP 42
Introduction to H.323 42
H.323 Specific Services 42
Supported H.323 Deployments and NAT 43
Important Information about Creating H.323 Security Rules 45
Sample H.323 Rules for an Endpoint-to-Endpoint Topology 45
Sample H.323 Rules for a Gatekeeper-to-Gatekeeper (or H.323 Gateway) Topology 46
Sample H.323 Rules for a Gatekeeper (or H.323 Gateway) in an External Network 47
Defining H.323 Rules for a Gatekeeper in DMZ Topology 48
SCCP-Based VoIP 51
Introduction to SCCP Security and Connectivity 51
SCCP-Specific Services 51
SCCP Supported Deployments 51
Important Information about Creating SCCP Security Rules 52
Sample SCCP Rules for Call Manager in Internal Network 52
Sample SCCP Rules for Call Manager in External Network 53
Sample SCCP Rules for Call Manager in the DMZ 53
Securing Encrypted SCCP 53
Configuring VoIP for Check Point Security Gateways 55
Important Information about Configuring VoIP Security Rules 55
Configuring Check Point Security Gateways in SmartConsole 55
Setting Up Your Network with Network Address Translation (NAT) 55
Configuring Inspection Settings in SmartConsole 56
Configuring VoIP Ports in SmartConsole 57
Glossary
A
Administrator
A user with permissions to manage Check Point security products and the network
environment.
API
In computer programming, an application programming interface (API) is a set of
subroutine definitions, protocols, and tools for building application software. In general
terms, it is a set of clearly defined methods of communication between various software
components.
Appliance
A physical computer manufactured and distributed by Check Point.
Bond
A virtual interface that contains (enslaves) two or more physical interfaces for
redundancy and load sharing. The physical interfaces share one IP address and one
MAC address. See "Link Aggregation".
Bonding
See "Link Aggregation".
Bridge Mode
A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.
CA
Certificate Authority. Issues certificates to gateways, users, or computers, to identify
itself to connecting entities with Distinguished Name, public key, and sometimes IP
address. After certificate validation, entities can send encrypted data using the public
keys in the certificates.
Certificate
An electronic document that uses a digital signature to bind a cryptographic public key
to a specific identity. The identity can be an individual, organization, or software entity.
The certificate is used to authenticate one identity to another.
Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.
Cluster Member
A Security Gateway that is part of a cluster.
CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.
CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming
traffic from the network interfaces; Securely accelerating authorized packets (if
SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel
instances (SND maintains global dispatching table, which maps connections that were
assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall
instances is statically based on Source IP addresses, Destination IP addresses, and the
IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to
stick to a particular FWK daemon is done at the first packet of connection on a very high
level, before anything else. Depending on the SecureXL settings, and in most of the
cases, the SecureXL can be offloading decryption calculations. However, in some other
cases, such as with Route-Based VPN, it is done by FWK daemon.
CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you
can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
For details, see sk92449.
DAIP Gateway
A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the
IP address of the external interface is assigned dynamically by the ISP.
Data Type
A classification of data. The Firewall classifies incoming and outgoing traffic according
to Data Types, and enforces the Policy accordingly.
Database
The Check Point database includes all objects, including network objects, users,
services, servers, and protection profiles.
Distributed Deployment
The Check Point Security Gateway and Security Management Server products are
deployed on different computers.
Domain
A network or a collection of networks related to an entity, such as a company, business
unit or geographical location.
Expert Mode
The name of the full command line shell that gives full system root permissions in the
Check Point Gaia operating system.
External Network
Computers and networks that are outside of the protected network.
External Users
Users defined on external servers. External users are not defined in the Security
Management Server database or on an LDAP server. External user profiles tell the
system how to identify and authenticate externally defined users.
Firewall
The software and hardware that protects a computer network by analyzing the incoming
and outgoing network traffic (packets).
Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.
Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restrictive shell (role-based administration controls the number of commands
available in the shell).
Gaia Portal
Web interface for Check Point Gaia operating system.
Hotfix
A piece of software installed on top of the current software in order to fix some wrong or
undesired behavior.
ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.
Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.
IPv4
Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each
set can be from 0 - 255. For example, 192.168.2.1.
IPv6
Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of
hexadecimal numbers, each set can be from 0 - ffff. For example,
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
Link Aggregation
Various methods of combining (aggregating) multiple network connections in parallel to
increase throughput beyond what a single connection could sustain, and to provide
redundancy in case one of the links should fail.
Log
A record of an action that is done by a Software Blade.
Log Server
A dedicated Check Point computer that runs Check Point software to store and process
logs in Security Management Server or Multi-Domain Security Management
environment.
Management Interface
Interface on Gaia computer, through which users connect to Portal or CLI. Interface on a
Gaia Security Gateway or Cluster member, through which Management Server
connects to the Security Gateway or Cluster member.
Management Server
A Check Point Security Management Server or a Multi-Domain Server.
Multi-Domain Server
A computer that runs Check Point software to host virtual Security Management Servers
called Domain Management Servers. Acronym: MDS.
Network Object
Logical representation of every part of corporate topology (physical machine, software
component, IP Address range, service, and so on).
Open Server
A physical computer manufactured and distributed by a company, other than Check
Point.
Rule
A set of traffic parameters and other conditions in a Rule Base that cause specified
actions to be taken for a communication session.
Rule Base
Also Rulebase. All rules configured in a given Security Policy.
SecureXL
Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security
Gateways for significant performance improvements.
Security Gateway
A computer that runs Check Point software to inspect traffic and enforces Security
Policies for connected network resources.
Security Policy
A collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.
SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over
SSL, for secure communication. This authentication is based on the certificates issued
by the ICA on a Check Point Management Server.
Single Sign-On
A property of access control of multiple related, yet independent, software systems. With
this property, a user logs in with a single ID and password to gain access to a
connected system or systems without using different usernames or passwords, or in
some configurations seamlessly sign on at each system. This is typically accomplished
using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases
on (directory) servers. Acronym: SSO.
SmartConsole
A Check Point GUI application used to manage Security Policies, monitor products and
events, install updates, provision new devices and appliances, and manage a multi-
domain environment and each domain.
SmartDashboard
A legacy Check Point GUI client used to create and manage the security settings in
R77.30 and lower versions.
Software Blade
A software blade is a security solution based on specific business needs. Each blade is
independent, modular and centrally managed. To extend security, additional blades can
be quickly added.
SSO
See "Single Sign-On".
Standalone
A Check Point computer, on which both the Security Gateway and Security
Management Server products are installed and configured.
Traffic
Flow of data between network devices.
Users
Personnel authorized to use network resources and applications.
VLAN
Virtual Local Area Network. Open servers or appliances connected to a virtual network,
which are not physically connected to the same network.
VLAN Trunk
A connection between two switches that contains multiple VLANs.
VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a
computer or cluster with virtual abstractions of Check Point Security Gateways and
other network devices. These Virtual Devices provide the same functionality as their
physical counterparts.
VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that
provide the functionality of physical network devices. It holds at least one Virtual
System, which is called VS0.
SIP-Specific services
These preconfigured SIP services are available for gateways of version R80.XX or higher.
Protocol
Services Port Description
Type
sip UDP SIP_ This service enforces signal routing. Use a VoIP Domain in
5060 UDP the source or destination of a rule, together with this service.
When you use this service, registration messages are
tracked and a database is maintained that includes the
details of the IP phones and the users. If an incoming call is
made to a Hide NATed address, the Security Gateway
confirms the user exists in the SIP registration database.
This can prevent DoS attacks.
Protocol
Services Port Description
Type
sip_dynamic_ Not Not set This service allows a SIP connection to be opened on a
ports set dynamic port and not on the SIP well-known port.
sip_tls_not_ TCP None Allows SIP over TLS to pass without inspection. It requires
inspected 5061 that you open the media ports manually.
sip_tls_ TCP SIP_ SIP over non-encrypted TLS and authenticated only.
authentication 5061 TCP_ NAT is not supported for connections of this type.
PROTO
These legacy SIP services are used for gateways of version R75.40 and below, if not enforcing handover.
Do not use these services for R.80.xx (or higher).
Services Purpose
sip_ Use sip_any for VoIP equipment that uses SIP UDP.
any Do not place a VoIP Domain in the Source or Destination of a rule. Instead, use * Any or a
Network Object, together with one of these services.
Note - If a VoIP Domain is used with this service, the packet is dropped.
Important - Do not use this service in the same rule with the sip service because they
contradict each other.
sip- Use sip-tcp_any for VoIP equipment that uses SIP TCP.
tcp_ Use this service if you do not enforce signal routing. In that case, do not place a VoIP
any Domain in the Source or Destination of a rule. Instead, use * Any or a Network Object
together with the sip_any-tcp service.
Note - If a VoIP Domain is used with this service, the packet is dropped.
Important -Do not use this service in the same rule with the sip-tcp service because they
contradict each other.
To configure support for SIP TLS in environments where a secure solution is not available:
1. Configure Network Objects in SmartConsole for the SIP phones.
2. Configure a Network Object for the SIP proxy.
3. Configure a rule that opens all high UDP ports and TCP port 5061.
The rule below shows that the phones send data directly to each other, and not through the proxy.
Services &
No Name Source Destination VPN Action Track
Applications
Supports
Supports
NAT for
Supports NAT for
Deployment Internal Description
No-NAT Proxy -
Phones -
Static
Hide/Static
NAT
NAT
SIP Proxy Yes Yes Not n IP phones use the services of a proxy
in External applicable on the external side of the gateway.
Network n Enables the use of a proxy that is
maintained by another organization.
n Configure Hide NAT, Static NAT, or
no-NAT for the phones on the internal
side of the gateway.
Supports
Supports
NAT for
Supports NAT for
Deployment Internal Description
No-NAT Proxy -
Phones -
Static
Hide/Static
NAT
NAT
SIP Proxy Yes Yes Yes n The same proxy controls both
in DMZ endpoint domains. This makes it
possible to provide proxy services to
other organizations.
n Static NAT or no-NAT can be
configured for the proxy.
n Hide NAT, Static NAT, or no NAT can
be configured for the phones on the
internal side of the gateway.
For complete information on NAT configuration, see the R80.40 Security Management Administration
Guide.
Below are some exceptions when you use SIP with NAT:
n NAT is not supported on IP addresses behind an external Check Point gateway interface.
n Calls cannot be made from an external source to two endpoints on the trusted side of a gateway if
only one of the endpoints is NAT enabled.
n You can use Automatic NAT for other deployments.
Contact:
<sip:2001@172.16.8.3:3000;rinstance=64d25786c64e7975>;expires=3600
The rport parameter is found in the Via header field when the port is relocated.
For example:
See RFC 3581 - An Extension to the Session Initiation Protocol (SIP) for Symmetric Response Routing.
Note - Use the sip_dynamic_ports service with at least one other SIP service in a rule.
Important -You must configure anti-spoofing on the Check Point gateway interfaces for VoIP.
Note - The old policy rules are still intact for calls already in-progress and they will not be dropped.
OR
To allow bidirectional calls between SIP phones in internal and external networks:
1. Configure Network Objects (nodes or networks) for IP phones that are:
n Managed by the SIP Proxy or Registrar
n Permitted to make calls, and those calls inspected by the gateway. In the image, these are
Net_A.
2. Configure the Network Object for the SIP Proxy (SIP_Proxy).
3. Configure the VoIP rule.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the
Network Object for the internal network (Net_A). See Setting up your network for Network Address
Translation.
5. Install Policy .
OR
OR
Allow bidirectional calls between phones in internal and external networks (Net_A and Net_B) and
Configure NAT for the internal phones and the proxy in the DMZ (Proxy_DMZ).
To configure bidirectional calls between phones in the internal and external networks:
1. Configure Network Objects (nodes or networks) for phones that are permitted to make calls and for
calls inspected by the gateway. These are Net_A and Net_B.
2. Configure the Network Object for the proxy (Proxy_DMZ).
3. Configure the VoIP rules.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the
Network Object for the internal network (Net_A). See Setting up your network for Network Address
Translation.
5. Install Policy .
To configure support for RFC 3372 Session Initiation Protocol for Telephones (SIP-T):
1. In the applicable $FWDIR/lib/user.def file on the Security Management Server (see sk98239), add
this line:
first_ip and second_ip are the IP addresses between which (bidirectional) SIP-T are allowed.
For example, to allow SIP-T between 192.1.1.1 and 192.1.1.2, and between 192.1.1.1 and
192.1.1.3, add this line:
MGCP-Based VoIP
Introduction to MGCP
MGCP is a protocol used to control telephone gateways from external call control devices called Call
Agents, and Media Gateway Controllers. MGCP is a master-slave protocol. The Call Agent is the master
and the endpoints are the slaves. This protocol is different from SIP and H.323 which are peer-to-peer
protocols.
With the MGCP protocol, Call Agents synchronize with each other to send commands to the devices they
control (Media Gateway). Call Agents connect directly to IP phones. The Media Gateway and IP phones
run with commands sent by the Call Agents. The image below shows the MGCP elements and call control
actions. Media Gateway and MGCP IP phones can support features such as conference calls, 3-way
brokering and supervisor inspection.
Depending on the Call Agent you use, MGCP can operate together with SIP and H.323.
MGCP-Specific services
Preconfigured MGCP-Specific Services
Protocol
Service Ports Description
Type
Protocol
Service Ports Description
Type
MGCP_ Not Not set Allows you to open an MGCP connection on a dynamic port and
dynamic_ set not on the MGCP well known port.
ports
Supports NAT
Supported
Supports for Internal
MGCP Description
No NAT Phones -
Topology
Hide/Static NAT
Call Agent Yes Yes n The IP phones use the services of a Call Agent on
in External the external side of the gateway. This enables the
Network use of a Call Agent that is maintained by another
organization.
n You can configure Hide NAT, Static NAT, or No-
NAT for the ph ones on the internal side of the
gateway.
Call Agent Yes No n The same Call Agent controls both endpoint
in the domains.
DMZ n This topology makes it possible to provide Call
Agent services to other organizations.
Notes:
Below are the following exceptions for using MGCP with NAT:
n Manual NAT rules are not supported. You must use Automatic NAT.
n If only one endpoint is NAT enabled, calls cannot be made from an external source to two endpoints
on the trusted side of a gateway.
n Bidirectional NAT of VoIP calls is not supported.
In this environment, all the internal phones are registered with the same Source IP ,194.90.147.14, and the
default MGCP source port, 2427.
Some MGCP servers can register a phone with only one IP address and port combination. As a result, only
one of the phones behind that IP address will be registered successfully on the server.
2. FromGeneral Properties > Other > Connection Persistence > Keep all connections >
OK.
Note - Rematch connections is selected by default.
Note - The old policy rules are still intact for calls already in-progress and they will not be dropped.
1. Configure the Network Objects (nodes or networks) for IP phones managed by the MGCP Call
Agent and their calls, subject to gateway inspection.
For the example in the image, these are Net_A and Net_B.
2. Configure the Network Object for the Call Agent (MGCP_Call_Agent).
3. Configure the VoIP rule.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the
Network Object. See Setting up your network for Network Address Translation.
5. Install Policy .
To enable bidirectional calls between phones in internal and external networks (Net_A and Net_B):
1. Configure the Network Objects (nodes or networks) for the phones that are permitted to make calls
and their calls subject to gateway inspection. In the image, these are Net_A and Net_B.
2. Configure the Network Object for the Call Agent (Call_Agent).
3. Configure the VoIP rule.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the
Network Object for the internal network (Net_A). See Setting up your network for Network Address
Translation.
5. Install Policy .
H.323-Based VoIP
Introduction to H.323
H.323 is an International Telecommunication Union (ITU) standard that specifies the components,
protocols and procedures that provide multimedia communication services, real-time audio, video, and
data communications over packet networks, including IP based networks.
H.323 registration and alternate communication occurs on UDP port 1719, and H.323 call signaling occurs
on TCP port 1720. H.323 is a peer-to-peer protocol.
The Security Gateway supports these H.323 architectural elements:
n IP phones
Devices that:
l Handle signaling (H.323 commands)
l Connect to an H.323 Gatekeeper
IP phones are Configured in SmartConsole, usually as a network of IP phones. It is usually not
necessary to Configure Network Objects for individual IP Phones.
n Standard telephones
Connect to an H.323 gateway. These are not IP devices. It is not necessary to Configure them in
SmartConsole.
n Gatekeeper
Manages a collection of H.323 devices, such as phones. A Gatekeeper converts phone numbers to
IP addresses and can provide gateway services as well.
n Gateway
Provides interoperability between different networks. The gateway translates between the
telephony protocol and IP.
Service Purpose
TCP:H323 Allows a Q.931 to be opened (and if needed, dynamically opens an H.245 port), and
dynamically opens ports for RTP/RTCP or T.120.
UDP:H323_ Allows a RAS port to be opened, and then dynamically opens a Q.931 port (an H.245
ras port if needed). Also dynamically opens and RTP/RTCP and T.120 ports.
Service Purpose
UDP:H323_ Allows only RAS ports. Cannot be used to make calls. If this service is used, no
ras_only Application Intelligence Checks (payload inspection or modification as NAT translation)
are made. Do not use if you want to perform NAT on RAS messages. Do not use in the
same rule as the H323_ras service.
Note - Make sure to use the H.323 and H.323_ras servicesin H.323 Security Gateways rules.
Supports
NAT for Supports
Supported H.323 Supports Internal NAT for
Description
Topology No NAT Phones - Gatekeeper -
Hide/Static Static NAT
NAT
Supports
NAT for Supports
Supported H.323 Supports Internal NAT for
Description
Topology No NAT Phones - Gatekeeper -
Hide/Static Static NAT
NAT
n Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an
external network (Net_B)
n Configure NAT for the internal phones
The command fw ctl arp displays the ARP proxy table on gateways that run on Windows.
On UNIX, use the arp -a command.
5. Make the time-out of the H323_ras service greater or equal to the Gatekeeper registration time-
out.
n In theManage & Settings tab, go to Blades > General , select Inspection Settings .
The Inspection Settings window opens.
n From the General tab, in the search window, enter H.323.
n The H.323 - General Settings window shows. Double-click the service. A window opens.
n Configure the Timeouts
6. Click OK.
7. Install the Security Policy.
SCCP-Based VoIP
Introduction to SCCP Security and Connectivity
SCCP (Skinny Client Control Protocol) controls telephony gateways from external call control devices
called Call Agents (also known as Media Gateway Controllers).
Connectivity and network level security for SCCP-based VoIP communication is supported. All SCCP traffic
is inspected and legitimate traffic is allowed. Attacks are blocked. Other firewall gateway capabilities are
supported, such as anti- spoofing and protection against denial of service attacks.
The validity of SCCP message states is verified for all SCCP messages. For a number of key messages,
the existence and validity of the message parameters are also verified.
SCCP-Specific Services
These preconfigured SCCP services are available:
Protocol
Service Port
Type
high_udp_for_ N/A N/A Secure SCCP - Media to or from, on IP Protocol 17, ports
secure_SCCP above 1024.
Note - Supported only on Security Management Servers and
Security Gateways that run R75.40 and above.
Supported
SCCP Description
Topology
Call Manager The IP phones use the services of a Call Manager in an internal network.
in the Internal
Network
Call Manager The IP phones use the services of a Call Manager on the external side of the
in the External gateway. This topology enables the use of the services of a Call Manager that is
Network maintained by another organization.
Call Manager The same Call Manager controls both endpoint domains. This topology makes it
in the DMZ possible to provide Call Manager services to other organizations.
When an SCCP phone is turned on and identified as Secure SCCP, the phone's IP address is added to the
database of secure SCCP phones.
When RTP traffic arrives at the gateway, it is allowed only if the source or destination is in the database of
secure SCCP phones.
1. From SmartConsole, in theManage & Settings tab, go to Blades > General , select Inspection
Settings .
The Inspection Settings window opens.
2. From the General tab, in the search window, enter MGCP.
A list of Settings options shows.
3. Double-click the setting that you want to configure.
4. Make your changes and click OK.
n Hide NA
Use Hide NAT to translate one or multiple IP addresses to an IP address of a specific object (for
example, a Security Gateway), or to a specific IP address. The Security Gateway allows bi-
directional connections to establish calls for the VoIP topology. The Security Gateway blocks
connections for non-VoIP topologies.
n Static NA
Use Static NAT to translate one IP address to a specific IP address. Each IP address on one network
is translated to a different IP address on another network. Security Gateway allows connections to
and from the computers, for which you configure the Static NAT.
n No-NA
Use No-NAT to cancel the existing NAT rules.
Example: You have an internal network of computers behind a Security Gateway. To represent the
entire internal network, you create a Network Object and configure it to be NATed. An automatic
NAT rule shows in Security Policies > Access Control > NAT. Now, you want to exclude one specific
computer from this automatic NAT rule.
To do this, you have to create a Host object and configure a Manual NAT rule that translates only
this Host object to itself. You must place this Manual NAT rule above all Automatic NAT rules.
If no limitations are placed on VoIP Media Admission Control, attackers can craft control signals that:
n Open pinholes for unauthorized access
n Cause internal endpoints to send media to IP addresses of their choice
n Eavesdrop, modify, or disrupt communications
Media admission control protection is available for:
n SIP
n H.323
n SCCP
n MGCP
Media Admission Control is configured on each VoIP Server.
Predefined
Type When Sent Shows
Query
Registration Accept After successful Registration IP address, phone number, port, and
Session logs registration. transport protocol (TCP/UDP). Registration period
(seconds). IP address of the registrar server.
Other Accept After response to Source IP address, port, and phone number.
Session logs SIP requests. Destination IP address, port and phone number.
Such as: SIP method or MGCP command type.
n Message
or Update
n Response
to MGCP
commands
Call Accept After a call is Source IP address, port and phone number.
Session logs established, and Destination IP address, port and phone number.
updated after the State of call (open/closed), duration (seconds),
call is closed. direction (Inbound/Outbound), media.
(If there are multiple media streams, shows data of
the first one only.)
Policy Drop VoIP policy has Source IP address, port and phone number.
Events or detected a Destination IP address, port and phone number.
Detect violation. Reason for log (VoIP Reject Reason and VoIP
logs Reject Reason Information fields). Short
configuration guidelines.
For complete information about logs and queries, see the R80.40 Logging and Monitoring Administration
Guide.
The Security Gateway stores SIP traffic data in these kernel table:
sip_ Holds one entry for each registered internal phone. An entry is entered when the
registration registration is completed (200 OK).
Timeout: The value from the expires header field, or default.
To view a list of the online IP phones, run this command:
# fw tab -t sip_registration -f
sip_state Holds one entry for each SIP call (call-id + user tags). An entry is entered with the
first packet of the call. Each SIP call has 2 - 4 SIP connections. Calls entries remain
until the call is terminated.
Timeout: 180 seconds, and it is refreshed as long as RTP is alive (for non-Int2Int
calls).
Note that the entries are per Call-ID. B2BUA may set 2 entries per call.
To view information on current calls, run this command:
# fw tab -t sip_state -f
Output
Control connection (source, destination).
RTP connection (endpoint IP addresses).
Call state (established, ended, registration).
Media type (audio, video, audio/video, application).
Number of reinvites (number of participants in a
conference call)
sip_cseq Holds one entry per transaction (SIP request + SIP response). An entry is entered
with the SIP request.
Timeout: 40 seconds. 20 seconds for retransmissions.
sip_services Holds all the services that are defined as SIP in t0.he Rule Base.
sip_dynamic_ Holds entries for SIP communication for non-5060 port traffic.
port Timeout: The value from the expires header field or default.
fwx_sticky_ Holds port allocation entries only when you use NAT and sticky mechanism. Use
port this to translate the port consistently. Call entries remain until call is terminated.
fwx_alloc Holds port allocation entries only when you use NAT. Same entries that are
displayed in the fwx_sticky_port kernel table. Call entries remain until call is
terminated.
earlynat_ Holds five entries for each SIP UDP connection (1 entry and 1 link for each direction
sport of the connection and 1 link for Bi-Directional SIP).
The Security Gateway stores H.323 traffic data in these kernel table:
Description
h323_
Holds one entry for each registered internal phone.
registration
fwx_sticky_ Holds port allocation entries only when using NAT and sticky mechanism. Use this to
port translate the port consistently. Call entries remain until call is terminated.
The Security Gateway stores MGCP traffic data in these kernel table:
Description
mgcp_ Holds all the services that are defined as SIP in the Rule Base.
services
mgcp_ Holds entries for MGCP communication for non-MGCP well-known ports - only if
dynamic_port mgcp_dynamic_portservice is used.
mgcp_cmd Holds all the MGCP commands that take place. In MGCP SD you can add new
MGCP commands. Add new entries to this table.
mgcp_conn Holds MGCP control connections, such as sip_state kernel table. Has an entry
for each MGCP call. Call entries remain until call is terminated.
mgcp_tid Every command or transaction has its own TID (Transaction ID). Every new TIF is
added to this kernel table. There is verification that every request has a matched
response.