
ATRG: VoIP https://supportcenter.checkpoint.com/supportcenter/?eventSubmit_doGo...

ATRG: VoIP


Solution ID: sk95369
Product: Quantum Security Gateways, ClusterXL, VSX, Cluster - 3rd party
Version: All
Platform / Model: All
Date Created: 05-Dec-2013
Last Modified: 08-Mar-2021

Solution
Table of Contents:

• (1) Introduction
◦ (1-1) Check Point Security Gateway
◦ (1-2) SIP
▪ (1-2-A) SIP Description
▪ (1-2-B) SIP Entities
▪ (1-2-C) Types of SIP Messages
▪ (1-2-D) SIP Requests
▪ (1-2-E) SIP Responses
▪ (1-2-F) SIP Messages
▪ (1-2-G) Session Description Protocol (SDP)
▪ (1-2-H) SIP Architecture
▪ (1-2-I) SIP Example
◦ (1-3) H.323
▪ (1-3-A) H.323 Description
▪ (1-3-B) H.323 Architecture
▪ (1-3-C) H.323 Communication
▪ (1-3-D) Real-Time Transport Protocol (RTP)
▪ (1-3-E) Real-Time Transport Control Protocol (RTCP)
▪ (1-3-F) RAS - Registration, Admission, and Status
▪ (1-3-G) H.323 Typical Stack
▪ (1-3-H) H.323 Supported Protocols
▪ (1-3-I) H.323 Example
◦ (1-4) MGCP
▪ (1-4-A) MGCP Description
▪ (1-4-B) MGCP Characteristics
▪ (1-4-C) MGCP Components
▪ (1-4-D) MGCP and SIP / H.323
▪ (1-4-E) MGCP Example
◦ (1-5) SCCP (Skinny)
▪ (1-5-A) SCCP (Skinny) Description
◦ (1-6) Windows Messenger
▪ (1-6-A) Windows Messenger Description
• (2) Check Point Specifications
• (3) Check Point Definitions
• (4) Relevant ports
◦ (4-1) SIP
◦ (4-2) H.323
◦ (4-3) H.245 Call Parameters
◦ (4-4) MGCP
◦ (4-5) SCCP (Skinny)
◦ (4-6) Windows Messenger
• (5) Supported VoIP Deployments
◦ (5-1) SIP
◦ (5-2) H.323
◦ (5-3) MGCP
◦ (5-4) SCCP (Skinny)
• (6) Relevant Check Point services
◦ (6-1) SIP
◦ (6-2) H.323
◦ (6-3) MGCP
◦ (6-4) SCCP (Skinny)
◦ (6-5) MSNMS (Windows Messenger)
◦ (6-6) UDP
• (7) Relevant Check Point Security rules
◦ (7-1) SIP
▪ (7-1-A) Peer-to-Peer No-Proxy Topology
▪ (7-1-B) Proxy in an External Network
▪ (7-1-C) Proxy-to-Proxy Topology

1 of 42 10/10/2021 14:53

▪ (7-1-D) Proxy in DMZ Topology


◦ (7-2) H.323
▪ (7-2-A) Endpoint to Endpoint
▪ (7-2-B) Gatekeeper to Gatekeeper
▪ (7-2-C) Gateway to Gateway
▪ (7-2-D) Gatekeeper in External Network
▪ (7-2-E) Gateway in External Network
▪ (7-2-F) Gatekeeper in DMZ
▪ (7-2-G) Gateway in DMZ
◦ (7-3) MGCP
▪ (7-3-A) Call Agent in External Network
▪ (7-3-B) Call Agent in DMZ
▪ (7-3-C) Call Agent to Call Agent
◦ (7-4) SCCP (Skinny)
▪ (7-4-A) SCCP over TCP
▪ (7-4-B) Secure SCCP
• (8) Relevant Check Point NAT rules
◦ (8-1) SIP
◦ (8-2) H.323
◦ (8-3) MGCP
◦ (8-4) SCCP (Skinny)
• (9) Relevant Check Point kernel tables
◦ (9-1) SIP
◦ (9-2) H.323
◦ (9-3) MGCP
• (10) Check Point Security Gateway and VoIP traffic
◦ (10-1) SecureXL
◦ (10-2) CoreXL
◦ (10-3) ClusterXL
◦ (10-4) SIP interoperability with NAT
◦ (10-5) VoIP protections and IPS
• (11) Troubleshooting VoIP traffic on Check Point Security Gateway
◦ (11-1) Things that can go wrong
◦ (11-2) General action plan
• (12) Debugging Check Point Security Gateway
◦ (12-1) Syntax
◦ (12-2) Action plan
◦ (12-3) Modules and Flags
• (13) Debug instructions
◦ (13-1) Issues with SIP over UDP traffic
◦ (13-2) Issues with SIP over TCP traffic
◦ (13-3) Issues with H.323 traffic
◦ (13-4) Issues with SCCP (Skinny) traffic
◦ (13-5) Issues with Windows Messenger traffic
• (14) Overview of SmartView Tracker logs
◦ (14-1) All protocols
◦ (14-2) SIP
◦ (14-3) H.323
◦ (14-4) MGCP
◦ (14-5) SCCP (Skinny)
◦ (14-6) MSN over SIP
• (15) Documentation
◦ (15-1) Check Point Release Notes
◦ (15-2) Check Point Administration Guides
◦ (15-3) RFC
◦ (15-4) External references
• (16) Related solutions and documents
◦ (16-1) Configuration
◦ (16-2) Troubleshooting
◦ (16-3) Additional references
• (17) Revision history

(1) Introduction
For more details, refer to the Documentation section.

Note: For Locally Managed 600, 700, 1100, 1200R, 1400 appliances, refer to sk113573 - Configuring VoIP on Locally Managed 600 / 700 / 1100 / 1200R / 1400 appliances.

(1-1) Check Point Security Gateway

Check Point Security Gateway secures VoIP traffic in SIP, H.323, MGCP and SCCP environments. VoIP calls involve a whole series of complex protocols, each of which can carry potentially threatening
information through many ports.

Check Point Security Gateway verifies that caller and receiver addresses are located where they are supposed to be, and that the caller and receiver are allowed to make and receive VoIP calls. In addition, Check Point Security Gateway examines the contents of the packets passing through every allowed port, to verify that they contain proper information. Full stateful inspection of SIP, H.323, MGCP and SCCP commands ensures that all VoIP packets are structurally valid, and that they arrive in a valid sequence.

The following figure is a general overview of the VoIP protocols supported by Check Point Security Gateway:


(1-2) SIP

(1-2-A) SIP Description

SIP (Session Initiation Protocol) is a Voice over IP protocol, transported over UDP and TCP. It is an Application Layer control protocol used for creating, modifying, and terminating sessions with one or
more participants.

SIP employs design elements similar to the HTTP request/response transaction model. Each transaction consists of a client request that invokes a particular method or function on the server and at
least one response. SIP reuses most of the header fields, encoding rules and status codes of HTTP, providing a readable text-based format.

Each resource of a SIP network, such as a user agent or a voice mail box, is identified by a uniform resource identifier (URI), based on the general standard syntax also used in Web services and e-mail. A
typical SIP URI is of the form 'sip:username:password@host:port'. The URI scheme used for SIP is 'sip:'.

If secure transmission is required, the scheme 'sips:' is used and mandates that each hop, over which the request is forwarded up to the target domain, must be secured with Transport Layer Security
(TLS).

SIP works in concert with several other protocols and is only involved in the signaling portion of a communication session.

SIP is primarily used in setting up and tearing down voice or video calls. It also allows modification of existing calls.

SIP clients typically use TCP or UDP on port numbers 5060 and/or 5061 to connect to SIP servers and other SIP endpoints. Port 5060 is commonly used for non-encrypted signaling traffic, whereas port
5061 is typically used for traffic encrypted with Transport Layer Security (TLS).

(1-2-B) SIP Entities

• SIP User Agents (SIP Phones)

◦ Client - initiates SIP signalling (UAC)


◦ Server - responds to the SIP signalling from the Client (UAS)

• SIP Gateways

◦ To PSTN for telephony interworking


◦ To H.323 for IP telephony interworking
◦ etc.

• SIP Servers (Proxy, Registrar, Redirect, Location, etc.)

◦ Proxy server - decides next hop and forwards request


◦ Registrar server - accepts REGISTER requests from clients
◦ Redirect server - receives connection requests from the User Agents and sends them back to the requester including destination data instead of sending them to the calling party (or
another proxy server if the particular station is not in its administration)
◦ Location Server - receives registration requests from the User Agents and updates the terminal database with them (server is used to locate SIP users or to forward messages)

All server functions (Proxy, Redirect, Location) are typically available on a single physical machine called the proxy server, which is responsible for client database maintenance, connection establishment, maintenance and termination, and call routing.

(1-2-C) Types of SIP Messages

There are two types of SIP messages:

• Requests - Sent from the Client to the Server.

• Responses - Sent from the Server to the Client.

Request + Response = Transaction. Transactions are identified by the value in the 'Cseq' (Command Sequence) header field.

(1-2-D) SIP Requests

• REGISTER - Registers / un-registers a specific address with the SIP server.

• INVITE - Initiates a call.


• ACK - Confirms a final response for INVITE.

• BYE - Terminates (and transfers) a call.

• CANCEL - Cancels pending requests (searches and "ringing").

• OPTIONS - Queries the capabilities of the other side.

• SUBSCRIBE - Subscribes / un-subscribes to a particular state.

• NOTIFY - Returns current state information.

• INFO - Sends mid-session information (ISUP). Does not modify session state.

• UPDATE - Updates the remote target of a dialog (re-INVITE).

• MESSAGE - Carries instant messages in the request body.

• REFER - Asks recipient to issue a SIP request (call transfer).

• etc.

(1-2-E) SIP Responses

• 1xx: Provisional - Request received, continuing to process the request (e.g.: 100 Trying, 180 Ringing, 181 Call Forwarded, 182 Queued, 183 Session Progress)

• 2xx: Success - Action was successfully received, understood, and accepted (e.g.: 200 OK)

• 3xx: Redirection - Further action needs to be taken in order to complete the request (e.g.: 301 Moved Permanently, 302 Moved Temporarily, 305 Use Proxy, 380 Alternative Server)

• 4xx: Client-Error - The request contains bad syntax or cannot be fulfilled at this server (e.g.: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 405 Bad Method, 407 Proxy
Authentication Required, 415 Unsupported Content, 420 Bad Extensions, 486 Busy Here)

• 5xx: Server-Error - The server failed to fulfill an apparently valid request (e.g.: 500 - Server Internal Error, 501 Not Implemented, 503 Unavailable, 504 Timeout, 513 Message Too Large)

• 6xx: Global-Failure - The request cannot be fulfilled at any server (e.g.: 600 Busy Everywhere, 603 Decline, 604 Does Not Exist Anywhere, 606 Not Acceptable)

Additional details:

• Final Response - Terminates a SIP transaction. 2xx, 3xx, 4xx, 5xx and 6xx responses are final. Exactly one non-2xx final response may be sent for a request.

• Provisional response - Does not terminate a SIP transaction; it is followed by a final response. Multiple provisional responses may arrive before the final response is received. Provisional responses to an INVITE request can create "early dialogs". 1xx responses are provisional.

(1-2-F) SIP Messages

SIP messages comprise the following three parts:

1. Start Line

• Request-line (requests) - Includes a Request URI, which indicates the user or service, to which this request is being addressed (e.g., INVITE sip:[email protected]:5060 SIP/2.0).

• Status-line (responses) - Holds the numeric Status-code and its associated textual phrase (e.g., SIP/2.0 200 ok).

2. Headers

• SIP header fields are similar in syntax and semantics to HTTP header fields. Each header takes the format '<name>: <value>\r\n' (e.g., Call-ID: 11269877456  Cseq: 3 REGISTER).

• The header section ends with '\r\n\r\n'.

3. Body (Content) - optional

• The body of the SIP message starts after headers (\r\n\r\n).

• The body of the SIP message may be used to carry opaque data of any kind.

• Its length and type are given in the 'Content-Length' and 'Content-Type' header fields (e.g., Content-Type: application/sdp  Content-Length: 220).

Content type:

◦ SDP (Session Description Protocol) - Used to describe the session to be initiated (audio and video codec types, sampling rates, etc.).

◦ Text - The Message body may be used to contain opaque textual data. For example, in case of SIP Message.

◦ Others (e.g., attachments).

(1-2-G) Session Description Protocol (SDP)

SDP is the protocol used to describe multimedia session announcement, multimedia session invitation and other forms of multimedia session initiation. A multimedia session is defined, for these purposes, as a set of media streams that exist for a duration of time.

SDP packets usually include the following information:

• Session information
◦ Session name and purpose
◦ Time(s) the session is active
Since the resources necessary for participating in a session may be limited, it would be useful to include the following additional information:
◦ Information about the bandwidth to be used by the session
◦ Contact information for the person responsible for the session
• Media Information
◦ Type of media, such as video and audio
◦ Transport protocol, such as RTP/UDP/IP and H.320
◦ Media format, such as H.261 video and MPEG video
◦ Multicast address and Transport Port for media (IP multicast session)
◦ Remote address for media and Transport port for contact address (IP unicast session)
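The message structure described in (1-2-C) and (1-2-F) and the SDP fields in (1-2-G), put to work in an added example (not Check Point code): a small parser that splits a SIP message into its three parts, identifies the transaction from Call-ID and CSeq, rejects a Content-Length that does not match the body, and reads the SDP c=/m= lines to find the media address and port, which is what a SIP-aware firewall needs in order to open only the negotiated RTP pinhole. The INVITE, names and addresses are constructed sample data.

```python
"""SIP message structure and SDP media extraction (sections 1-2-C, 1-2-F, 1-2-G).

Added example, not Check Point code. The INVITE below is constructed sample
input using documentation addresses (192.0.2.0/24).
"""
import re

SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=Call\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
).encode()

SAMPLE_HEAD = (
    "INVITE sip:bob@192.0.2.20:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@192.0.2.10>;tag=1928301774\r\n"
    "To: Bob <sip:bob@192.0.2.20>\r\n"
    "Call-ID: 11269877456@192.0.2.10\r\n"
    "CSeq: 3 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n"
    "\r\n"
)
SAMPLE_INVITE = (SAMPLE_HEAD % len(SAMPLE_SDP)).encode() + SAMPLE_SDP


class SipParseError(ValueError):
    """Raised for a message a stateful inspector would treat as structurally invalid."""


def parse_sip_message(raw):
    """Return a dict with the start line, headers (lower-cased names), transaction and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")      # headers end with CRLF CRLF
    if not sep:
        raise SipParseError("header section not terminated by CRLF CRLF")
    lines = head.decode("utf-8").split("\r\n")
    headers = {}
    for line in lines[1:]:                              # each header is '<name>: <value>'
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipParseError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    m = re.fullmatch(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if m:                                               # Status-line (response)
        msg.update(kind="response", status=int(m.group(1)), reason=m.group(2))
    else:                                               # Request-line (request)
        m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", lines[0])
        if not m:
            raise SipParseError("bad start line: %r" % lines[0])
        msg.update(kind="request", method=m.group(1), request_uri=m.group(2))
    # Request + response form a transaction, identified by the CSeq value.
    cm = re.fullmatch(r"(\d+) ([A-Z]+)", headers.get("cseq", ""))
    if not cm:
        raise SipParseError("missing or malformed CSeq")
    msg["transaction"] = (headers.get("call-id"), int(cm.group(1)), cm.group(2))
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):                           # structurally invalid: reject
        raise SipParseError("Content-Length %d but body is %d bytes" % (declared, len(body)))
    return msg


def sdp_media_endpoints(sdp):
    """Return (media, address, port) per m= line. A c= line before any m= line applies
    to the whole session; a c= line after an m= line overrides it for that media only."""
    session_addr, media = None, []
    for line in sdp.decode().splitlines():
        if line.startswith("c="):
            addr = line[2:].split()[2]                  # c=<nettype> <addrtype> <address>
            if media:
                media[-1]["addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line[2:].split()                   # m=<media> <port> <proto> <fmt>...
            media.append({"media": fields[0], "port": int(fields[1]), "addr": None})
    return [(m["media"], m["addr"] or session_addr, m["port"]) for m in media]


def rtp_pinholes(raw):
    """Media endpoints a SIP-aware firewall would open for this message, if any."""
    msg = parse_sip_message(raw)
    if msg["headers"].get("content-type", "").lower() != "application/sdp":
        return []
    return sdp_media_endpoints(msg["body"])


if __name__ == "__main__":
    print(parse_sip_message(SAMPLE_INVITE)["transaction"], rtp_pinholes(SAMPLE_INVITE))
```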

(1-2-H) SIP Architecture

• Peer-to-Peer

• Outbound Proxy

• VoIP to PSTN

• PSTN to VoIP

• Proxy mode


• Redirect mode

(1-2-I) SIP Example

• Example 1:

Connection establishment and termination procedures in the SIP proxy server environment:

• Example 2:

A very simplified view of how some SIP logical entities use messages to interact, in this case to set up a voice call from a PC (softphone) to a hardware SIP VoIP phone.


1. User Agent: 'X in SIP domain A wants to call Y in SIP domain B'
2. Proxy Server: 'Where do call setup requests for domain B go?'
3. Redirect Server: 'Send call setup requests to domain B Proxy Server at address enclosed in this response message'
4. Proxy Server: 'Call setup request for B'
5. Proxy Server: 'Where is B?'
6. Registrar Server: 'B is at address enclosed in this response message'
7. Proxy Server: 'Call notification'
8. Response
9. Response
10. Response

If the call setup is successful (Y is free to take the call), then a media path using RTP is established between X and Y and the connected parties can start to talk.

(1-3) H.323

(1-3-A) H.323 Description

H.323 is an ITU (International Telecommunication Union) standard that specifies the components, protocols and procedures that provide multimedia communication services, real-time audio, video, and
data communications over packet networks, including Internet Protocol (IP) based networks.

H.323 call signaling is based on the ITU-T Recommendation Q.931 protocol and is suited for transmitting calls across networks using a mixture of IP, PSTN, ISDN, and QSIG over ISDN. A call model,
similar to the ISDN call model, eases the introduction of IP telephony into existing networks of ISDN-based PBX systems, including transitions to IP-based PBXs.

H.323 registration and alternate communication occur on UDP port 1719, and H.323 call signalling occurs on TCP port 1720.

(1-3-B) H.323 Architecture

The H.323 components are terminal, gateway, gatekeeper, Multipoint Control Units (MCUs) and Border Elements:

Note: terminal, gateway, gatekeeper are referred to as "endpoints".

• Terminals represent the endpoints of each H.323 connection and can be realized in hardware or software. Audio transmission via G.711 and support for the control protocols H.245, H.225 and RAS are mandatory. The use of other audio codecs and the option to transfer video and data are optional. If these additional services are offered, certain codecs have to be used.

If several codecs are available for the same kind of data, the codec to be used is negotiated at the beginning of a connection via H.245. Each communication begins and ends with an H.323 terminal,
whereby several audio and video connections are possible simultaneously. Coding and decoding can take place in asymmetric operation even with various codecs.

Examples:
◦ Telephones
◦ Video phones
◦ IVR devices
◦ Voicemail Systems
◦ "Soft phones"

• Gateways establish the connection in other networks, i.e., gateways connect the H.323 network with the switched network of PBXs and Central Office switches. Gateways are optional components
of H.323 topology. The function of the gateways is to convert the various data formats in transport, process control and audio/video processing. Data communication of the gateways with the
terminals is via H.245 and H.225. Some of the gateway functions are not exactly specified in H.323 and are left up to the manufacturer, for example, the maximum number of connected terminals,
the maximum number of connections to other networks, the number of simultaneously independent conferences as well as the supported conversion and multipoint functions.

• Gatekeepers take over the task of translating between telephone numbers, e.g., in accordance with the E.164 numbering standard, and IP addresses. Gatekeepers take over various control and management functions within an H.323 zone and also belong to the optional components. If a gatekeeper exists, its services have to be used by the terminals. Only one gatekeeper is permitted per H.323 zone. The two main tasks of the gatekeeper are address conversion and bandwidth management. The address conversion function serves to control the connection; bandwidth management is designed to avoid overload situations. Both functions are realized via the RAS protocol defined in H.225.0. The network administrator is able to allocate a part of the total bandwidth to H.323 connections and release the rest for other applications. If the preset limit has been reached, the gatekeeper rejects further connection requests from terminals or an increase in bandwidth for already existing connections, and prevents network overloads. The criteria used to determine whether bandwidth is available are not the subject matter of H.323.

As the gatekeeper also takes over access control of the terminals via RAS, it can also reject connections if individual terminals are not authorized.

Finally the gatekeeper can also play a role by receiving and routing the H.245 channels in connections between two users. If the conference is extended to three or more users the gatekeeper
routes the H.245 control channels to a multipoint controller which then takes over the task of controlling the conference.

The H.323 standard defines mandatory and optional gatekeeper functions as described below:


A. Mandatory functions
◦ Address Translation - Translate H.323 IDs (such as [email protected]) and E.164 numbers (standard telephones numbers) to endpoint IP addresses
◦ Admission Control - Controls endpoint admission into the H.323 network. To achieve this, the gatekeeper uses the following H.225 Registration, Admission, and Status (RAS) messages:
▪ Admission Request (ARQ)
▪ Admission Confirm (ACF)
▪ Admission Reject (ARJ)
◦ Bandwidth Control - Consists of managing endpoint bandwidth requirements. To achieve this, the gatekeeper uses the following H.225 RAS messages:
▪ Bandwidth Request (BRQ)
▪ Bandwidth Confirm (BCF)
▪ Bandwidth Reject (BRJ)
◦ Zone Management - The gateway provides zone management for all registered endpoints in the zone. For example, controlling the endpoint registration process.

B. Optional functions
◦ Call Authorization - With this option, the gateway can restrict access to certain terminals or gateways and/or have time-of-day policies restrict access.
◦ Call Management - With this option, the gateway maintains active call information and uses it to indicate busy endpoints or redirect calls.
◦ Bandwidth Management - With this option, the gateway can reject admission when the required bandwidth is not available.
◦ Call Control Signaling - With this option, the gateway can route call-signaling messages between H.323 endpoints using the Gatekeeper-Routed Call Signaling (GKRCS) model.
Alternatively, it allows endpoints to send H.225 call-signaling messages directly to each other.

Each Gatekeeper involved in the call can choose one of the two possible routing modes:
◦ Direct - During the admission, the Gatekeeper indicates that the endpoints can exchange call-signaling messages directly. The endpoints exchange the call signaling on the call-signaling channel.

◦ Gatekeeper routed - The admission messages are exchanged between the endpoint and the Gatekeeper on the RAS channel. The Gatekeeper receives the call-signaling messages from one
endpoint and routes them to the other endpoint.

• Multipoint Control Units (MCUs) are used in the case of conferences with more than two users. They ensure that connections are properly set up and released, that audio and video are mixed, and that the data are distributed among the conference. Each of the H.323 terminals sends its data to the MCU. An MCU consists of a Multipoint Controller (MC) and any number of Multipoint Processors (MP). The Multipoint Controller (MC) takes care of H.245, negotiates the general functions for audio and video processing, and controls the resources by determining which data flows are to be transmitted by the MP(s). Multipoint Processors (MPs) receive media streams from conference participants, process them and distribute media streams to the terminals in the conference. Video processing refers to all algorithms and formats, audio processing only to the algorithms, data processing only to the flows. In video processing by Multipoint Processors (MP), switching and mixing are also required. Switching ensures that a certain data flow is sent if several data flows are available (for example, with the matching video sequences, if the speaker in a conference changes, identified by an audio signal, or if a change is requested via H.245). Mixing allows several data flows to be combined, whereby the image created is split into several segments and re-coded.

Multipoint Processors (MPs) also perform audio switching and mixing. Incoming signals are decoded in a standard procedure according to Pulse-Code Modulation (PCM) or analogously, combined
in a suitable way and then coded in the desired audio format. In this combination interference signals and ancillary noises can be diminished.

An individual combination of the incoming audio data can be supplied to each user whereby private communication is enabled within conferences. The audio data transmitted should not be
contained in the audio data received. Multipoint Controller (MC) and Multipoint Processor (MP) can be co-located with other components, e.g., with H.323 terminals.

The H.323 standard makes the distinction between callable and addressable end devices: all components are addressable; gatekeepers are, however, not callable.

• Border Elements, which are often co-located with a Gatekeeper, exchange addressing information and participate in call authorization between administrative domains. Border Elements may
aggregate address information to reduce the volume of routing information passed through the network, may assist in call authorization/authentication directly between two administrative
domains or via a clearinghouse.
Peer elements are like "border elements", but reside within the interior of the administrative domain.

• Zone is the collection of H.323 nodes such as Gateways, Terminals, and MCUs registered with the Gatekeeper.
◦ There may be more than one physical Gatekeeper device that provides the logical Gatekeeper functionality for a zone.
◦ There can only be one active Gatekeeper per zone.
◦ These zones can overlay subnets and one Gatekeeper can manage Gateways in one or more of these subnets.
◦ The physical location of the Gatekeeper with respect to its endpoints is immaterial.

H.323 Components summary:

(1-3-C) H.323 Communication

The four components (terminal, gateway, gatekeeper, Multipoint Control Units (MCUs)) communicate by exchanging information flows among each other. These are split into five categories:

• Audio (digitized and coded) voice


• Video (digitized and coded full-motion image communication)


• Data (files such as text documents or images)
• Communication control (exchange of supported functions, controlling logical channels, etc.)
• Controlling connections (connection setup and connection release, etc.)

The key function of H.323 components is to exchange information flows. A distinction is made between audio, video and data flows, which are processed with certain codecs. All three information flows are transmitted via logical channels in accordance with the H.225.0 standard:

• Audio transmission has to be supported by H.323 terminals via the G.711 codec. G.711 was originally designed for ISDN networks with fixed transmission rates, and has an output of 64 kbit/s. Although feasible in most LAN environments, G.711 cannot be used on low bandwidth links. Therefore, the ITU-T-specified G.723 is a preferred codec due to its exceptional compression of voice to 5.3-6.3 kbit/s. Further optional audio codecs are G.722, G.728, G.729 and MPEG1, all of them offering benefits for certain environments and applications.

The H.323 endpoints can support any of these codecs, and can advertise and negotiate the usage of these codecs in communications to other endpoints.

• Video transmission is an optional function of H.323 terminals. If it is supported it has to be handled via the ITU-T standards H.261 and optionally via H.263. The H.261 standard uses transmission
rates of N x 64 kBit/s (N = 1, 2, ... 30) and can therefore for example use several ISDN channels. H.261 uses intra- and inter-frame coding similar to MPEG. Motion compensation is an optional
function.

The more recent H.263 standard is compatible with H.261, but features by far better image quality as a result of 1/2 Pixel Motion Estimation, Predicted Frames and is also suitable for lower
transmission rates. H.263 defines five image formats. The interaction with H.261 takes place via the QCIF format supported by both.

• For the transmission of data between endpoints, the H.323 standard refers to the ITU-T T.120 standard that can be used for various applications in the field of Collaborative Work, such as Whiteboarding, Application Sharing, and joint document management. T.120 is independent of the operating system and transport protocol and is supported by more than 100 companies.

The characteristics of T.120 comprise:


◦ Multipoint data conferences
◦ Transmission with error correction and acknowledgement of receipt, control of certain package sequences at the receiving station - also from different transmitting stations
◦ Independent of the underlying transmission layer (LAN, modem ...) and of the network (POTS, ISDN, CSDN, LAN)
◦ Interoperability and platform independence
◦ Support of heterogeneous topologies (star, cascading, series connection ...)
◦ Scalability (PC to multiprocessor), standard compatibility (e.g., to H.320) and future reliability (ATM, Frame-Relay, security aspects)

T.120 utilizes layer architecture similar to the ISO/OSI layer model: top layers (T.126, T.127) are based on the services of lower layers (T.121 to T.125) and contain protocols for special conference
applications such as common notebook (White-board) or multipoint file transmission.

(1-3-D) Real-Time Transport Protocol (RTP)

H.323 is directed at networks without special service quality. For the transmission of real-time data, such as audio or video, additional mechanisms are introduced to guarantee successful communication. The H.225.0 protocol therefore refers to the Real-time Transport Protocol (RTP) from the Internet Engineering Task Force (IETF). RTP is specified in RFC 1889 and 1890, and provides a degree of real-time capability. If used with the TCP/IP protocol family, RTP runs over UDP, and marks the UDP/IP packets with a time stamp and a sequence number. The receiving station is therefore able to sort incoming packets and play them in the correct sequence. If a packet gets lost during transmission, RTP can play the previous packet instead of re-transmitting. Since voice and video are time-critical applications, re-transmitting packets would take too long and be of no use. RTP also identifies duplicated packets, and plays only one of the copies.

To distinguish between different RTP connections, the contents of the packet can be described via the Payload Type field. An optimal supplement to RTP is the Real-time Transport Control Protocol (RTCP), which contains all control functions of RTP. RTP was designed as an open and versatile protocol and therefore functions not only with IP, but also with other protocols, such as IPX, CLNP or ATM (AAL5). RTP supports not only Unicast but also Multicast, i.e., it can be employed in multicast-enabled networks.

It is important to underline the fact that RTP neither guarantees certain transmission rates nor voice quality or an error-free transmission. The receiving station is enabled to identify faulty or incomplete
transmissions and reacts to them with suitable methods.
These are, for example:

• Omitting faulty data


• Balancing packet errors by duplicating the previous packets
• Renewed request via RTCP if too many packets are missing
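The sequence-number handling described above (time stamp and sequence number in each packet, reordering, duplicate detection, and playing the previous packet in place of a lost one), shown in an added example that is not Check Point code: a parser for the RFC 1889 fixed RTP header and a small receiver that reorders, drops duplicates and conceals gaps. The packet stream, SSRC and payloads are constructed sample data.

```python
"""RTP fixed-header parsing and receiver sequence bookkeeping (section 1-3-D).

Added example, not Check Point code. All packets are constructed sample input.
"""
import struct

RTP_FIXED = struct.Struct("!BBHII")  # V|P|X|CC, M|PT, sequence number, timestamp, SSRC


def build_rtp(seq, timestamp, payload, pt=0, ssrc=0x1234ABCD, marker=False):
    """Build a version-2 RTP packet with no CSRC list or extension (sample data only)."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return RTP_FIXED.pack(0x80, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp_header(pkt):
    """Return the header fields and payload; raise ValueError on malformed input."""
    if len(pkt) < RTP_FIXED.size:
        raise ValueError("packet shorter than the 12-byte RTP fixed header")
    b0, b1, seq, ts, ssrc = RTP_FIXED.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("unsupported RTP version %d" % (b0 >> 6))
    offset = RTP_FIXED.size + 4 * (b0 & 0x0F)        # skip the CSRC list (CC entries)
    if b0 & 0x10:                                     # X bit: extension header follows
        if len(pkt) < offset + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack_from("!H", pkt, offset + 2)[0]
        offset += 4 + 4 * ext_words
    if len(pkt) < offset:
        raise ValueError("truncated CSRC list or extension")
    return {
        "padding": bool(b0 & 0x20), "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F, "seq": seq, "timestamp": ts,
        "ssrc": ssrc, "payload": pkt[offset:],
    }


def seq_diff(a, b):
    """Signed distance from b to a in 16-bit sequence space (handles wrap-around)."""
    d = (a - b) & 0xFFFF
    return d - 0x10000 if d >= 0x8000 else d


class RtpReceiver:
    """Plays packets in sequence order: duplicates and stale packets are dropped,
    early packets wait in a buffer, and gaps are concealed on flush."""

    def __init__(self):
        self.expected = None   # next sequence number to play
        self.buffer = {}       # seq -> parsed header, waiting for earlier packets
        self.played = []       # ("ok", seq) or ("concealed", seq)
        self.duplicates = 0
        self.lost = 0

    def receive(self, pkt):
        hdr = parse_rtp_header(pkt)
        seq = hdr["seq"]
        if self.expected is None:
            self.expected = seq
        if seq_diff(seq, self.expected) < 0 or seq in self.buffer:
            self.duplicates += 1          # already played, or a copy is still buffered
            return
        self.buffer[seq] = hdr
        while self.expected in self.buffer:   # play out as long as the run is contiguous
            self.buffer.pop(self.expected)
            self.played.append(("ok", self.expected))
            self.expected = (self.expected + 1) & 0xFFFF

    def flush(self):
        """Jitter budget exhausted: play what is buffered, repeating the previous
        packet for every missing sequence number instead of retransmitting."""
        for seq in sorted(self.buffer, key=lambda s: seq_diff(s, self.expected)):
            while seq != self.expected:
                self.lost += 1
                self.played.append(("concealed", self.expected))
                self.expected = (self.expected + 1) & 0xFFFF
            self.played.append(("ok", seq))
            self.expected = (self.expected + 1) & 0xFFFF
        self.buffer.clear()
        return self.played


# Constructed arrival order: 103 arrives early, 101 is duplicated, 104 never arrives.
SAMPLE_ARRIVALS = [100, 101, 103, 102, 101, 105]


def run_sample_stream(arrivals=SAMPLE_ARRIVALS):
    rx = RtpReceiver()
    for seq in arrivals:
        rx.receive(build_rtp(seq, seq * 160, b"\xff" * 160, pt=0))  # 20 ms of G.711 u-law
    rx.flush()
    return rx


if __name__ == "__main__":
    r = run_sample_stream()
    print(r.played, "lost:", r.lost, "duplicates:", r.duplicates)
```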

(1-3-E) Real-Time Transport Control Protocol (RTCP)

Real-time Transport Control Protocol (RTCP) is the counterpart of Real-Time Transport Protocol (RTP) that provides control services. The primary function of RTCP is to provide feedback on the quality of
the data distribution. Other RTCP functions include carrying a transport-level identifier for an RTP source, called a canonical name, which is used by receivers to synchronize audio and video.

(1-3-F) RAS - Registration, Admission, and Status

RAS is used between the endpoint and its Gatekeeper in order to:

• Allow the Gatekeeper to manage the endpoint


• Allow the endpoint to request admission for a call
• Allow the Gatekeeper to provide address resolution functionality for the endpoint

RAS signaling is required when a Gatekeeper is present in the network (i.e., the use of a Gatekeeper is conditionally mandatory).

RAS messages generally have three types:

• Request (xRQ)
• Reject (xRJ)
• Confirm (xCF)

Exceptions are:

◦ Information Request (IRQ) / Information Response (IRR) / Ack / Nak


◦ The "nonStandardMessage"
◦ The "unknownMessage" response
◦ Request In Progress (RIP)
◦ Resource Availability Indicate (RAI) / Resource Availability Confirm (RAC)
◦ Service Control Indication (SCI) / Service Control Response (SCR)


Typically, RAS communication is carried out via UDP through port 1719 (unicast) and 1718 (multicast). For backward compatibility's sake, an endpoint should be prepared to receive a unicast message on port 1718 or 1719. Only UDP is defined for RAS communication. Gatekeeper Request (GRQ) and Location Request (LRQ) may be sent multicast, but are generally sent unicast. All other RAS messages are sent unicast.

Let us review some RAS messages:

• Gatekeeper Request - GRQ

◦ When an endpoint comes to life, it should try to “discover” a gatekeeper by sending a GRQ message to a Gatekeeper:
▪ Address of a Gatekeeper may be provisioned
▪ The endpoint may send a multicast GRQ
▪ Address of a Gatekeeper may be found through DNS queries (Annex O/H.323)
◦ There may be multiple Gatekeepers that could service an endpoint, thus an endpoint should look through potentially several GCF/GRJ messages for a reply.

• Gatekeeper Reject - GRJ

◦ If a Gatekeeper does not wish to provide service to the endpoint, it will generally send a GRJ message to the endpoint:
▪ As a security consideration to avoid DoS attacks, one might want to consider ignoring requests from unknown endpoints
◦ The GRJ message will carry one of several rejection reasons.

• Gatekeeper Confirm - GCF

◦ If the Gatekeeper wishes to provide service to the endpoint, it will return a GCF message.
◦ The GCF message will contain a number of data elements that will later be used by the endpoint.

• Gatekeeper Registration - RRQ

◦ Once a Gatekeeper has been "discovered", the endpoint will then register with the Gatekeeper in order to receive services.
◦ Communication is exclusively via port 1719 (unicast).
◦ The endpoint will send an RRQ and expect to receive either an RCF or an RRJ.
◦ Reception of an RRJ simply means that the endpoint will not receive services from the Gatekeeper, not that the endpoint cannot communicate on the network.
◦ During the registration process, the Gatekeeper will assign an "endpoint identifier" to the endpoint, which is to be used during subsequent communications with the Gatekeeper.
◦ The endpoint will supply a list of endpoint alias addresses and the Gatekeeper will indicate which ones it accepts.
◦ The Gatekeeper may grant the endpoint permission to place calls without using the ARQ/ACF exchange (called "pre-granted ARQs").
◦ The endpoint will indicate a "time to live" and the Gatekeeper may accept that or a lower TTL value.
◦ Lightweight RRQs:
▪ The "time to live" indicated in the RRQ tells the Gatekeeper when it may freely unregister the endpoint due to inactivity.
▪ The endpoint may renew its registration by sending either a full RRQ message or a "lightweight RRQ" (LW RRQ).
▪ The LW RRQ message only contains a few elements and is only intended to refresh the endpoint's registration.

• Admission Request - ARQ

◦ Once registered with a Gatekeeper, the endpoint may only initiate or accept a call after first requesting "admission" to the Gatekeeper via the ARQ message (except in the case that "pre-granted ARQs" is in use).
◦ The Gatekeeper may accept (ACF) or reject (ARJ) the request to place or accept a call.
◦ The endpoint will indicate the destination address(es) and the Gatekeeper may (if "canMapAlias" is true) return an alternate set of destination addresses.
◦ The endpoint uses a unique Call Reference Value (CRV) between itself and the Gatekeeper to refer to this call (link significant).
◦ The endpoint will provide a Call Identifier (CallID), which is a globally unique value.
◦ The endpoint will indicate a Conference Identifier (CID), or 0 if the Conference Identifier is not known:
▪ This is unique if the call is point to point
▪ This value is shared by all participants in the same multipoint conference
▪ Some devices do not properly handle CID=0
◦ The endpoint will indicate the desired bandwidth and the Gatekeeper may adjust that value to a lower value.
◦ The endpoint will indicate whether it is originating or answering a call.

Reference Values:

◦ Call Reference Value - CRV
▪ 16-bit integer that is link significant
▪ Most significant bit indicates the direction of the call (0=originator, 1=terminator)
▪ The CRV used in the ARQ to originate a call must be used in the subsequent SETUP message (interoperability with version 1)
▪ The CRV used in the ARQ to answer a call does not have to be the same as that received in the SETUP
◦ Conference Identifier - CID
▪ A globally unique (UUID or GUID) identifier that is shared by all participants in the same conference
◦ Call Identifier - CallID
▪ A globally unique (UUID or GUID) identifier that is unique to that particular call

• Location Request - LRQ

◦ The LRQ message is sent by either an endpoint or a Gatekeeper to a Gatekeeper in order to resolve the address of an alias address (e.g., to turn a telephone number into an IP address).
◦ While LRQs may be sent by endpoints, they are almost exclusively sent by Gatekeepers.

• Bandwidth Request - BRQ

◦ Subsequent to initial call setup, the endpoint may wish to use more or less bandwidth than previously indicated, and requests this via the BRQ.
Note: While it is syntactically legal for the Gatekeeper to send a BRJ to a request asking for less bandwidth, this makes no sense and should not be done.
◦ An endpoint must send a BRQ subsequent to initial call establishment if the actual bandwidth utilized is less than initially requested.

• Disengage Request - DRQ


◦ Once a call completes, the endpoint sends a DRQ message to the Gatekeeper.
Note: The Gatekeeper may send a DRJ, but this is strongly discouraged: if an endpoint is sending a DRQ, it means the call is over and cannot be "rejected"!
◦ The DRQ is an opportunity for the endpoint to report information useful for billing.
◦ The Gatekeeper may also send a DRQ to force the endpoint to disconnect the call.

• Information Request - IRQ

◦ The IRQ is sent by the Gatekeeper to the endpoint to request information about one or all calls.
◦ There are many details about each call that are reported to the Gatekeeper in the Information Response (IRR) message.
◦ There are provisions in H.323 to allow the endpoint to provide call information periodically and unsolicited.
◦ The Gatekeeper may acknowledge or provide negative acknowledgement to an unsolicited Information Response (IRR).

• Request In Progress - RIP

◦ A RIP message may be sent by the endpoint or the Gatekeeper to acknowledge receipt of a RAS message that cannot be responded to in normal processing time.

• Resource Availability Indicate - RAI

◦ The RAI message is sent by an endpoint to indicate when it has neared resource limits or is no longer near a resource limit.
◦ The Gatekeeper replies with Resource Availability Confirm (RAC).

• Service Control Indication - SCI

◦ This message is sent by either the endpoint or the Gatekeeper to invoke some type of service.
◦ The responding entity replies with Service Control Response (SCR).
◦ The SCI/SCR messages are used for specific services that are and will be defined for H.323, including Gatekeeper requested tones and announcements and "stimulus control" (Annex K/H.323).

• Miscellaneous Messages

◦ "Unknown Message Response" is sent to an unrecognized message.
◦ "Non-Standard Message" is used to allow Gatekeepers and endpoints to exchange messages that are not standard.

RAS Timers and Retries:

RAS message                             Time-out value (sec)   Retry count
Gatekeeper Request (GRQ)                5                      2
Gatekeeper Registration (RRQ)           3                      2
Admission Request (ARQ)                 5                      2
Location Request (LRQ)                  5                      2
Bandwidth Request (BRQ)                 3                      2
Disengage Request (DRQ)                 3                      2
Information Request (IRQ)               3                      1
Information Response (IRR)              5                      2
Resource Availability Indicate (RAI)    3                      2
Service Control Indication (SCI)        3                      2
Unregistration Request (URQ)            3                      1
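The following is an added example, not Check Point's code, that models the Gatekeeper side of the RAS exchanges described above: discovery (GRQ, answered or silently ignored), registration with TTL and lightweight RRQ refresh, admission with bandwidth adjustment, TTL expiry, the CRV direction bit, and the worst-case wait derived from the timer table. The Gatekeeper class, its provisioned alias list, the numeric limits and the reject-reason strings (named after H.225.0 reject reasons) are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Time-out (seconds) and retry count per message, from the RAS Timers and Retries table.
RAS_TIMERS = {
    "GRQ": (5, 2), "RRQ": (3, 2), "ARQ": (5, 2), "LRQ": (5, 2), "BRQ": (3, 2),
    "DRQ": (3, 2), "IRQ": (3, 1), "IRR": (5, 2), "RAI": (3, 2), "SCI": (3, 2),
    "URQ": (3, 1),
}


def max_wait_seconds(message: str) -> int:
    """Worst-case time an endpoint waits before giving up: first send plus all retries."""
    timeout, retries = RAS_TIMERS[message]
    return timeout * (1 + retries)


def make_crv(value: int, answering: bool) -> int:
    """16-bit Call Reference Value; the most significant bit carries the direction
    (0 = originator, 1 = terminator), so the body must fit in 15 bits."""
    if not 0 <= value < 0x8000:
        raise ValueError("CRV body must fit in 15 bits")
    return value | (0x8000 if answering else 0)


def crv_is_answer(crv: int) -> bool:
    return bool(crv & 0x8000)


@dataclass
class Registration:
    endpoint_id: str
    aliases: list
    ttl: int             # time to live granted by the Gatekeeper, in seconds
    expires_at: float    # absolute time; the caller supplies the clock


@dataclass
class Gatekeeper:
    """Toy Gatekeeper (assumption): known_endpoints is a provisioned list of aliases
    it is willing to serve; max_ttl and max_bandwidth are the ceilings it may lower to."""
    known_endpoints: set
    max_ttl: int = 300
    max_bandwidth: int = 768
    regs: dict = field(default_factory=dict)   # endpoint identifier -> Registration
    next_id: int = 1

    def handle_grq(self, alias: str) -> Optional[str]:
        # Discovery: a GRQ from an endpoint we do not know gets no reply at all
        # (the DoS consideration noted above), rather than a GRJ that confirms we exist.
        return "GCF" if alias in self.known_endpoints else None

    def handle_rrq(self, alias: str, aliases: list, ttl: int, now: float) -> tuple:
        """Full RRQ: assign an endpoint identifier and accept the TTL or a lower one."""
        if alias not in self.known_endpoints:
            return ("RRJ", "securityDenial")
        granted = min(ttl, self.max_ttl)
        eid = f"ep{self.next_id}"
        self.next_id += 1
        self.regs[eid] = Registration(eid, aliases, granted, now + granted)
        return ("RCF", eid)

    def handle_lightweight_rrq(self, endpoint_id: str, now: float) -> tuple:
        """LW RRQ only refreshes an existing, unexpired registration."""
        reg = self.regs.get(endpoint_id)
        if reg is None or reg.expires_at < now:
            return ("RRJ", "fullRegistrationRequired")
        reg.expires_at = now + reg.ttl
        return ("RCF", endpoint_id)

    def handle_arq(self, endpoint_id: str, bandwidth: int, now: float) -> tuple:
        """Admission: only registered endpoints may place or accept calls; the
        Gatekeeper may lower, never raise, the requested bandwidth."""
        reg = self.regs.get(endpoint_id)
        if reg is None or reg.expires_at < now:
            return ("ARJ", "callerNotRegistered")
        return ("ACF", min(bandwidth, self.max_bandwidth))

    def expire(self, now: float) -> list:
        """Unregister endpoints whose TTL lapsed without a refresh (inactivity)."""
        gone = [eid for eid, reg in self.regs.items() if reg.expires_at < now]
        for eid in gone:
            del self.regs[eid]
        return gone
```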

(1-3-G) H.323 Typical Stack


(1-3-H) H.323 Supported Protocols

The relation between supported H.323 protocols:

#   H.323   H.225   H.245
1   v2      v2      v3
2   v3      v3      v5
3   v4      v4      v7
4   v5      v5      v9
5   v6      v6      v13
6   v7      v7      v15

Examples:

• If you support both v6 of H.225 and v13 of H.245, then you support v6 of H.323
• If you support v7 of H.323, then you support both v7 of H.225 and v15 of H.245

(1-3-I) H.323 Example

An H.323 call has four different processes:

1. SETUP

• Terminal 1 (T1) registers itself with the gatekeeper using the RAS protocol (registration, admission, status), sending an ARQ message and receiving an ACF message.
• Using the H.225 protocol (used for setup and release of the call), terminal T1 sends a SETUP message to T2 requesting a connection. This message contains the IP address, port and alias of the calling user, or the IP address and port of the called user.
• T2 sends a CALL PROCEEDING message, signalling the attempt to establish a call.
• Now terminal T2 must register itself with the gatekeeper as T1 previously did.
• The ALERTING message indicates the beginning of the tone generation phase.
• Finally, the CONNECT message marks the beginning of the connection.

2. CONTROL SIGNALLING

In this phase a negotiation using the H.245 protocol is opened (conference control). The exchange of messages (request and answer) between both terminals establishes which will be the primary and which the subordinate, the capabilities of the participants, and the audio and video codecs to be used. When the negotiation finishes, the communication channel is opened (IP addresses, port).

The main H.245 messages used in this step are:

• TerminalCapabilitySet (TCS). Message carrying the capabilities supported by the terminals that take part in a call.
• OpenLogicalChannel (OLC). Message to open the logical channel, which contains the information needed to receive and decode the data. It contains information on the type of data that will be sent.

3. AUDIO

Terminals start the communication using the RTP / RTCP protocol.

4. CALL RELEASE

• The calling or the called terminal can initiate the ending process, using the CloseLogicalChannel and EndSessionCommand messages to finish the call, again via H.245.
• Then, using H.225, the connection is closed with the RELEASE COMPLETE message.
• Finally, the registration of the terminals with the gatekeeper is cleared using the RAS protocol.

(1-4) MGCP

(1-4-A) MGCP Description

Media Gateway Control Protocol (MGCP) is a protocol for controlling telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers).

MGCP is a primary/subordinate protocol, which means it assumes limited intelligence at the edge (endpoints) and intelligence at the core (Call Agent). In this it differs from SIP and H.323, which are peer-to-peer protocols.

An MGCP packet is either a command or a response. Every issued MGCP command has a transaction ID and receives a response. Commands begin with a four-letter verb (there are 9 command verbs: AUEP, AUCX, CRCX, DLCX, EPCF, MDCX, NTFY, RQNT, RSIP). Responses begin with a three-digit response code.

MGCP packets are usually wrapped in UDP port 2427.
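An added example, not Check Point's code, that parses the MGCP packet format just described (four-letter verb and transaction ID for commands, three-digit code for responses, parameter lines, optional SDP after a blank line) and pairs each response with its command by transaction ID, which is what a stateful gateway must do before it can learn media ports from a CRCX response. The sample packets are constructed, and the endpoint and host names in them are placeholders.

```python
import re
from dataclasses import dataclass

MGCP_VERBS = {"AUEP", "AUCX", "CRCX", "DLCX", "EPCF", "MDCX", "NTFY", "RQNT", "RSIP"}
MGCP_PORT_GATEWAY = 2427      # media gateway side (mgcp_MG service)
MGCP_PORT_CALL_AGENT = 2727   # call agent side (mgcp_CA service)


@dataclass
class MgcpPacket:
    kind: str                 # "command" or "response"
    transaction_id: int
    verb: str = ""            # commands only
    endpoint: str = ""        # commands only
    code: int = 0             # responses only
    params: dict = None       # parameter lines ("C: call-id", "M: mode", ...) before the blank line
    sdp: str = ""             # session description after the blank line, if any


_CMD = re.compile(r"^([A-Z]{4}) (\d{1,9}) (\S+) MGCP (\d+\.\d+)$")
_RSP = re.compile(r"^(\d{3}) (\d{1,9})(?: (.*))?$")


def parse_mgcp(raw: str) -> MgcpPacket:
    """Classify one MGCP packet; raise ValueError for anything that is neither a
    well-formed command with a known verb nor a well-formed response."""
    head, _, sdp = raw.partition("\n\n")
    lines = head.splitlines()
    if not lines:
        raise ValueError("empty packet")
    params = {}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed parameter line: {line!r}")
        params[key.strip()] = val.strip()
    m = _CMD.match(lines[0])
    if m:
        verb, tid, endpoint, _version = m.groups()
        if verb not in MGCP_VERBS:
            raise ValueError(f"unknown MGCP verb {verb}")
        return MgcpPacket("command", int(tid), verb=verb, endpoint=endpoint,
                          params=params, sdp=sdp)
    m = _RSP.match(lines[0])
    if m:
        code, tid, _comment = m.groups()
        return MgcpPacket("response", int(tid), code=int(code), params=params, sdp=sdp)
    raise ValueError(f"not an MGCP command or response: {lines[0]!r}")


class TransactionTracker:
    """Matches responses to outstanding commands by transaction ID."""

    def __init__(self):
        self.pending = {}   # transaction ID -> command packet

    def observe(self, pkt: MgcpPacket):
        """Return None for a command, the matched verb for a response, or a marker
        string for a response with no outstanding command (worth logging)."""
        if pkt.kind == "command":
            self.pending[pkt.transaction_id] = pkt
            return None
        cmd = self.pending.pop(pkt.transaction_id, None)
        return cmd.verb if cmd is not None else "unsolicited response"


# Constructed sample exchange: a CreateConnection and its response carrying SDP.
SAMPLE_CRCX = ("CRCX 1204 aaln/1@gw-a.example.invalid MGCP 1.0\n"
               "C: A3C47F21456789F0\nL: p:10, a:PCMU\nM: recvonly\n")
SAMPLE_200 = ("200 1204 OK\nI: FDE234C8\n\n"
              "v=0\nc=IN IP4 192.0.2.10\nm=audio 3456 RTP/AVP 0\n")
```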

(1-4-B) MGCP Characteristics

Characteristics:

• A primary/subordinate protocol
• Assumes limited intelligence at the edge (endpoints) and intelligence at the core (call agent)
• Used between call agents and media gateways
• Differs from SIP and H.323, which are peer-to-peer protocols
• Interoperates with SIP and H.323

(1-4-C) MGCP Components

• Call Agent or Media Gateway Controller (MGC)
◦ Provides call signaling, control and processing intelligence to the gateway
◦ Sends and receives commands to/from the gateway
• Gateway
◦ Provides translations between circuit-switched networks and packet-switched networks
◦ Sends notification to the Call Agent about endpoint events
◦ Executes commands from the Call Agents

(1-4-D) MGCP and SIP / H.323

• MGCP divides call setup/control and media establishment functions.
• MGCP does not replace SIP or H.323. SIP and H.323 provide symmetrical or peer-to-peer call setup/control.
• MGCP interoperates with H.323 and SIP. For example:
◦ A call agent accepts SIP or H.323 call setup requests
◦ The call agent uses MGCP to control the media gateway
◦ The media gateway establishes media sessions with other H.323 or SIP endpoints

(1-4-E) MGCP Example

Simplified Call Flow:

1. When Phone A goes off hook, Gateway A sends a signal to the Call Agent.

2. Gateway A generates dial tone and collects the dialed digits.

3. The digits are forwarded to the Call Agent.

4. The Call Agent determines how to route the call.

5. The Call Agent sends commands to Gateway B.

6. Gateway B rings Phone B.

7. The Call Agent sends commands to both gateways to establish RTP/RTCP sessions.

(1-5) SCCP (Skinny)

(1-5-A) SCCP (Skinny) Description

Skinny Client Control Protocol (SCCP) has a centralized call-control architecture. The Call Manager manages SCCP clients (VoIP endpoints), which can be IP Phones or Cisco ATA analog phone adapters.

An SCCP client uses TCP/IP port 2000 to communicate with one or more Call Manager applications in a cluster. It uses the Real-time Transport Protocol (RTP) over UDP transport for the bearer traffic (real-time audio stream) with other Skinny clients, or with an H.323 terminal.

SCCP is a stimulus-based protocol and is designed as a communications protocol for hardware endpoints and other embedded systems, with significant CPU and memory constraints.

(1-6) Windows Messenger

(1-6-A) Windows Messenger Description

Windows Messenger can work in two modes. Either using the SIP protocol, or using the native MSNMS protocol.


(2) Check Point Specifications


Signaling protocols:
• Session Initiation Protocol (SIP)
• H.323
• Media Gateway Control Protocol (MGCP)
• Skinny Client Control Protocol (SCCP)

Media protocols:
• Real-time Transport Protocol (RTP)
• Real Time Control Protocol (RTCP)

Session Initiation Protocol (SIP):
• RFC 3261 - Latest SIP RFC
• RFC 3372 - SIP-T
• RFC 3311 - UPDATE message
• RFC 2976 - INFO message
• RFC 3515 - REFER message
• RFC 3265 - SIP Events
• RFC 3266 - IPv6 in SDP
• RFC 3262 - Reliability of Provisional responses
• RFC 3428 - MESSAGE message, MSN messenger over SIP, SIP over TCP, SIP over UDP, SIP early media

H.323:
• H.323 v.2, v.3, v.4
• H.225 v.2, v.3, v.4
• H.245 v.3, v.5, v.7

Media Gateway Control Protocol (MGCP):
• RFC 3435 - MGCP v1.0
• J.171 - Trunking Gateway Control Protocol (TGCP)

Skinny Client Control Protocol (SCCP):
• Supported

(3) Check Point Definitions


Term: Early NAT
Definition:
SIP normally works on UDP port 5060 regardless of the state of the call. This causes several calls to use the same signaling connection. In order to distinguish between signaling connections of different transactions, the Security Gateway translates the source port to "10000 and above/UDP". This translation is called "Early NAT". This translation is needed to distinguish between connections of different transactions for internal needs, such as closing the relevant connections when a call is terminated, without closing connections of other calls.

Early NAT is part of Check Point's SIP support. It translates the source port according to SIP protocol information. It is a stateful, SIP-oriented translation of the source port of SIP traffic that is used in order to deal with IP phones that change their source port on every packet. This internal port translation allows the Security Gateway to increase its performance and save memory resources. It is also used to manage the call's state, reaching strong protocol enforcement, and to gain strong NAT capabilities allowing incoming calls to an IP phone network hidden behind a single IP address.

Early NAT is performed even when no NAT is configured for VoIP traffic.

This is a ports-only translation, which is usually done on the source port of the packet.

In a Bi-directional SIP configuration, the Early NAT is performed on the destination port of the packet.

Early NAT is performed only for SIP over UDP.

The packet should leave the Security Gateway (Post-Outbound 'O') with the same port it was intercepted with (Pre-Inbound 'i').

Term: Late NAT
Definition:
The Security Gateway translates the SIP port from "10000 and above/UDP" back to "5060". This translation is called "Late NAT".

Late NAT is performed even when no NAT is configured for VoIP traffic.

This is a ports-only translation, which is usually done on the source port of the packet.

In a Bi-directional SIP configuration, the Late NAT is performed on the destination port of the packet.

Late NAT is performed only for SIP over UDP.

The packet should leave the Security Gateway (Post-Outbound 'O') with the same port it was intercepted with (Pre-Inbound 'i').

Term: Check Point Active Streaming (CPAS)
Definition:
Check Point technology that sends streams of data to be inspected in the Check Point kernel, since more than a single packet at a time is needed in order to understand the application that is running (such as HTTP data). This technology works as a transparent proxy (the FireWall maintains two separate conversations: 1) with a Client, "pretending" to be a Server, 2) with a Server, "pretending" to be a Client).
Connections that pass through Active Streaming cannot be accelerated by SecureXL.
Active Streaming is 'Read' and 'Write'.

Term: Check Point Passive Streaming
Definition:
Check Point technology that sends streams of data to be inspected in the Check Point kernel, since more than a single packet at a time is needed in order to understand the application that is running (such as HTTP data).
Connections that pass through Passive Streaming are accelerated by SecureXL.
Passive Streaming is 'Read' only and it cannot hold packets.

Term: Passive Streaming Library / Layer (PSL)
Definition:
Check Point technology that assembles the streams and passes ordered data to the protocol parsers, which parse the traffic to find contexts and protocol compliance anomalies. When a context is found, the Content Management Infrastructure (CMI) is called to coordinate the IPS protections relevant for each context.
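The Early NAT / Late NAT behaviour for SIP over UDP, as an added simulation that is not Check Point's code: every phone sends signaling to port 5060, the gateway rewrites the source port to a unique value of 10000 or above per call at Pre-Inbound so that connections of different calls can be told apart and closed independently, and Late NAT restores the intercepted port at Post-Outbound. Keying the translation on (source IP, Call-ID) and releasing it on BYE are assumptions of this model; the SIP messages are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

SIP_PORT = 5060
EARLY_NAT_BASE = 10000


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str                            # SIP message text
    intercepted_port: Optional[int] = None  # source port seen at Pre-Inbound, set by Early NAT


def call_id(sip: str) -> str:
    """Return the Call-ID header value (long or compact form); raise if absent."""
    for line in sip.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("call-id", "i"):
            return value.strip()
    raise ValueError("SIP message without Call-ID")


def is_bye(sip: str) -> bool:
    return sip.split(" ", 1)[0] == "BYE"


class EarlyLateNat:
    def __init__(self):
        self.port_by_call = {}   # (src_ip, Call-ID) -> translated source port
        self.call_by_port = {}   # translated source port -> (src_ip, Call-ID)
        self._next = EARLY_NAT_BASE

    def early_nat(self, pkt: Packet) -> Packet:
        """Pre-Inbound ('i'): only SIP over UDP to the well-known port is translated
        (assumption: dst_port 5060 identifies SIP signaling here)."""
        if pkt.dst_port != SIP_PORT:
            return pkt
        key = (pkt.src_ip, call_id(pkt.payload))
        port = self.port_by_call.get(key)
        if port is None:
            # New call: allocate the next port at or above 10000 for this call only.
            port = self._next
            self._next += 1
            self.port_by_call[key] = port
            self.call_by_port[port] = key
        return replace(pkt, src_port=port, intercepted_port=pkt.src_port)

    def late_nat(self, pkt: Packet) -> Packet:
        """Post-Outbound ('O'): put back the port the packet was intercepted with."""
        if pkt.intercepted_port is None:
            return pkt
        if is_bye(pkt.payload):
            # Call over: drop this call's mapping only; other calls keep theirs.
            key = self.call_by_port.pop(pkt.src_port, None)
            if key is not None:
                self.port_by_call.pop(key, None)
        return replace(pkt, src_port=pkt.intercepted_port, intercepted_port=None)

    def active_calls(self) -> int:
        return len(self.port_by_call)


# Constructed SIP messages from two phones behind the gateway.
INVITE_A = "INVITE sip:2002@203.0.113.5 SIP/2.0\r\nCall-ID: a1@10.0.0.11\r\n"
INVITE_B = "INVITE sip:2003@203.0.113.5 SIP/2.0\r\nCall-ID: b7@10.0.0.12\r\n"
BYE_A = "BYE sip:2002@203.0.113.5 SIP/2.0\r\nCall-ID: a1@10.0.0.11\r\n"


def run_two_calls() -> dict:
    """Drive two concurrent calls through the gateway and report the ports seen."""
    nat = EarlyLateNat()
    ia = nat.early_nat(Packet("10.0.0.11", 5060, "203.0.113.5", 5060, INVITE_A))
    ib = nat.early_nat(Packet("10.0.0.12", 5060, "203.0.113.5", 5060, INVITE_B))
    # Phone A retransmits from a different source port: same call, same translated port.
    ia2 = nat.early_nat(Packet("10.0.0.11", 5062, "203.0.113.5", 5060, INVITE_A))
    a_out = nat.late_nat(ia).src_port
    a_retry_out = nat.late_nat(ia2).src_port
    bye = nat.late_nat(nat.early_nat(Packet("10.0.0.11", 5060, "203.0.113.5", 5060, BYE_A)))
    return {"a_first": ia.src_port, "b_first": ib.src_port, "a_retry": ia2.src_port,
            "a_out": a_out, "a_retry_out": a_retry_out, "bye_out": bye.src_port,
            "active": nat.active_calls()}
```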

(4) Relevant ports


(4-1) SIP

UDP 5060 / TCP 5060 / TCP 5061
  SIP clients typically use TCP or UDP on port numbers 5060 and/or 5061 to connect to SIP servers and other SIP endpoints. Port 5060 is commonly used for non-encrypted signaling traffic. Port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).

(4-2) H.323

UDP 1718 multicast (Gatekeeper)
  Gatekeeper Discovery.

UDP 1719 unicast (Gatekeeper)
  H.225 RAS - between terminals and gatekeepers. Gatekeeper RAS (Registration, Admission and Status).

TCP 1720 (Client)
  • H.225 - between terminals (Q.931). Call signaling and setup.
  • H.245 - between terminals. Exchanging terminal capabilities and creation of media channels. May be tunneled inside the H.225 call signaling channel.

TCP 1731 (Client)
  Audio Call Control.

(4-3) H.245 Call Parameters

TCP 1502 / TCP 1503
  T.120 (optional).

TCP 389
  ILS (Internet Locator Service) Registration (LDAP) (optional).

TCP 80
  HTTP Interface (optional).

TCP 8080
  HTTP Server Push (optional).

(4-4) MGCP

UDP 2427
  MGCP packets are usually wrapped in UDP port 2427.

(4-5) SCCP (Skinny)

TCP 2000
  An SCCP client uses this port to communicate with one or more Call Manager applications.

(4-6) Windows Messenger

UDP 5060 / TCP 5060 / TCP 5061
  IM and presence information are carried over Session Initiation Protocol (SIP) signaling. The SIP signaling can be carried over Transmission Control Protocol (TCP) in clear text, or it can be encrypted in a Transport Layer Security (TLS) session.

TCP 1503
  The Whiteboard and Application Sharing components of Windows Messenger use the T.120 protocol.

UDP 5350
  Specifies the lowest port that is used for Audio and Video signaling (min 1024, max 65535). Audio uses a pair of User Datagram Protocol (UDP) ports for a Real-time Transport Protocol (RTP) stream to transmit data. Video uses the Real-time Transport Control Protocol (RTCP) to control the session stream.

UDP 5353
  Specifies the highest port that is used for Audio and Video signaling (min 1024, max 65535). Audio uses a pair of User Datagram Protocol (UDP) ports for a Real-time Transport Protocol (RTP) stream to transmit data. Video uses the Real-time Transport Control Protocol (RTCP) to control the session stream.

(5) Supported VoIP Deployments


Note: Refer to the Relevant Check Point Security rules section and to the Relevant Check Point NAT rules section.

(5-1) SIP Deployment

Note: Refer to the Relevant Check Point Security rules - SIP section and to the Relevant Check Point NAT rules - SIP section.

Supported SIP Topology / Description:

SIP Endpoint-to-Endpoint Topology
  The IP Phones communicate directly, without a SIP Proxy.

SIP Proxy in External Network
  The IP Phones use the services of a Proxy on the external side of the Security Gateway. This topology enables using the services of a SIP Proxy that is maintained by another organization.

SIP Proxy to SIP Proxy
  Each Proxy controls a separate endpoint domain.

SIP Proxy in DMZ
  The same Proxy controls both endpoint domains. This topology makes it possible to provide Proxy services to other organizations.

(5-2) H.323 Deployment

Note: Refer to the Relevant Check Point Security rules - H.323 section and to the Relevant Check Point NAT rules - H.323 section.

Supported H.323 Topology / Description:

H.323 Endpoint to Endpoint
  The IP Phones communicate directly, without a Gatekeeper or an H.323 Gateway.

Gatekeeper or H.323 Gateway in External Network
  The IP Phones use the services of a Gatekeeper or H.323 Gateway on the external side of the Security Gateway. This topology enables using the services of a Gatekeeper or an H.323 Gateway that is maintained by another organization.

H.323 Gatekeeper/Gateway to Gatekeeper/Gateway
  Each Gatekeeper or H.323 Gateway controls a separate endpoint domain.

Gatekeeper or H.323 Gateway in the DMZ
  The same Gatekeeper or H.323 Gateway controls both endpoint domains. This topology makes it possible to provide Gatekeeper or H.323 Gateway services to other organizations.

(5-3) MGCP Deployment

Note: Refer to the Relevant Check Point Security rules - MGCP section and to the Relevant Check Point NAT rules - MGCP section.

Supported MGCP Topology / Description:

Call Agent in External network
  The IP Phones use the services of a Call Agent on the external side of the Security Gateway. This topology enables using the services of a Call Agent that is maintained by another organization.

Call Agent in DMZ
  The same Call Agent controls both endpoint domains. This topology makes it possible to provide Call Agent services to other organizations.

Call Agent to Call Agent
  Each Call Agent controls a separate endpoint domain. Where there is one or more Call Agents, the signaling passes through each Call Agent. Once the call has been set up, the media can pass from endpoint to endpoint.

(5-4) SCCP (Skinny) Deployment

Note: Refer to the Relevant Check Point Security rules - SCCP (Skinny) section and to the Relevant Check Point NAT rules - SCCP (Skinny) section.

Supported SCCP Topology / Description:

Call Manager in Internal network
  The IP Phones use the services of a Call Manager in an internal network.

Call Manager in External network
  The IP Phones use the services of a Call Manager on the external side of the Security Gateway. This topology enables using the services of a Call Manager that is maintained by another organization.

Call Manager in DMZ
  The same Call Manager controls both endpoint domains. This topology makes it possible to provide Call Manager services to other organizations.

(6) Relevant Check Point services


The following predefined services are available for use in Security and NAT rules. They can be used to limit the protocols that are permitted during each stage of the call. Separate rules can be defined
for the different protocols.

(6-1) SIP

sip (Port: UDP 5060; Protocol Type: SIP_UDP)
  Used for SIP over UDP. This service is used to enforce signal routing. Use a VoIP Domain in the source or destination of the rule, together with this service. When this service is used, registration messages are tracked and a database is maintained that includes the details of the IP phones and the users. If an incoming call is made to a Hide NATed address, the Security Gateway verifies that the user exists in the SIP registration database. This can prevent DoS attacks.
  Do not use this service in the same rule with the 'sip_any' service (because they contradict each other).

sip-tcp (Port: TCP 5060; Protocol Type: SIP_TCP_PROTO)
  Used for SIP over TCP.

sip-tcp-ipv6 (Port: TCP 5060; Protocol Type: not set)
  Used for SIP over TCP IPv6.

sip_any (Port: UDP 5060; Protocol Type: SIP_UDP_ANY)
  Only for Security Gateways R75.40 and lower.
  Used for SIP over UDP. This service is used if not enforcing signal routing. In that case, do not place a VoIP Domain in the source or destination of the rule. Instead, use 'Any' or a network object, together with the 'sip_any' service.
  Note: If a VoIP Domain is used with this service, the packet is dropped.
  Do not use this service in the same rule with the 'sip' service (because they contradict each other).

sip_any-tcp (Port: TCP 5060; Protocol Type: SIP_ANY_TCP_PROTO)
  Only for Security Gateways R75.40 and lower.
  Used for SIP over TCP. This service is used if not enforcing signal routing. In that case, do not place a VoIP Domain in the source or destination of the rule. Instead, use 'Any' or a network object, together with the 'sip_any-tcp' service.
  Note: If a VoIP Domain is used with this service, the packet is dropped.
  Do not use this service in the same rule with the 'sip-tcp' service (because they contradict each other).

sip_any-tcp-ipv6 (Port: TCP 5060; Protocol Type: not set)
  Only for Security Gateways R75.40 and lower with IPv6 Support.
  Used for SIP over TCP IPv6. This service is used if not enforcing signal routing. In that case, do not place a VoIP Domain in the source or destination of the rule. Instead, use 'Any' or a network object, together with the 'sip_any-tcp-ipv6' service.
  Note: If a VoIP Domain is used with this service, the packet is dropped.
  Do not use this service in the same rule with the 'sip-tcp-ipv6' service (because they contradict each other).

sip_tls (Port: TCP 5061; Protocol Type: SIP_TCP_PROTO)
  Supported only in the R65.2.100 version.
  SIP over encrypted Transport Layer Security (TLS).

sip_tls_authentication (Port: TCP 5061; Protocol Type: SIP_TCP_PROTO)
  SIP over non-encrypted Transport Layer Security (that is, authenticated only).
  NAT is not supported for connections of this type.

sip_tls_not_inspected (Port: TCP 5061; Protocol Type: None)
  Insecure way of allowing SIP over Transport Layer Security (TLS) to pass without inspection.
  Requires opening of media ports manually.

sip_dynamic_ports (Port: not set; Protocol Type: not set)
  This service allows SIP connections to be opened on a dynamic port and not on the SIP well-known port.

(6-2) H.323

H323 (Port: TCP 1720; Protocol Type: H.323)
  This service allows a Q.931 connection to be opened, followed by an H.245 port, which in turn opens ports for RTP/RTCP.
  Do not use this service in the same rule with the 'H323_any' service (refer to sk20371).
  In general, use the 'H.323' service and the 'H.323_ras' service in security rules.

H323_any (Port: TCP 1720; Protocol Type: H.323_ANY)
  Only for Security Gateways R76 and lower.
  This service is like the 'H.323' service, but also allows the Source and Destination in the rule to be ANY rather than a network object. Only use the 'H.323_any' service if you do not know the location of the endpoints and are not enforcing signal routing using a VoIP Domain.
  Do not use this service in the same rule with the 'H323' service (refer to sk20371).

H323_ras (Port: UDP 1719; Protocol Type: H.323_RAS)
  This service allows a RAS port to be opened, followed by a Q.931 port. Q.931 then opens an H.245 port, which in turn opens ports for RTP/RTCP.
  Do not use this service in the same rule with the 'H.323_ras_only' service.
  In general, use the 'H.323' service and the 'H.323_ras' service in security rules.

H323_ras_only (Port: UDP 1719; Protocol Type: not set)
  This service allows only RAS. Use for call registration only. Cannot be used to make calls. If this service is used, no IPS Application Intelligence checks are made.
  Do not use this service in the same rule with the 'H.323_ras' service.

(6-3) MGCP

mgcp_CA (Port: UDP 2727; Protocol Type: MGCP_UDP)
  Call Agent (Media Gateway Controller) port.

mgcp_MG (Port: UDP 2427; Protocol Type: MGCP_UDP)
  Media Gateway port.

MGCP_dynamic_ports (Port: not set; Protocol Type: not set)
  Allows MGCP connections to be opened on a dynamic port and not on the MGCP well-known ports.
  Refer to sk32474.

(6-4) SCCP

SCCP (Port: TCP 2000; Protocol Type: SCCP_TCP)
  SCCP over TCP.

Secure_SCCP (Port: TCP 2443; Protocol Type: Secure_SCCP_Proto)
  Secure SCCP - encrypted SCCP over TCP (TLS).
  Note: Supported only on Security Gateways / Security Management Servers running R75.40VS / R76 / R77 and above.

high_udp_for_secure_SCCP (Port: -; Protocol Type: -)
  Secure SCCP - media to or from Secure SCCP phones on IP Protocol 17, ports above 1024.
  Note: Supported only on Security Gateways / Security Management Servers running R75.40VS / R76 / R77 and above.

(6-5) MSNMS (Windows Messenger)

MSNMS (Port: TCP 1863; Protocol Type: MSNMS_PROTOCOL)
  Native MSNMS.

(6-6) UDP

udp-high-ports (Port: UDP > 1023; Protocol Type: not set)
  UDP ports 1024-65535.
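A rulebase lint, added here and not a Check Point tool, that checks VoIP rules against the constraints stated in the service tables above: service pairs that contradict each other in one rule, the VoIP Domain that 'sip' requires and that the 'sip_any' family and 'H323_any' reject, and services whose explanation says inspection is skipped. The flat Rule representation, the object names and the sample rulebase are constructed assumptions.

```python
from dataclasses import dataclass, field

# Service pairs the tables above say contradict each other when used in one rule.
CONTRADICTIONS = [
    ("sip", "sip_any"),
    ("sip-tcp", "sip_any-tcp"),
    ("sip-tcp-ipv6", "sip_any-tcp-ipv6"),
    ("H323", "H323_any"),
    ("H323_ras", "H323_ras_only"),
]
# 'sip' enforces signal routing, so the rule needs a VoIP Domain in source or destination.
NEEDS_VOIP_DOMAIN = {"sip"}
# With these services a VoIP Domain in the rule makes the gateway drop the packet.
REJECTS_VOIP_DOMAIN = {"sip_any", "sip_any-tcp", "sip_any-tcp-ipv6", "H323_any"}
# Services whose explanation says inspection is weakened or skipped.
WEAK_INSPECTION = {
    "sip_tls_not_inspected": "passes SIP over TLS without inspection; media ports must be opened manually",
    "H323_ras_only": "performs no IPS Application Intelligence checks",
}


@dataclass
class Rule:
    """Assumed flat representation of one Security rule (object names are strings)."""
    name: str
    source: set
    destination: set
    services: set
    action: str = "Accept"
    voip_domains: set = field(default_factory=set)   # which of the objects are VoIP Domains


def lint_rule(rule: Rule) -> list:
    findings = []
    uses_voip_domain = bool((rule.source | rule.destination) & rule.voip_domains)
    for a, b in CONTRADICTIONS:
        if a in rule.services and b in rule.services:
            findings.append(f"{rule.name}: '{a}' and '{b}' contradict each other in one rule")
    for svc in sorted(rule.services & NEEDS_VOIP_DOMAIN):
        if not uses_voip_domain:
            findings.append(f"{rule.name}: '{svc}' enforces signal routing; put a VoIP Domain in source or destination")
    for svc in sorted(rule.services & REJECTS_VOIP_DOMAIN):
        if uses_voip_domain:
            findings.append(f"{rule.name}: '{svc}' with a VoIP Domain drops the packet; use Any or a network object")
    if rule.action == "Accept":
        for svc in sorted(rule.services & set(WEAK_INSPECTION)):
            findings.append(f"{rule.name}: '{svc}' {WEAK_INSPECTION[svc]}")
    return findings


def lint_rulebase(rules: list) -> list:
    findings = []
    for rule in rules:
        findings.extend(lint_rule(rule))
    return findings


# Constructed rulebase: two rules that follow the guidance and three that do not.
EXAMPLE_RULES = [
    Rule("sip-domain", {"SIP_Domain_A"}, {"Net_B"}, {"sip"}, voip_domains={"SIP_Domain_A"}),
    Rule("h323-ok", {"Net_A"}, {"Net_B"}, {"H323", "H323_ras"}),
    Rule("sip-mixed", {"Net_A"}, {"Any"}, {"sip", "sip_any"}),
    Rule("h323-any-dom", {"GK_Domain"}, {"Any"}, {"H323_any"}, voip_domains={"GK_Domain"}),
    Rule("tls-bypass", {"Net_A"}, {"SIP_Proxy"}, {"sip_tls_not_inspected"}),
]
```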

(7) Relevant Check Point security rules


Note: Refer to the Supported VoIP Deployments section and to the Relevant Check Point NAT rules section.

To allow VoIP calls, you must create rules that let VoIP control signals pass through the Security Gateway. It is not necessary to define a media rule that specifies which ports to open and which endpoints
can talk. The Security Gateway derives this information from the signaling. For a given VoIP signaling rule, the Security Gateway automatically opens ports for the endpoint-to-endpoint RTP/RTCP media
stream.

Important Note: Before configuring security rules for VoIP, make sure that Anti-Spoofing is configured on the Security Gateway interfaces.

(7-1) SIP Security Rules

Note: Refer to the Supported VoIP Deployments - SIP section and to the Relevant Check Point NAT rules - SIP section.

Important guidelines:

• SIP entities on which NAT is configured must reside behind the gateway's internal interfaces.
• Do not define special Network objects to allow SIP signaling. Use regular Network objects. The Security Gateway dynamically opens ports for data connections (RTP/RTCP and other). Security
Gateway supports up to four different media channels per SIP SDP message.
• Security rules can be defined that allow bidirectional calls, or only incoming or outgoing calls.

(7-1-A) SIP Security Rule for Peer-to-Peer No-Proxy Topology:

SOURCE        DESTINATION   SERVICE   ACTION   INSTALL ON   COMMENT
Net_A, Net_B  Net_A, Net_B  sip       Accept   Gateway      SIP over UDP. Bidirectional calls

or

SOURCE        DESTINATION   SERVICE                                                      ACTION   INSTALL ON   COMMENT
Net_A, Net_B  Net_A, Net_B  sip-tcp or sip_tls_authentication or sip_tls_not_inspected   Accept   Gateway      SIP over TCP. Bidirectional calls

1. Define the network objects (Nodes or Networks) for IP Phones.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Configure the VoIP security rules.

3. Define Hide NAT (or Static NAT) for the phones in the internal network, edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

4. Install the security policy.

(7-1-B) SIP Security Rule for Proxy in an External Network:

SOURCE           | DESTINATION      | SERVICE | ACTION | INSTALL ON | COMMENT
Net_A, SIP_Proxy | Net_A, SIP_Proxy | sip     | Accept | Gateway    | SIP over UDP. Bidirectional calls

or

SOURCE           | DESTINATION      | SERVICE                                                    | ACTION | INSTALL ON | COMMENT
Net_A, SIP_Proxy | Net_A, SIP_Proxy | sip-tcp or sip_tls_authentication or sip_tls_not_inspected | Accept | Gateway    | SIP over TCP. Bidirectional calls

1. Define the network objects (Nodes or Networks) for IP Phones that are:
◦ Managed by the SIP Proxy or Registrar.
◦ Permitted to make calls, with those calls inspected by the Security Gateway.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network object for the SIP Proxy or Registrar.
In the above figure, this is 'SIP_Proxy'.
◦ If the Proxy and Registrar are on a server that has one IP address, then define only one object.
◦ If the Proxy and Registrar are on the same server, but have different IP addresses, define an object for each IP address.

3. Configure the VoIP security rules.

4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Install the security policy.

(7-1-C) SIP Security Rule for Proxy-to-Proxy Topology:


SOURCE           | DESTINATION      | SERVICE | ACTION | INSTALL ON | COMMENT
Proxy_A, Proxy_B | Proxy_A, Proxy_B | sip     | Accept | Gateway    | SIP over UDP. Bidirectional calls

or

SOURCE           | DESTINATION      | SERVICE                                                    | ACTION | INSTALL ON | COMMENT
Proxy_A, Proxy_B | Proxy_A, Proxy_B | sip-tcp or sip_tls_authentication or sip_tls_not_inspected | Accept | Gateway    | SIP over TCP. Bidirectional calls

1. Define the network objects (Nodes or Networks) for IP Phones.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network objects for the SIP Proxies.
In the above figure, these are 'Proxy_A' and 'Proxy_B'.
◦ If the Proxy and Registrar are on a server that has one IP address, then define only one object.
◦ If the Proxy and Registrar are on the same server, but have different IP addresses, define an object for each IP address.

3. Configure the VoIP security rules.

4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Define Static NAT for the Proxy in the internal network - edit the network object for 'Proxy_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method 'Static'.

6. Install the security policy.

(7-1-D) SIP Security Rule for Proxy in DMZ Topology:

SOURCE                   | DESTINATION              | SERVICE | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, Proxy_DMZ  | Net_A, Net_B, Proxy_DMZ  | sip     | Accept | Gateway    | SIP over UDP. Bidirectional calls

or

SOURCE                   | DESTINATION              | SERVICE                                                    | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, Proxy_DMZ  | Net_A, Net_B, Proxy_DMZ  | sip-tcp or sip_tls_authentication or sip_tls_not_inspected | Accept | Gateway    | SIP over TCP. Bidirectional calls

1. Define the network objects (Nodes or Networks) for IP Phones.
In the above figure, these are 'Net_A' and 'Net_B'.


2. Define the network object for the SIP Proxy.
In the above figure, this is 'Proxy_DMZ'.

3. Configure the VoIP security rules.

4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Define Static NAT for the Proxy in the internal network - edit the network object for 'Proxy_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method 'Static'.

6. Install the security policy.

(7-2) H.323 Security Rules

Note: Refer to the Supported VoIP Deployments - H.323 section and to the Relevant Check Point NAT rules - H.323 section.

Important guidelines:

• To allow H.323 traffic, create rules that allow the H.323 control signals through the Security Gateway.
• It is not necessary to define a rule that specifies which ports to open and which endpoints can talk. The Security Gateway derives this information from the signaling. For a given H.323 signaling
rule (with RAS and/or H.323 services), the Security Gateway automatically opens ports for the H.245 connections and RTP/RTCP media stream connections.
• Dynamic ports will be opened only if the port is not used by a different service. For example: if the 'Connect' message identifies port 80 as the H.245 port, the port will not be opened. This prevents
well-known ports from being used illegally.
• To allow H.323 traffic in the Security Rule Base, use regular Network objects. It is not necessary to define special Network objects.

(7-2-A) H.323 Security Rule for Endpoint to Endpoint:

Important Note: No incoming calls can be made when Hide NAT is configured for the internal phones.

SOURCE       | DESTINATION  | SERVICE | ACTION | INSTALL ON | COMMENT
Net_A, Net_B | Net_A, Net_B | H323    | Accept | Gateway    |

1. Define the network objects (Nodes or Networks) for IP Phones.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Configure the VoIP security rules.

3. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

4. Install the security policy.

(7-2-B) H.323 Security Rule for Gatekeeper-to-Gatekeeper Topology:


SOURCE     | DESTINATION | SERVICE           | ACTION | INSTALL ON | COMMENT
GK_A, GK_B | GK_A, GK_B  | H323 and H323_ras | Accept | Gateway    | Bidirectional calls

1. Define the network objects (Nodes or Networks) for the phones that:
◦ Use the Gatekeeper for registration.
◦ Are allowed to make calls, with their calls tracked by the Security Gateway.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network objects for the Gatekeepers.
In the above figure, these are 'GK_A' and 'GK_B'.

3. Configure the VoIP security rules.

4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Define Static NAT for the Gatekeeper (or Gateway) in the internal network - edit the network object for 'GK_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method 'Static'.

6. Set the Session Timeout of the 'H323_ras' service equal to, or greater than the Gatekeeper's registration time-out.
Right-click on the 'H323_ras' service - 'Edit...' - click on 'Advanced...' button - in 'Session Timeout' section, click on 'Other' - set the desired value - click on 'OK' to apply the changes.

7. Install the security policy.

(7-2-C) H.323 Security Rule for Gateway-to-Gateway Topology:

SOURCE     | DESTINATION | SERVICE | ACTION | INSTALL ON | COMMENT
GW_A, GW_B | GW_A, GW_B  | H323    | Accept | Gateway    | Bidirectional calls

1. Define the network objects (Nodes or Networks) for IP Phones.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network objects for the Gateways.
In the above figure, these are 'GW_A' and 'GW_B'.

3. Configure the VoIP security rules.


4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Define Static NAT for the Gatekeeper/Gateway in the internal network - edit the network object for 'GW_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method 'Static'.

6. Install the security policy.

(7-2-D) H.323 Security Rule for Gatekeeper in the External Network:

SOURCE             | DESTINATION        | SERVICE           | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, GK_B | Net_A, Net_B, GK_B | H323 and H323_ras | Accept | Gateway    | Bidirectional calls

1. Define the network objects (Nodes or Networks) for the phones that:
◦ Use the Gatekeeper for registration.
◦ Are allowed to make calls, with their calls tracked by the Security Gateway.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network object for the Gatekeeper.
In the above figure, this is 'GK_B'.

3. Configure the VoIP security rules.

4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Define Static NAT for the Gatekeeper/Gateway in the internal network - edit the network object for 'GW_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method 'Static'.

6. Set the Session Timeout of the 'H323_ras' service equal to, or greater than the Gatekeeper's registration time-out.
Right-click on the 'H323_ras' service - 'Edit...' - click on 'Advanced...' button - in 'Session Timeout' section, click on 'Other' - set the desired value - click on 'OK' to apply the changes.

7. Install the security policy.

(7-2-E) H.323 Security Rule for Gateway in the External Network:


SOURCE             | DESTINATION        | SERVICE | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, GW_B | Net_A, Net_B, GW_B | H323    | Accept | Gateway    | Bidirectional calls

1. Define the network objects (Nodes or Networks) for the phones that:
◦ Use the Gatekeeper for registration.
◦ Are allowed to make calls, with their calls tracked by the Security Gateway.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network object for the Gateway.
In the above figure, this is 'GW_B'.

3. Configure the VoIP security rules.

4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Install the security policy.

(7-2-F) H.323 Security Rule for Gatekeeper in DMZ

SOURCE               | DESTINATION          | SERVICE           | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, GK_DMZ | Net_A, Net_B, GK_DMZ | H323 and H323_ras | Accept | Gateway    | Bidirectional calls

In addition, the following Static NAT rules should be configured for the Gatekeeper in the DMZ:

ORIGINAL PACKET                     | TRANSLATED PACKET                              | COMMENT
SOURCE   DESTINATION    SERVICE     | SOURCE           DESTINATION      SERVICE      |
GK_DMZ   Net_B          Any         | GK_DMZ (Static)  = Original       = Original   | Outgoing calls
Net_B    GK_DMZ_NATed   Any         | = Original       GK_DMZ (Static)  = Original   | Incoming calls

1. Define the network objects (Nodes or Networks) for the phones that:
◦ Use the Gatekeeper for registration.
◦ Are allowed to make calls, with their calls tracked by the Security Gateway.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network object for the Gatekeeper.
In the above figure, this is 'GK_DMZ'.

3. Create the network object for the Static NATed IP address of the Gatekeeper.

In the above example, this is 'GK_DMZ_NATed'.

4. Configure the VoIP security rules.

5. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

6. Define manual Static NAT rules for the Gatekeeper in the DMZ.
A. Go to the 'NAT' pane.
B. Create the NAT rules as shown above.

7. Configure Proxy ARP per sk30197.
You must associate the NATed IP address of the Gatekeeper with the MAC address of the Security Gateway's interface that is on the same network as the NATed IP address.

8. Set the Session Timeout of the 'H323_ras' service equal to, or greater than the Gatekeeper's registration time-out.
Right-click on the 'H323_ras' service - 'Edit...' - click on 'Advanced...' button - in 'Session Timeout' section, click on 'Other' - set the desired value - click on 'OK' to apply the changes.

9. Install the security policy.

(7-2-G) H.323 Security Rule for Gateway in DMZ

SOURCE               | DESTINATION          | SERVICE | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, GW_DMZ | Net_A, Net_B, GW_DMZ | H323    | Accept | Gateway    | Bidirectional calls

In addition, the following Static NAT rules should be configured for the Security Gateway in the DMZ:

ORIGINAL PACKET                     | TRANSLATED PACKET                              | COMMENT
SOURCE   DESTINATION    SERVICE     | SOURCE           DESTINATION      SERVICE      |
GW_DMZ   Net_B          Any         | GW_DMZ (Static)  = Original       = Original   | Outgoing calls
Net_B    GW_DMZ_NATed   Any         | = Original       GW_DMZ (Static)  = Original   | Incoming calls

1. Define the network objects (Nodes or Networks) for the phones that:
◦ Use the Gatekeeper for registration.
◦ Are allowed to make calls, with their calls tracked by the Security Gateway.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network object for the Security Gateway.
In the above figure, this is 'GW_DMZ'.

3. Create the network object for the Static NATed IP address of the Gatekeeper.
In the above example, this is 'GW_DMZ_NATed'.

4. Configure the VoIP security rules.

5. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

6. Define manual Static NAT rules for the Security Gateway in the DMZ.
A. Go to the 'NAT' pane.
B. Create the NAT rules as shown above.

7. Configure Proxy ARP per sk30197.
You must associate the NATed IP address of the Gatekeeper with the MAC address of the Security Gateway's interface that is on the same network as the NATed IP address.

8. Install the security policy.

(7-3) MGCP Security Rules

Note: Refer to the Supported VoIP Deployments - MGCP section and to the Relevant Check Point NAT rules - MGCP section.

(7-3-A) MGCP Security Rule for a Call Agent in the External Network:

SOURCE                 | DESTINATION            | SERVICE                                  | ACTION | INSTALL ON | COMMENT
Net_A, MGCP_Call_Agent | Net_A, MGCP_Call_Agent | mgcp_CA or mgcp_MG or mgcp_dynamic_ports | Accept | Gateway    |

1. Define the network objects (Nodes or Networks) for IP Phones managed by the MGCP Call Agent.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network object for the Call Agent.
In the above figure, this is 'MGCP_Call_Agent'.

3. Configure the VoIP security rules.

4. Define Hide NAT (or Static NAT) for the phones in the internal network - edit the network object for 'Net_A':
A. On the 'NAT' tab, check the box 'Add Automatic Address Translation Rules'.
B. Select the Translation method ('Hide' or 'Static').

5. Install the security policy.

(7-3-B) MGCP Security Rule for a Call Agent in the DMZ:

SOURCE                        | DESTINATION                   | SERVICE            | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, MGCP_Call_Agent | Net_A, Net_B, MGCP_Call_Agent | mgcp_CA or mgcp_MG | Accept | Gateway    | Bidirectional calls

1. Define the network objects (Nodes or Networks) for IP Phones managed by the MGCP Call Agent.
In the above figure, these are 'Net_A' and 'Net_B'.

2. Define the network object for the Call Agent.
In the above figure, this is 'MGCP_Call_Agent'.

3. Configure the VoIP security rules.

4. Install the security policy.

(7-3-C) MGCP Security Rule for a Call Agent to Call Agent:


SOURCE                         | DESTINATION                    | SERVICE            | ACTION | INSTALL ON | COMMENT
Call_Agent_Int, Call_Agent_Ext | Call_Agent_Int, Call_Agent_Ext | mgcp_CA or mgcp_MG | Accept | Gateway    | Bidirectional calls

1. Define the network objects for the Call Agents.
In the above figure, these are 'Call_Agent_Int' and 'Call_Agent_Ext'.

2. Configure the VoIP security rules.

3. Install the security policy.

(7-4) SCCP Security Rules

Note: Refer to the Supported VoIP Deployments - SCCP (Skinny) section and to the Relevant Check Point NAT rules - SCCP (Skinny) section.

(7-4-A) SCCP Security Rule for SCCP over TCP:

SOURCE                     | DESTINATION                | SERVICE | ACTION | INSTALL ON | COMMENT
Net_A, Net_B, Call_Manager | Net_A, Net_B, Call_Manager | SCCP    | Accept | Gateway    | Incoming and Outgoing calls

(7-4-B) SCCP Security Rule for Secure SCCP - encrypted SCCP over TCP (TLS):

Note: Supported only on Security Gateways / Security Management Servers running R75.40VS / R76 / R77 and above.

1. Define Network objects (Nodes or Networks) for SCCP endpoints (Cisco ATA devices or IP Phones) controlled by the Call Managers.

2. Define a Host object that represents the Call Manager.

3. Define the SCCP VoIP security rules.

4. Define other security rules for SCCP and the other VoIP protocols (SCCP interoperates with other VoIP protocols).

This rule lets all phones in 'Net_A' and 'Net_B' make calls to each other:
• 'Net_A' is the internal IP phone network
• 'Net_B' is the external IP phone network
• The Call Manager (Call_Manager) can be in:
◦ The internal or external network.
◦ A DMZ connected to a different interface of the gateway.

5. To secure encrypted SCCP over TCP connections:

A. Create an identical security rule.

B. In the 'Service' column, add only the following service:
• For encrypted SCCP over TCP (TLS): Secure_SCCP
• For media to or from Secure SCCP phones: high_udp_for_secure_SCCP

6. Install the security policy.

(8) Relevant Check Point NAT rules


Note: Refer to the Supported VoIP Deployments section and to the Relevant Check Point Security rules section.

(8-1) SIP NAT Rules

Note: Refer to the Supported VoIP Deployments - SIP section and to the Relevant Check Point Security rules - SIP section.

Important guidelines:

• When using Hide NAT for SIP over UDP, you must include the hiding IP address in the destination of the SIP rule.
• When using Hide NAT for SIP over TCP, you must include the hiding IP address in the destination of the SIP rule.

Doing this allows the initiation of TCP handshake from the external network to the hiding IP address.
• NAT is performed for all connections in the call - SIP and RTP/RTCP packets.
• NAT is performed on the IP headers and payload (SIP and SDP).
• Throughout a call, a combination of specific [IP address + port] should be translated in the same way each time they are detected.
• For NAT on SIP entities, it is strongly recommended that you enable the IPS protection 'Strict SIP Protocol Flow Enforcement'.

(8-2) H.323 NAT Rules

Note: Refer to the Supported VoIP Deployments - H.323 section and to the Relevant Check Point Security rules - H.323 section.

Important guidelines:

• NAT ('Hide' or 'Static') can be configured for the phones in the internal network, and (where applicable) for the Gatekeeper.
• NAT is not supported on IP addresses behind an external Security Gateway interface.
• Manual NAT rules are supported only in environments where the Gatekeeper is in the DMZ.
• When using Hide NAT for H.323 traffic, include the hiding IP address in the 'Destination' column of the H.323 NAT rule. This allows the initiation of a TCP handshake from the external network
to the hiding IP address.

Supported H.323 Topology                        | No NAT | NAT for Internal Phones (Hide/Static) | NAT for Gatekeeper (Static)
H.323 Endpoint to Endpoint                      | Yes    | Static NAT only                       | Not applicable
  Notes: The IP Phones communicate directly, without a Gatekeeper or an H.323 Gateway. Static NAT can be configured for the phones on the internal side of the Security Gateway.
Gatekeeper or H.323 Gateway in External Network | Yes    | Yes                                   | Not applicable
  Notes: The IP Phones use the services of a Gatekeeper or H.323 Gateway on the external side of the Security Gateway. This topology enables using the services of a Gatekeeper or an H.323 Gateway that is maintained by another organization. It is possible to configure Hide NAT / Static NAT / no NAT for the phones on the internal side of the Security Gateway.
H.323 Gatekeeper/Gateway to Gatekeeper/Gateway  | Yes    | Yes                                   | Yes
  Notes: Each Gatekeeper or H.323 Gateway controls a separate endpoint domain. Static NAT can be configured for the internal Gatekeeper. For the internal phones, Hide NAT / Static NAT can be configured.
Gatekeeper or H.323 Gateway in the DMZ          | Yes    | Yes                                   | Yes
  Notes: Each Gatekeeper or H.323 Gateway controls a separate endpoint domain. Static NAT / no NAT can be configured for the Gatekeeper or H.323 Gateway. Hide NAT / Static NAT / no NAT can be configured for the phones on the internal side of the Security Gateway.

(8-3) MGCP NAT Rules

Note: Refer to the Supported VoIP Deployments - MGCP section and to the Relevant Check Point Security rules - MGCP section.

Important guidelines:

• It is possible to configure NAT ('Hide' or 'Static') for the phones in the internal network.
• NAT is not supported on IP addresses behind an external Security Gateway interface.
• The SmartDashboard configuration depends on the MGCP topology.

Supported MGCP Topology        | No NAT | NAT for Internal Phones (Hide/Static)
Call Agent in External network | Yes    | Yes
  Notes: The IP Phones use the services of a Call Agent on the external side of the Security Gateway. This topology enables using the services of a Call Agent that is maintained by another organization. It is possible to configure Hide NAT (or Static NAT or no NAT) for the phones on the internal side of the Security Gateway.
Call Agent in DMZ              | Yes    | No
  Notes: The same Call Agent controls both endpoint domains. This topology makes it possible to provide Call Agent services to other organizations.
Call Agent to Call Agent       | Yes    | No
  Notes: Each Call Agent controls a separate endpoint domain. Where there is one or more Call Agents, the signaling passes through each Call Agent. Once the call has been set up, the media can pass endpoint to endpoint.

Additional Conditions for Using NAT in MGCP Networks

You can use MGCP with Network Address Translation (NAT), but:

• Manual NAT rules are not supported. Use Automatic NAT.
• Calls cannot be made from an external source to two endpoints on the trusted side of a gateway if one of the endpoints is NATed and the other is not.
• Bidirectional NAT of VoIP calls is not supported.

Important Note: Hide NAT can be used for all types of calls (incoming, outgoing, internal and external). For security reasons, when using Hide NAT for incoming calls, the Destination of the VoIP call in
the Rule Base cannot be Any.
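The Hide NAT guidelines above (hiding IP address in the destination of SIP rules per (8-1), and of H.323 rules per (8-2); no 'Any' destination with Hide NAT per (8-3)) can be checked against a rulebase automatically. The following is an added example, not Check Point code: the Rule and HideNat objects are constructed stand-ins for the SmartConsole objects, and the service and object names are the ones used in the tables above.

```python
"""Rulebase lint for the Hide NAT guidelines in (8-1), (8-2) and (8-3).

Constructed stand-ins for SmartConsole objects (not Check Point code):
a Rule carries the columns of the rule tables above; a HideNat records a
network object with automatic Hide NAT and the IP address it hides behind.
"""
from dataclasses import dataclass
from typing import List, Tuple

SIP_SERVICES = {"sip", "sip-tcp", "sip_tls_authentication", "sip_tls_not_inspected"}
H323_SERVICES = {"H323", "H323_ras"}
MGCP_SERVICES = {"mgcp_CA", "mgcp_MG", "mgcp_dynamic_ports"}
VOIP_SERVICES = SIP_SERVICES | H323_SERVICES | MGCP_SERVICES | {"SCCP"}


@dataclass
class Rule:
    name: str
    source: List[str]
    destination: List[str]
    service: List[str]
    action: str = "Accept"


@dataclass
class HideNat:
    network: str     # object with 'Add Automatic Address Translation Rules' and method 'Hide'
    hiding_ip: str   # the hiding IP address (constructed, documentation range)


def lint_rule(rule: Rule, hide_nats: List[HideNat]) -> List[Tuple[str, str]]:
    """Returns (rule name, finding code) pairs for one rule."""
    findings = []
    if rule.action != "Accept" or not set(rule.service) & VOIP_SERVICES:
        return findings                                   # not a VoIP accept rule
    hidden = [h for h in hide_nats if h.network in rule.source]
    if not hidden:
        return findings                                   # no Hide NAT on this rule's sources
    # (8-3): when Hide NAT is used for incoming calls, the destination must not be Any.
    if "Any" in rule.destination:
        findings.append((rule.name, "destination-any"))
    # (8-1)/(8-2): the hiding IP address must appear in the destination so the
    # external side can initiate the TCP handshake (or send UDP) to it.
    if set(rule.service) & (SIP_SERVICES | H323_SERVICES):
        for h in hidden:
            if h.hiding_ip not in rule.destination:
                findings.append((rule.name, "hiding-ip-missing:" + h.hiding_ip))
    return findings


def lint_rulebase(rules: List[Rule], hide_nats: List[HideNat]) -> List[Tuple[str, str]]:
    return [f for r in rules for f in lint_rule(r, hide_nats)]


# Constructed sample rulebase: Net_A is hidden behind 203.0.113.10.
HIDE_NATS = [HideNat("Net_A", "203.0.113.10")]
RULES = [
    Rule("sip peer-to-peer", ["Net_A", "Net_B"], ["Net_A", "Net_B"], ["sip"]),
    Rule("sip fixed", ["Net_A", "Net_B"], ["Net_A", "Net_B", "203.0.113.10"], ["sip-tcp"]),
    Rule("h323 endpoint", ["Net_A", "Net_B"], ["Net_A", "Net_B", "203.0.113.10"], ["H323"]),
    Rule("mgcp any", ["Net_A", "MGCP_Call_Agent"], ["Any"], ["mgcp_CA", "mgcp_MG"]),
    Rule("web", ["Net_A"], ["Any"], ["http"]),            # not VoIP: ignored by the lint
]

if __name__ == "__main__":
    for name, code in lint_rulebase(RULES, HIDE_NATS):
        print(f"{name}: {code}")
```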

(8-4) SCCP NAT Rules

Note: Refer to the Supported VoIP Deployments - SCCP (Skinny) section and to the Relevant Check Point Security rules - SCCP (Skinny) section.

NAT on SCCP devices is not supported.

(9) Relevant Check Point kernel tables


Notes:

• All SIP kernel tables are synchronized in cluster environment.

• In order to increase the size limit of a kernel table, edit the relevant 'table.def' file on the Management Server - change the value of the 'limit' attribute (for locations of the relevant
'table.def' files, refer to sk31832 - How to prevent ClusterXL / VRRP / IPSO IP Clustering from hiding its own traffic behind Virtual IP address).

• For additional information about the sizes of relevant SIP kernel tables, refer to Enlarging kernel tables for concurrent SIP calls.

• Refer to Command Line Interface Reference Guide (R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77) - Chapter 'Security Management Server and Firewall Commands' - fw - fw tab.

Tables:

(9-1) SIP

sip_registration Holds one entry for each registered phone (internal phones). An entry is inserted when the registration is completed (200 OK). Timeout - the value from the Expires header field
or default.
To view a list of the online IP phones, run this command:
[Expert@HostName]# fw tab -t sip_registration -f

sip_state Holds one entry for each SIP call (Call-ID + users' tags). An entry is inserted with the first packet of the call. Each SIP call has 2-4 SIP connections. Call entries should remain
until the call is terminated. Timeout - 180 seconds, refreshed as long as RTP is alive (for non-Int2Int calls). Note that the entries are per Call-ID; a B2BUA may set 2 entries per
call.
To view information on the current calls, run this command:
[Expert@HostName]# fw tab -t sip_state -f
The following output appears:
• Control connection (source, destination).
• RTP connection (endpoint IP addresses).
• Call state (established, ended, registration).
• Media type (audio, video, audio/video, application).
• Number of reinvites (number of participants in a conference call).

sip_cseq Holds one entry per Transaction (SIP request + SIP response). An entry is inserted with the SIP Request. Timeout - 40 seconds, 20 for retransmissions.

sip_services Holds all the services that are defined as SIP in the rulebase.

sip_dynamic_port Holds entries for SIP communication for non-5060 port. Relevant only if 'sip_dynamic_port' service is used. Timeout - the value from the expires header field or default.

fwx_sticky_port Holds port allocation entries, only when using NAT and sticky mechanism. Used in order to translate the port consistently. Call entries should remain until call is terminated.

fwx_alloc Holds port allocation entries, only when using NAT. Same entries that are displayed in the 'fwx_sticky_port' kernel table. Call entries should remain until call is terminated.

fwx_pending Used to store pending NAT instructions.

earlynat_sport Holds 5 entries for each SIP UDP connection (1 entry and 1 link for each direction of the connection and 1 link for Bi-Directional SIP).

(9-2) H.323

h323_registration Holds one entry for each registered phone (internal phones).

fwx_sticky_port Holds port allocation entries, only when using NAT and sticky mechanism. Used in order to translate the port consistently. Call entries should remain until call is terminated.

(9-3) MGCP

mgcp_registration Holds one entry for each registered phone (internal phones).

mgcp_services Holds all the services that are defined as SIP in the rulebase.

mgcp_dynamic_port Holds entries for MGCP communication for non MGCP well-known ports - only if mgcp_dynamic_port service is used.

mgcp_cmd Holds all the MGCP commands that can take place in the protocol. If you add new MGCP commands in the MGCP SD, a new entry is supposed to be added to this table.

mgcp_conn Holds MGCP control connections (like the 'sip_state' kernel table). Has an entry for each MGCP call. Call entries should remain until call is terminated.

mgcp_tid Every command or transaction has its own TID (Transaction ID). Every new TID is added to this kernel table. There is verification that every request has a matching response.

(10) Check Point Security Gateway and VoIP traffic


(10-1) SecureXL

• Media connections are accelerated.
• Signaling connections are not accelerated.
• NAT on IP header is accelerated.

(10-2) CoreXL

• When CoreXL is enabled, VoIP control connections are processed only in global CoreXL FW instance #0 (fw_worker_0). By design, global CoreXL FW instance #0 (fw_worker_0) always runs on the
CPU core with highest ID (as allowed by the current CoreXL license).

Note: This is relevant for H323 and Skinny (SCCP), but not for SIP - in R80.40 and higher versions.

(10-3) ClusterXL

• Not 100% (for TCP, for example, only after call establishment).

(10-4) SIP interoperability with NAT

When NAT is configured, it is applied to all parts of the call - SIP and RTP (RTCP). NAT is applied both to the IP header and to the SIP payload. For example: on an INVITE packet going
out from the internal network, the source IP address in the IP header is NATed to the external public IP address, along with the addresses in the SDP inside. Those values are changed to public IP addresses.


Potential NAT issues (some examples):

• Phone communicates with the proxy:
The phone will initialize a registration from a random port to port 5060 and close the connection. When the proxy redirects a new call, where should it be connected (registration or new call)? What if
the port is closed by a Security Gateway? The client on the other side sent the request to port 5060; should we translate it (and then translate it back)?

• Proxy to proxy communications:
Inter-proxy communications will be performed continually. Obviously, port 5060 will be used for any SIP communication. How will the servers react to a large number of calls that are coming from
different destination ports?

• The issue gets more and more complicated when a whole SIP network is active with phones and proxies on different sides of the Security Gateway.

Using a single port presented a difficulty for the Security Gateway:

• Hide NAT issues:
More than one connection could not be hidden behind port 5060. Furthermore, incoming connections could not be routed correctly.

• Logging issues:
How can the Firewall log different calls on the same connection? Usually there is one connection per log, but in this case every call should be logged separately.

The solution - apply internal Early NAT and internal Late NAT on the SIP connections:

Note: Refer to the Check Point Definitions section.

• Every incoming SIP connection will undergo an internal NAT mechanism in Check Point Security Gateway, in which the ports will be NATed to a high port (over 10 000) after the Pre-Inbound chain
"i" (Early NAT) and then NATed back to the original port 5060 before the Post-Outbound chain "O" (Late NAT).

• Early NAT and Late NAT are performed even when no NAT is configured.

• This is ports-only translation, which is usually performed on the Source port of the packet. In Bi-Directional SIP configuration (2 RTP ports), the Early NAT / Late NAT is performed on the
Destination port of the packet.

• Performed only on SIP over UDP.

(10-5) VoIP protections and IPS

• In Management Server R77.30 and lower, VoIP protections are configured in the IPS.

• In Management Server R80 and above, VoIP protections are no longer configured in the IPS:

Note: These VoIP protections can be configured without VoIP license.

A. In SmartConsole, on the left Navigation Toolbar, click on "MANAGE & SETTINGS".
B. In the upper middle section, click on "Blades".
C. In the "General" section, click on the "Inspection Settings..." button.

(11) Troubleshooting VoIP traffic on Check Point Security Gateway


(11-1) Things that can go wrong

• Illegal redirection.
• Entry in the kernel table 'sip_state' disappears before the call is terminated.
• Early NAT / Late NAT is not performed.
• RTP is translated to an odd port.
• RTCP != RTP+1.
• Ports are not translated consistently.
• Ports leak (entries in the kernel table 'fwx_sticky_port' that are not deleted after the entries in the kernel table 'fwx_pending' and the connection entries in the kernel table 'connections' have expired).
• Internal IP addresses are seen by the external host.
• No un-NAT when needed (Int2Int calls).
• Content length is incorrect after NAT.
• Memory leaks.
• SIP tables are not synchronized between cluster members.
• TCP connections do not survive failover in cluster.
• SIP / RTP is not encrypted even though a VPN is configured.
• Calls do not survive policy installation.
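
Four of the symptoms in the list above (incorrect Content-Length after NAT, internal IP addresses seen by the external host, RTP translated to an odd port, RTCP != RTP+1) can be checked directly on a SIP message captured on the external side of the gateway, before any kernel debug is collected. The script below is an added example written for this page, not Check Point code or a tool the article ships. It assumes one SIP INVITE per input (for example exported as text from fw monitor or tcpdump), that the SDP body is present, that RFC 1918 space is what "internal" means in your topology, and it uses the documentation addresses 10.1.1.20 (internal phone) and 203.0.113.10 (NATed address) in two constructed sample messages.

```shell
#!/bin/sh
# Added example, not Check Point code. Checks one SIP INVITE captured on the
# EXTERNAL side of the Security Gateway for four symptoms from the list above:
# Content-Length not fixed up after the c=/o= rewrite, an internal (RFC 1918)
# address still visible to the external host, RTP translated to an odd port,
# and a=rtcp not equal to RTP+1. Assumptions: one message per input, SDP body
# present, RFC 1918 space is "internal", 203.0.113.10 is the NATed address.

sip_norm() { printf '%s\n' "$1" | tr -d '\r'; }          # CR LF -> LF, done once

sip_header() {  # $1 = message, $2 = header name (case-insensitive); prints the value
  sip_norm "$1" | sed '/^$/q' | awk -v n="$2" '
    { i = index($0, ":")
      if (i && tolower(substr($0, 1, i - 1)) == tolower(n)) {
        v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit } }'
}

sip_body() { sip_norm "$1" | sed '1,/^$/d'; }             # everything after the blank line

# Wire length of the body: each SDP line is CR LF terminated (RFC 4566), so
# every line counts its 2 terminator bytes. Content-Length must equal this.
sip_body_len() { sip_body "$1" | awk '$0 != "" { n += length($0) + 2 } END { print n + 0 }'; }

sdp_field() { sip_body "$1" | awk -v t="$2" 'substr($0, 1, 2) == (t "=") { print substr($0, 3); exit }'; }

first_ip() { awk '{ if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) { print substr($0, RSTART, RLENGTH); exit } }'; }

is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Prints one line per finding; returns the number of findings (0 = looks correctly NATed).
sip_nat_check() {
  msg=$1; findings=0
  declared=$(sip_header "$msg" Content-Length); actual=$(sip_body_len "$msg")
  if [ "$declared" != "$actual" ]; then
    echo "Content-Length says $declared but the body is $actual bytes"; findings=$((findings + 1))
  fi
  for where in Via Contact o= c=; do                    # what the external host gets to see
    case $where in
      o=|c=) val=$(sdp_field "$msg" "${where%=}") ;;
      *)     val=$(sip_header "$msg" "$where") ;;
    esac
    ip=$(printf '%s\n' "$val" | first_ip)
    if [ -n "$ip" ] && is_private_ip "$ip"; then
      echo "internal address $ip is visible in $where"; findings=$((findings + 1))
    fi
  done
  port=$(sdp_field "$msg" m | awk '{ print $2 }')
  if [ -n "$port" ]; then
    if [ $((port % 2)) -ne 0 ]; then
      echo "RTP port $port is odd (RTP must use an even port)"; findings=$((findings + 1))
    fi
    rtcp=$(sip_body "$msg" | sed -n 's/^a=rtcp:\([0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$rtcp" ] && [ "$rtcp" -ne $((port + 1)) ]; then
      echo "RTCP port $rtcp is not RTP+1 ($((port + 1)))"; findings=$((findings + 1))
    fi
  fi
  return $findings
}

# Constructed sample: the INVITE as it should look outside after Hide NAT of
# 10.1.1.20 behind 203.0.113.10. Content-Length 130 = the 7 SDP lines with CR LF.
GOOD_INVITE='INVITE sip:bob@example.net SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds
Contact: <sip:alice@203.0.113.10:5060>
Content-Length: 130

v=0
o=alice 2890844526 2890844526 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 RTP/AVP 0
a=rtcp:49171'

# Constructed sample of a broken translation: Contact and c= still carry the
# internal address, the body is now 127 bytes but Content-Length was not
# updated, RTP landed on an odd port and RTCP is not RTP+1 (5 findings).
BAD_INVITE='INVITE sip:bob@example.net SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds
Contact: <sip:alice@10.1.1.20:5060>
Content-Length: 130

v=0
o=alice 2890844526 2890844526 IN IP4 203.0.113.10
s=-
c=IN IP4 10.1.1.20
t=0 0
m=audio 49171 RTP/AVP 0
a=rtcp:49173'

if [ $# -gt 0 ]; then
  sip_nat_check "$(cat "$1")"                 # check a captured message from a file
else
  echo "-- checking the constructed bad INVITE:"
  sip_nat_check "$BAD_INVITE" || echo "-- $? finding(s)"
fi
```

Saved as, say, sip_nat_check.sh, it checks a real capture when given a file argument and, with no arguments, reports the five problems planted in the constructed bad INVITE. A clean message returns 0; a non-zero return is the number of findings, which already tells you whether to look at the NAT rulebase (address leaks, Content-Length) or at the media handling (port parity, RTCP) before collecting the kernel debug described in section (13-1).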

(11-2) General action plan

• Classify the problem - Signaling or Media connections.

• Check whether it is a Known Limitation (refer to the 'Known Limitations' pages on SecureKnowledge).

• Check the VoIP Administration Guide.

• Disable all special/advanced features and Software Blades (one at a time where possible, to isolate the component) and re-test:

  ◦ NAT
  ◦ SecureXL
  ◦ ClusterXL
  ◦ VPN
  ◦ etc.

• Collect the relevant debugs - refer to the Debugging Check Point Security Gateway section and to the Debug instructions section.

• Contact Check Point Support for assistance.

  Provide all the required information about the environment:

  ◦ Involved protocols (UDP, TCP, video, audio, etc.).
  ◦ All IP addresses and ports, including NAT.
  ◦ SmartView Tracker logs.
  ◦ Client and Server types.
  ◦ Rule base configuration (Security and NAT).
  ◦ IPS configuration.
  ◦ Additional Software Blades (NAT, SecureXL, CoreXL, VPN, etc.).
  ◦ Topology diagram that depicts all machines involved in this VoIP issue.
  ◦ CPinfo file from all involved Security Gateways.
  ◦ CPinfo file from all involved Management Servers.
  ◦ Kernel Debug and Traffic Captures - from the beginning of the VoIP session.

(12) Debugging Check Point Security Gateway


To see how the Security Gateway processes the traffic and how the internal components work, run a debug of the Check Point kernel on this Security Gateway (depending on the issue, it might also be required to run a debug of the relevant user space daemon).

Some debugs print so much information that the CPU load might increase to 100% and render the Security Gateway unresponsive.

Note: It is always recommended to run the kernel debug during a scheduled maintenance window in order to minimize the impact on production traffic and on users.

(12-1) Debugging syntax

[Expert@GW_HostName]# fw ctl debug -h


fw ctl debug [-d <strings>] [-s "<string>"] [-v ("<VSIDs>"|all)] [-k] [-x] [-m <module>] [-e expr |-i <filter-file|-> | -u] [+|-] <options | all | 0>
Or: fw ctl debug [-t (NONE|ERR|WRN|NOTICE|INFO)] [-f (RARE|COMMON)]
Or: fw ctl debug -buf [buffer size][-v ("<VSIDs>"|all)][-k]
-h - for help
-e - Set debug filter to expr (inspect script)
-i - Set debug filter from filter-file (- is the standard input)
-u - Unset debug filtering

• To display all kernel debugging modules and all their flags that this machine supports :

[Expert@GW_HostName]# fw ctl debug -m

• To display all kernel debugging modules and their flags that were turned on :

[Expert@GW_HostName]# fw ctl debug

• To display all debugging flags that were turned on for this kernel debugging module:

[Expert@GW_HostName]# fw ctl debug -m MODULE

• To set default kernel debug options:

[Expert@GW_HostName]# fw ctl debug 0

Notes:
◦ Some debug flags are enabled by default (error, warning) in various kernel debugging modules, so that some generic messages are printed into the Operating System log (Linux OS: /var/log/messages; Windows OS: Event Viewer).
◦ This command should be issued before starting any kernel debug.
◦ This command must be issued to stop the kernel debug.

• To unset all kernel debug options:

[Expert@GW_HostName]# fw ctl debug -x

Note:
◦ This unsets all debug flags, including the default ones, which means that none of the relevant messages will be printed. The default debug flags should normally stay enabled, so prefer 'fw ctl debug 0' unless you have a specific reason to use '-x'.

• To set kernel debugging buffer:

[Expert@GW_HostName]# fw ctl debug -buf 32000

Notes:
◦ Default size of the debugging buffer is 50 KB.
◦ Maximal size of the debugging buffer is 32768 KB.
◦ Unless the size of the debugging buffer is increased from the default 50 KB, the debug will not be redirected to a file (debug messages will be printed into the Operating System log).
◦ Debug messages are collected in this buffer, and a user space process ($FWDIR/bin/fw) collects them and prints them into the output file.

• To print debug messages into the output file (start the kernel debug):

[Expert@GW_HostName]# fw ctl kdebug -T -f > /var/log/debug.txt


Note:
◦ If you need to use this command in shell scripts, then add an ampersand at the end to run the command in the background (fw ctl kdebug -T -f > /var/log/debug.txt &).

• To stop the kernel debug:

Press CTRL+C and set the default kernel debug options


[Expert@GW_HostName]# fw ctl debug 0

Note:
◦ If you started the kernel debug from a shell script, there is no CTRL+C to press: just set the default kernel debug options ('fw ctl debug 0').

Important Notes about 'cpstop' and 'cpstart':

• When running the 'cpstop' command, all Check Point services are stopped - and the kernel debug will stop printing debug messages.

• When running the 'cpstart' command (after the 'cpstop'), the kernel debug will continue printing debug messages.

Important Notes about Security Gateway in VSX mode:

• In VSX NGX / VSX R6x, the kernel debug commands can be run from the context of any Virtual Device.

• In VSX R6x, if you wish to filter the debug for messages only from specific Virtual Devices, specify the relevant VSIDs with '-v' when setting the flags (as in the syntax above, '-v' takes a quoted list of VSIDs or 'all'):

[Expert@GW_HostName:0]# fw ctl debug -v "<VSID1>, <VSID2>" -m MODULE + flags

Note: Refer to VSX NGX R65 Administration Guide - 'Per Virtual System Debugging'.

• In R75.40VS and above, you have to switch to the context of the specific Virtual Device, and then run the usual debugging commands:

[Expert@GW_HostName:0]# vsenv <VSID>
[Expert@GW_HostName:<VSID>]# fw ctl debug ...

(12-2) Debugging action plan

1. Prepare the kernel debug options:

A. Set default kernel debug options:

[Expert@GW_HostName]# fw ctl debug 0

Should get this message:


Defaulting all kernel debugging options

B. Set kernel debug buffer:

[Expert@GW_HostName]# fw ctl debug -buf 32000

Should get this message:


Initialized kernel debugging buffer to size 32000K

Note:
• Any other message means that there was a problem allocating the buffer (e.g., "Failed to allocate kernel debugging buffer"), and you should not continue until that issue is resolved.

C. Set relevant kernel debug flags in relevant kernel debugging modules:

[Expert@GW_HostName]# fw ctl debug -m MODULE + FLAG1 FLAG2 ... FLAGn


or
[Expert@GW_HostName]# fw ctl debug -m MODULE all

Should get this message:


Updated kernel's debug variable for module MODULE

Note:
• Pay close attention to the name of the kernel debug module.

2. Verify the kernel debug options:

[Expert@GW_HostName]# fw ctl debug -m MODULE

Should get this output:


Kernel debugging buffer size: 32000KB
Module: MODULE
Enabled Kernel debugging options: LIST OF FLAGS

Notes:
• Pay close attention to the size of the kernel debugging buffer.
• Pay close attention to the name of the kernel debugging module.
• The order of the flags in this output does not matter - just all the flags you set have to be here.


3. Start the kernel debug:

[Expert@GW_HostName]# fw ctl kdebug -T -f > /var/log/debug.txt

Should see the blinking cursor - the debug has started.

You can open a new shell and verify that the information is written into the output file:
[Expert@GW_HostName]# tail -f /var/log/debug.txt

4. If needed, start capturing the relevant traffic:

A. Start Check Point FW Monitor (refer to sk30583).

B. Start TCPdump on relevant interfaces (refer to TCPdump manual page).

Note:
• It is strongly recommended to filter only the relevant traffic.

5. Replicate the issue:

A. Initiate the problematic traffic (write down exact times, IP addresses, ports, etc).

B. Repeat the steps that lead to unwanted behaviour.

C. Make sure the issue was replicated.

6. Stop the kernel debug and set default kernel debug options:

Press CTRL+C
[Expert@GW_HostName]# fw ctl debug 0

7. Stop the traffic captures:

Press CTRL+C

8. Collect the debug output files (from kernel debug and traffic captures) and all other related files (OS logs, CPinfo files, daemons' logs, SmartView Tracker logs, etc).

(12-3) Debugging Modules and Flags

This section covers the most relevant kernel parameters and debugging modules.

Note: Contact Check Point Support to get more precise debug instructions that are relevant to your specific issue.

Global Kernel parameters

Before starting the kernel debug itself, pay attention to the following global kernel parameters (after the debug, set the default values back):

• Set this kernel parameter to zero to disable the time window used to rate-limit debug messages (default - 60; zero - disables the limit):

[Expert@GW_HostName]# fw ctl set int fw_kdprintf_limit_time 0

• Set this kernel parameter to zero to disable the limit on the number of debug messages (default - 30; zero - disables the limit) that are printed within the time window set by fw_kdprintf_limit_time:

[Expert@GW_HostName]# fw ctl set int fw_kdprintf_limit 0

• Set this kernel parameter to print a dump of each packet when the 'packet' flag is enabled in the 'fw' module (very helpful for Check Point R&D):

[Expert@GW_HostName]# fw ctl set int fw_debug_dump_packet 1

Notes:
◦ This parameter is available only in R75.40VS, R76, R77 and above.
◦ Enabling the debug with the 'packet' flag in the 'fw' module creates high load on the CPU.
◦ Enabling the parameter 'fw_debug_dump_packet' creates high load on the CPU.
◦ Values set with 'fw ctl set int' are runtime-only and do not survive a reboot; still, restore the defaults noted above as soon as the debug is finished.

Kernel debugging modules and debug flags

• Firewall module: fw ctl debug -m fw + flag1 flag2 ... flagN

Flag      Explanation
conn      Connections Table issues
drop      Associates a reason for (almost) every dropped packet
error     Various general error messages (enabled by default)
hold      Holding mechanism and all packets being held / released
ld        Kernel dynamic tables infrastructure - reads and writes to the tables (very verbose; machine can hang!)
link      Link creation in Connections Table
log       Everything related to creating of logs
mgcp      Media Gateway Control Protocol (complementary to H.323 and SIP)
msnms     MSN over MSNMS (MSN Messenger protocol) - always include the 'sip' flag as well
nat       NAT issues - basic information
sip       VoIP traffic - SIP and H.323
sync      ClusterXL - state synchronization operations
ua        VoIP traffic - Universal Alcatel "UA" Protocol
vm        Virtual Machine chain decisions
warning   Various general warning messages (enabled by default)
xlate     NAT issues - basic information
xltrc     NAT issues - additional information - going through the NAT rulebase

• Check Point Active Streaming module: fw ctl debug -m CPAS + flag1 flag2 ... flagN

Flag      Explanation
api       Interface layer messages
conns     Detailed description of connections, and connection's limit-related messages
error     Errors: the connection is probably rejected
events    Event-related messages
glue      Glue layer messages
pkts      Packets handling messages (allocation, splitting, resizing, etc.)
skinny    SCCP (Skinny Client Control Protocol) - Cisco proprietary VoIP protocol
sync      ClusterXL - state synchronization operations
tcp       TCP processing messages
tcpinfo   TCP processing messages - more detailed description
timer     Reports of timer ticks (pours many messages, without real content)
warning   Warnings: may affect connection's behavior

• H.323 module: fw ctl debug -m h323 + flag1 flag2 ... flagN

Flag      Explanation
align     VoIP debug general messages (e.g., VoIP infrastructure)
cpas      CPAS TCP debug messages - since H.323 signaling (H.225 and H.245) is over TCP. Note: this flag is not included when the debug is run with the "all" flag (fw ctl debug -m h323 all)
decode    H.323 decoder messages
error     Various general error messages (enabled by default)
h225      H.225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.)
h245      H.245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.)
init      Used for internal errors
ras       H.225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)

• Cluster module: fw ctl debug -m cluster + flag1 flag2 ... flagN

Refer to sk93306 - ATRG: ClusterXL R6x and R7x - chapter 'ClusterXL Debugging'.

Flag      Explanation
accel     Related to status and support of SecureXL (use with 'conf')
conf      Configuration and policy installation
df        Decision Function - decides which member will handle each packet in a Load Sharing mode
drop      Connections dropped by the CXL Decision Function (DF) module - excluding CCP packets
forward   Forwarding Layer messages - sending and receiving a forwarded packet
log       Creating and sending of logs by cluster (should be used in parallel with the 'log' flag in the 'fw' module)
pivot     All decisions made in ClusterXL Load Sharing Unicast
pnote     Related to registering and monitoring of critical devices (pnotes)
select    Packet selection - including Decision Function (DF)
stat      Related to state of cluster members (state machine)

(13) Debug instructions


General debug instructions are provided below

Note: Contact Check Point Support to get more precise debug instructions that are relevant to your specific issue.

(13-1) Issues with SIP over UDP traffic

1. Prepare the kernel debug options:

[Expert@GW_HostName]# fw ctl debug 0


[Expert@GW_HostName]# fw ctl debug -buf 32000
[Expert@GW_HostName]# fw ctl debug -m fw + mgcp sip conn drop vm nat xlate xltrc

Note: It is also recommended to enable the 'ld' flag in the 'fw' module. Warning: this flag causes high CPU load.

2. Verify the kernel debug options:

[Expert@GW_HostName]# fw ctl debug -m fw

3. Start the kernel debug:

[Expert@GW_HostName]# fw ctl kdebug -T -f > /var/log/debug.txt

4. Start the traffic capture in another shell

[Expert@GW_HostName]# fw monitor -e "host(X.X.X.X), accept;" -o /var/log/fw_mon.cap

5. Replicate the issue.

6. Stop the kernel debug:

Press CTRL+C
[Expert@GW_HostName]# fw ctl debug 0

7. Stop the traffic capture in another shell:

Press CTRL+C

8. Collect the debug output files:

   /var/log/debug.txt
   /var/log/fw_mon.cap

(13-2) Issues with SIP over TCP traffic

1. Prepare the kernel debug options:

[Expert@GW_HostName]# fw ctl debug 0


[Expert@GW_HostName]# fw ctl debug -buf 32000
[Expert@GW_HostName]# fw ctl debug -m fw + mgcp sip conn drop vm nat xlate xltrc
[Expert@GW_HostName]# fw ctl debug -m CPAS all

Note: It is also recommended to enable the 'ld' flag in the 'fw' module. Warning: this flag causes high CPU load.

2. Verify the kernel debug options:

[Expert@GW_HostName]# fw ctl debug -m fw


[Expert@GW_HostName]# fw ctl debug -m CPAS

3. Start the kernel debug:


[Expert@GW_HostName]# fw ctl kdebug -T -f > /var/log/debug.txt

4. Start the traffic capture in another shell

[Expert@GW_HostName]# fw monitor -e "host(X.X.X.X), accept;" -o /var/log/fw_mon.cap

5. Replicate the issue.

6. Stop the kernel debug:

Press CTRL+C
[Expert@GW_HostName]# fw ctl debug 0

7. Stop the traffic capture in another shell:

Press CTRL+C

8. Collect the debug output files:

   /var/log/debug.txt
   /var/log/fw_mon.cap

(13-3) Issues with H.323 traffic

1. Prepare the kernel debug options:

[Expert@GW_HostName]# fw ctl debug 0


[Expert@GW_HostName]# fw ctl debug -buf 32000
[Expert@GW_HostName]# fw ctl debug -m fw + mgcp sip conn drop vm nat xlate xltrc
[Expert@GW_HostName]# fw ctl debug -m h323 all
[Expert@GW_HostName]# fw ctl debug -m CPAS all

Note: It is also recommended to enable the 'ld' flag in the 'fw' module. Warning: this flag causes high CPU load.

2. Verify the kernel debug options:

[Expert@GW_HostName]# fw ctl debug -m fw


[Expert@GW_HostName]# fw ctl debug -m h323
[Expert@GW_HostName]# fw ctl debug -m CPAS

3. Start the kernel debug:

[Expert@GW_HostName]# fw ctl kdebug -T -f > /var/log/debug.txt

4. Start the traffic capture in another shell

[Expert@GW_HostName]# fw monitor -e "host(X.X.X.X), accept;" -o /var/log/fw_mon.cap

5. Replicate the issue.

6. Stop the kernel debug:

Press CTRL+C
[Expert@GW_HostName]# fw ctl debug 0

7. Stop the traffic capture in another shell:

Press CTRL+C

8. Collect the debug output files:

   /var/log/debug.txt
   /var/log/fw_mon.cap

(13-4) Issues with SCCP (Skinny) traffic

1. Prepare the kernel debug options:

[Expert@GW_HostName]# fw ctl debug 0


[Expert@GW_HostName]# fw ctl debug -buf 32000
[Expert@GW_HostName]# fw ctl debug -m fw + conn drop vm nat xlate xltrc
[Expert@GW_HostName]# fw ctl debug -m CPAS all

Note: It is also recommended to enable the 'ld' flag in the 'fw' module. Warning: this flag causes high CPU load.

2. Verify the kernel debug options:


[Expert@GW_HostName]# fw ctl debug -m fw


[Expert@GW_HostName]# fw ctl debug -m CPAS

3. Start the kernel debug:

[Expert@GW_HostName]# fw ctl kdebug -T -f > /var/log/debug.txt

4. Start the traffic capture in another shell

[Expert@GW_HostName]# fw monitor -e "host(X.X.X.X), accept;" -o /var/log/fw_mon.cap

5. Replicate the issue.

6. Stop the kernel debug:

Press CTRL+C
[Expert@GW_HostName]# fw ctl debug 0

7. Stop the traffic capture in another shell:

Press CTRL+C

8. Collect the debug output files:

   /var/log/debug.txt
   /var/log/fw_mon.cap

(13-5) Issues with Windows Messenger traffic

1. Prepare the kernel debug options:

[Expert@GW_HostName]# fw ctl debug 0


[Expert@GW_HostName]# fw ctl debug -buf 32000
[Expert@GW_HostName]# fw ctl debug -m fw + mgcp sip msnms conn drop vm nat xlate xltrc
[Expert@GW_HostName]# fw ctl debug -m CPAS all

Note: It is also recommended to enable the 'ld' flag in the 'fw' module. Warning: this flag causes high CPU load.

2. Verify the kernel debug options:

[Expert@GW_HostName]# fw ctl debug -m fw


[Expert@GW_HostName]# fw ctl debug -m CPAS

3. Start the kernel debug:

[Expert@GW_HostName]# fw ctl kdebug -T -f > /var/log/debug.txt

4. Start the traffic capture in another shell

[Expert@GW_HostName]# fw monitor -e "host(X.X.X.X), accept;" -o /var/log/fw_mon.cap

5. Replicate the issue.

6. Stop the kernel debug:

Press CTRL+C
[Expert@GW_HostName]# fw ctl debug 0

7. Stop the traffic capture in another shell:

Press CTRL+C

8. Collect the debug output files:

   /var/log/debug.txt
   /var/log/fw_mon.cap
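
The procedures in sections (13-1) to (13-5) are the action plan of section (12-2) with a different flag set per protocol, so they can be driven by one script. The script below is an added example written for this page, not Check Point code: it encodes the five flag sets verbatim, refuses to continue unless the buffer allocation message is the exact one step 1B expects, re-reads each module's flags (step 2) before starting the collector, and, because a script has no CTRL+C, stops the debug with 'fw ctl debug 0' and a SIGTERM to the collector and fw monitor processes. It assumes a Gaia Expert shell with fw in PATH; OUT_DIR, BUF_KB, PID_FILE, EXTRA_FW_FLAGS, the protocol names and the archive name are this example's own conventions.

```shell
#!/bin/bash
# Added example, not Check Point code: the kernel-debug action plan of (12-2)
# with the per-protocol flag sets of (13-1)..(13-5), for a Gaia Expert shell
# with 'fw' in PATH. OUT_DIR, BUF_KB, PID_FILE, EXTRA_FW_FLAGS and the archive
# name are this script's own conventions, not Check Point ones.
set -u

OUT_DIR=${OUT_DIR:-/var/log}            # where debug.txt and fw_mon.cap are written
BUF_KB=${BUF_KB:-32000}                 # the buffer size the article uses
PID_FILE=${PID_FILE:-/tmp/voip_kdebug.pids}

# "module:flags" entries separated by ';', copied from sections (13-1)..(13-5).
# 'ld' is left out on purpose (the article warns it causes high CPU load);
# add it with EXTRA_FW_FLAGS=ld when Support asks for it.
flag_sets() {
  case "$1" in
    sip-udp) echo "fw:mgcp sip conn drop vm nat xlate xltrc" ;;
    sip-tcp) echo "fw:mgcp sip conn drop vm nat xlate xltrc;CPAS:all" ;;
    h323)    echo "fw:mgcp sip conn drop vm nat xlate xltrc;h323:all;CPAS:all" ;;
    sccp)    echo "fw:conn drop vm nat xlate xltrc;CPAS:all" ;;
    msn)     echo "fw:mgcp sip msnms conn drop vm nat xlate xltrc;CPAS:all" ;;
    *) echo "unknown protocol '$1' (sip-udp|sip-tcp|h323|sccp|msn)" >&2; return 1 ;;
  esac
}

# Step 1B: any output other than this exact line means the buffer was not
# allocated and the debug must not continue.
buf_ok() {  # $1 = output of 'fw ctl debug -buf $BUF_KB'
  [ "$1" = "Initialized kernel debugging buffer to size ${BUF_KB}K" ]
}

# Step 2: the buffer size and module name must be the ones we set, and every
# flag must appear in the 'Enabled Kernel debugging options:' line (the order
# does not matter). 'all' cannot be checked flag by flag.
flags_verified() {  # $1 = output of 'fw ctl debug -m MODULE', $2 = module, $3 = flags
  printf '%s\n' "$1" | grep -q "^Kernel debugging buffer size: ${BUF_KB}KB" || return 1
  printf '%s\n' "$1" | grep -q "^Module: $2\$" || return 1
  if [ "$3" = all ]; then return 0; fi
  enabled=$(printf '%s\n' "$1" | sed -n 's/^Enabled Kernel debugging options: //p')
  for f in $3; do
    case " $enabled " in *" $f "*) ;; *) return 1 ;; esac
  done
  return 0
}

start() {  # start <protocol> <endpoint-ip>
  sets=$(flag_sets "$1") || return 1
  host=$2
  fw ctl debug 0 >/dev/null                                     # step 1A
  out=$(fw ctl debug -buf "$BUF_KB")                             # step 1B
  buf_ok "$out" || { echo "buffer not allocated: $out" >&2; return 1; }
  saved_ifs=$IFS; IFS=';'
  for entry in $sets; do
    IFS=$saved_ifs
    mod=${entry%%:*}; flags=${entry#*:}
    if [ "$mod" = fw ] && [ -n "${EXTRA_FW_FLAGS:-}" ]; then flags="$flags $EXTRA_FW_FLAGS"; fi
    if [ "$flags" = all ]; then fw ctl debug -m "$mod" all >/dev/null        # step 1C
    else fw ctl debug -m "$mod" + $flags >/dev/null; fi
    if ! flags_verified "$(fw ctl debug -m "$mod")" "$mod" "$flags"; then  # step 2
      echo "flags for module $mod are not active; resetting" >&2
      fw ctl debug 0 >/dev/null; return 1
    fi
  done
  IFS=$saved_ifs
  fw ctl kdebug -T -f > "$OUT_DIR/debug.txt" &                   # step 3
  echo $! > "$PID_FILE"
  fw monitor -e "host($host), accept;" -o "$OUT_DIR/fw_mon.cap" >/dev/null 2>&1 &   # step 4
  echo $! >> "$PID_FILE"
  echo "debug running; reproduce the issue, then run: $0 stop"
}

stop() {
  fw ctl debug 0                                                 # step 6: back to defaults
  if [ -f "$PID_FILE" ]; then                                    # no CTRL+C from a script:
    for p in $(cat "$PID_FILE"); do kill -TERM "$p" 2>/dev/null || true; done  # end collector + fw monitor
    rm -f "$PID_FILE"
  fi
  stamp=$(date +%Y%m%d_%H%M%S)                                   # step 8: collect the files
  tar czf "$OUT_DIR/voip_debug_$stamp.tgz" -C "$OUT_DIR" debug.txt fw_mon.cap
  echo "collected: $OUT_DIR/voip_debug_$stamp.tgz"
}

case "${1:-}" in
  start) start "${2:?protocol}" "${3:?endpoint IP}" ;;
  stop)  stop ;;
  *)     echo "usage: $0 start <sip-udp|sip-tcp|h323|sccp|msn> <endpoint-ip> | $0 stop" ;;
esac
```

Run './voip_kdebug.sh start sip-udp 10.1.1.20' (the endpoint address is what fw monitor filters on), reproduce the call, then './voip_kdebug.sh stop'; the archive it writes contains the debug.txt and fw_mon.cap that section (11-2) asks you to send to Support. As with the manual procedure, run it only in a maintenance window, and note that the 'ld' flag is excluded unless you opt in.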

(14) Overview of SmartView Tracker logs


• (14-1) All protocols

Log message: Illegal redirect X.X.X.X -> X.X.X.X
Possible cause:
  ◦ A VoIP Domain object was defined, but was not included in the rulebase.
  ◦ These IP addresses do not belong to the related endpoints.
Suggested solution:
  1. If a VoIP domain is not required, delete the VoIP domain object.
  2. If a hand over domain is required, add the hand over domain to the rulebase.
  3. If a hand over domain is required, add the related endpoints' IP addresses to the corresponding hand over domain.
IPS protection: (none)

Log message: Host exceeded call limit (possible spam or DoS attack)
Possible cause: The number of call attempts exceeded the number defined in the IPS "VoIP Denial of Service" protection. Further packets were rejected.
Suggested solution:
  ◦ Either increase the number of allowed call attempts in the IPS "VoIP Denial of Service" protection,
  ◦ Or disable the IPS "VoIP Denial of Service" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - VoIP Denial of Service - select the relevant IPS Profile

• (14-2) SIP

Log message: NOTIFY message out of state
Possible cause: This message can appear for numerous messages, not only for NOTIFY. It usually indicates a problem in the SIP state machine.
Suggested solution: Contact Check Point Support after you collect the relevant SIP debug.
IPS protection: (none)

Log message: Violated unidirectional connection
Possible cause: Trying to use bi-directional SIP connections.
Suggested solution: In the rulebase, add the 'sip_dynamic_ports' service (located in the 'Other' group) to the corresponding SIP rule.
IPS protection: (none)

Log message: Connection contains real IP of NATed address
Possible cause: A real IP address appeared instead of the NATed IP address.
Suggested solution: Contact Check Point Support after you collect the relevant SIP debug.
IPS protection: (none)

Log message: Malformed SIP datagram, invalid SIP headers
Possible cause: Security Gateway expected a certain field in the SIP packet, but the field is missing.
Suggested solution: Contact Check Point Support after you collect the relevant SIP debug.
IPS protection: (none)

Log message: Enforcing major security - reinvents rejected
Possible cause: The destination tries to re-INVITE an existing call.
Suggested solution: Disable the "Block the destination from re-inviting calls" setting in the relevant IPS profile.
  Note: This setting prevents the destination from opening additional data connections with IP addresses that are not the same as the first data connection while a call is still active.
IPS protection: Follow these steps:
  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
  2. Connect to the Security Management Server with the GuiDBedit Tool.
  3. In the left upper pane, go to 'Table' - 'Managed Objects' - 'asm'.
  4. In the right upper pane, select the relevant IPS profile (Class Name = advanced_security).
  5. Press CTRL+F (or go to 'Search' menu - 'Find') - paste sip_enforce_security_reinvite - click on 'Find Next'.
  6. In the lower pane, right-click on sip_enforce_security_reinvite - 'Edit...' - choose "false" - click on 'OK'.
  7. Save the changes: go to 'File' menu - click on 'Save All'.
  8. Close the GuiDBedit Tool.
  9. Connect to the Security Management Server with SmartDashboard.
  10. Install the policy onto the relevant Security Gateway / Cluster object.

Log message: Reinvents exceeds the limit
Possible cause: The number of maximum allowed invitations per call has been exceeded.
Suggested solution: Increase the value of "Maximum invitations per call (from both directions)" in the IPS "SIP Protections" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - SIP - SIP Protections - select the relevant IPS Profile

• (14-3) H.323

Log message: Received Unregistration request without prior registration
Possible cause: The 'h323_registration' kernel table is empty and the phone executed an 'Unregistration' request.
Suggested solution:
  1. Reopen the H.323 client to register the new details again.
  2. Adjust the 'Virtual Session Timeout' values in the 'Advanced Service Properties' window of the H323_ras service.
IPS protection: (none)

Log message: Invalid H.225 session. Not initialized with Setup Message
Possible cause: H.225 packets were received without a 'Setup' message.
Suggested solution: Check the network / routing configuration on the network.
IPS protection: (none)

Log message: Confirm to unknown request
Possible cause: ACF/GRQ/GCF/LRQ/LCF were received without a prior 'ARQ'.
Suggested solution: Check the network / routing configuration on the network.
IPS protection: (none)

Log message: Malformed RAS message. No source phone number
Possible cause: Security Gateway supports the phone number in an E.164 format.
Suggested solution: Verify that the destination/source numbers are in an E.164 format.
IPS protection: (none)

• (14-4) MGCP

Log message: Unallowed MGCP datagram, command blocked
Possible cause: This message is not in the list of allowed commands in the IPS "MGCP" protection.
Suggested solution: Add the command to the list of Allowed Commands in the IPS "MGCP" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - MGCP - select the relevant IPS Profile

Log message: broadcast/multicast addresses are not accepted (client) / broadcast/multicast addresses are not accepted (server)
  Note: This log does not exist in R76, R77 and above.
Possible cause: The IPS "MGCP" protection was configured to drop multicast RTP connections.
Suggested solution: Disable the "Drop multicast RTP connections" option in the IPS "MGCP" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - MGCP - select the relevant IPS Profile

Log message: Connection contains real IP of NATed address
Possible cause: A message between the Call Manager and the Security Gateway should be NATed, but contains the real IP address.
Suggested solution: Check that your configuration and topology are supported by Check Point.
IPS protection: (none)

• (14-5) SCCP (Skinny)

Log message: Unknown SCCP message type
Possible cause: The specific SCCP protocol is not supported by the Security Gateway.
Suggested solution: Contact Check Point Support.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - SCCP (Skinny) - select the relevant IPS Profile

Log message: Connection contains real IP of NATed address
Possible cause: A message between the Call Manager and the Security Gateway should be NATed, but contains the real IP address.
Suggested solution: NAT for the SCCP service is not supported by the Security Gateway. NAT should not be applied on the Call Manager and its related endpoints.
IPS protection: (none)

• (14-6) MSN over SIP

Log message: File Transfer is not allowed by the security policy
Possible cause:
  ◦ The service 'MSN_Messenger_File_Transfer' is not allowed explicitly in the rulebase.
  ◦ The "Block file transfer" option is enabled in the "MSN Messenger over SIP" protection.
Suggested solution:
  ◦ Use the service 'MSN_Messenger_File_Transfer' explicitly in the rulebase.
  ◦ Disable the "Block file transfer" option in the "MSN Messenger over SIP" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - Instant Messengers - MSN Messenger over SIP - select the relevant IPS Profile

Log message: Application Sharing is not allowed by the security policy
Possible cause: The "Block application sharing" option is enabled in the "MSN Messenger over SIP" protection.
Suggested solution: Disable the "Block application sharing" option in the "MSN Messenger over SIP" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - Instant Messengers - MSN Messenger over SIP - select the relevant IPS Profile

Log message: Whiteboard is not allowed by the security policy
Possible cause: The "Block white board" option is enabled in the "MSN Messenger over SIP" protection.
Suggested solution: Disable the "Block white board" option in the "MSN Messenger over SIP" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - Instant Messengers - MSN Messenger over SIP - select the relevant IPS Profile

Log message: Remote Assistance is not allowed by the security policy
Possible cause: The "Block remote assistant" option is enabled in the "MSN Messenger over SIP" protection.
Suggested solution: Disable the "Block remote assistant" option in the "MSN Messenger over SIP" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - Instant Messengers - MSN Messenger over SIP - select the relevant IPS Profile

Log message: Instant Messaging is not allowed by the security policy
Possible cause: The "Block SIP-based Instant Messaging" option is enabled in the IPS "SIP Filtering" protection.
Suggested solution: Disable the "Block SIP-based Instant Messaging" option in the IPS "SIP Filtering" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - SIP - SIP Filtering - select the relevant IPS Profile

Log message: Illegal redirect X.X.X.X -> X.X.X.X
Possible cause: The "Block calls using a proxy or a redirect server" option is enabled in the IPS "SIP Custom Properties" protection.
Suggested solution: Disable the "Block calls using a proxy or a redirect server" option in the IPS "SIP Custom Properties" protection.
IPS protection: 'IPS' tab - Protections - By Protocol - Application Intelligence - VoIP - SIP - SIP Custom Properties - select the relevant IPS Profile

(15) Documentation
(15-1) Check Point Release Notes

Release Notes: R70, R70.10, R70.20, R70.30, R70.40, R70.50, R71, R71.10, R71.20, R71.30, R71.40, R71.45, R71.50, R75, R75.10, R75.20, R75.30, R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77

(15-2) Check Point Administration Guides

Firewall Administration Guide: R70, R71, R75, R75.20, R75.40

VoIP Administration Guide: R75.40VS, R76, R77

Command Line Interface Reference Guide: R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77

(15-3) RFC

Session Initiation Protocol (SIP):
• RFC 3261 - SIP (base specification)
• RFC 3372 - SIP-T
• RFC 3311 - UPDATE message
• RFC 2976 - INFO message
• RFC 3515 - REFER message
• RFC 3265 - SIP Events
• RFC 3266 - IPv6 in SDP
• RFC 3262 - Reliability of Provisional responses
• RFC 3428 - MESSAGE message, MSN messenger over SIP, SIP over TCP, SIP over UDP, SIP early media

Media Gateway Control Protocol (MGCP):
• RFC 3435 - MGCP v1.0
• J.171 - Trunking Gateway Control Protocol (TGCP) Profile 2
• RFC 3661 - Media Gateway Control Protocol (MGCP) Return Code Usage

(15-4) External references

SIP:
• Wikipedia: Session Initiation Protocol
• IANA: SIP Parameters
• Packetizer®: http://www.packetizer.com/ipmc/sip/

SDP:
• Wikipedia: Session Description Protocol

H.323:
• Wikipedia: H.323
• Cisco: H.323
• Packetizer®: http://www.packetizer.com/ipmc/h323/
• H.323 Forum: http://www.h323forum.org

RTP:
• Wikipedia: Real-time Transport Protocol

RTCP:
• Wikipedia: RTP Control Protocol

MGCP:
• Wikipedia: Media Gateway Control Protocol
• Cisco: Media Gateway Control Protocol (MGCP)

SCCP (Skinny):
• Wikipedia: Skinny Call Control Protocol (SCCP)
• Cisco: Skinny Call Control Protocol (SCCP)

Windows Messenger:
• Wikipedia: Windows Messenger
• Microsoft: Description of the Windows Messenger client basic protocol port usage for instant messaging, file transfer, audio, and video
• Microsoft: Network ports and URLs that are used by Windows Live Messenger

(16) Related solutions and documents


(16-1) Configuration

sk60323 - How To Secure VoIP

sk14587 - How to configure VoIP (H.323)

Enlarging kernel tables for concurrent SIP calls

sk32100 - H323 support

sk92858 - How to control IPS inspection of H323 traffic

sk20371 - What is the difference between "H323" and "H323_any" services?

sk41075 - What are the NAT restrictions for SIP (Session Initiation Protocol)?

sk98354 - Ability to completely disable NAT of H323 packets on specific Security Gateway with no dependency on the NAT rulebase

sk41548 - Does Check Point support RTSP over UDP?

sk35113 - Supporting SCTP IP protocol

sk35649 - Bypassing 'early nat' for MGCP

sk32474 - How to add an MGCP dynamic port service

sk31759 - What VoIP protocols are supported by VPN-1 Edge inspect engine?

sk113573 - Configuring VoIP on Locally Managed 600 / 700 / 1100 / 1200R / 1400 appliances

(16-2) Troubleshooting

sk34298 - VoIP traffic is dropped with the 'Illegal redirect' message in the SmartView Tracker

sk85301 - SIP packet dropped by illegal redirect

sk35563 - SmartView Tracker shows that SIP packets are dropped with "SIP Re-Invites exceeded the limit" log, or "Reinvites exceed the limit" log

sk104786 - Avaya VoIP calls with Avaya Call Manager fail through Check Point Security Gateway

sk36185 - VoIP traffic fails when Manual NAT is used

sk115038 - Audio in SIP call is only in one way on SNX client when Office Mode IP address is hidden behind Static NAT

sk113749 - H.323 VoIP call drops after exactly one hour because Keep Alive "ACK" packets are not forwarded to the VoIP client

sk114977 - Security Gateway / Active cluster member freezes / locks up randomly when processing H.323 traffic

sk92814 - SIP/MGCP packets that should be encrypted are sent in clear text when SecureXL is enabled on R75.40VS

sk80160 - VSX Virtual System drops VoIP traffic with 'Encrypted packet on non encryption connection'


sk93034 - Media (RTP) does not pass over VoIP call initiated from Cisco Unified Communications Manager (CUCM) v8.6.2 to Media Gateway through Check Point Security Gateway

sk44266 - VoIP calls pass only one direction when using SIP

sk68221 - Dropped SIP traffic with "Malformed SIP datagram"

sk34822 - MGCP traffic is not passing through the Security Gateway because of 'Buffer for Endpoint IP too short'

sk65072 - How to disable 'fw early SIP nat' chain / SIP inspection

sk34537 - "Unknown SCCP message type" error message

sk66295 - MGCP packets with Response Code 100 are dropped by Security Gateway

sk43033 - The FW answers SYN packets on port 1720 - H.323

sk37452 - SIP packets with over 30 headers are blocked by the Security Gateway

sk42370 - Call from or to a SIP agent cannot be established

sk94846 - SIP traffic is dropped by IPS with "SIP Keep-Alive messages are not allowed" error

sk93752 - 'sip reason: Too many streams in SDP' drop log in SmartView Tracker

sk39078 - SIP deregister message gets dropped with reason "First packet isn't SYN"

sk42337 - Video traffic over H323 protocol disconnects after about 50-60 minutes

sk35945 - RTSP traffic is dropped when SecureXL is enabled

sk43767 - NATed RTSP streaming traffic stops passing after several days of normal functionality

sk92803 - Polycom Video conference over H323 (RSVP) is dropped by Security Gateway running on SecurePlatform/Gaia OS due to IP options in the packets

sk63600 - After upgrade from R7x to R75, H323-video conference from external is not established

sk92523 - Gateway does not record RTP session information correctly for SIP

sk31458 - VoIP H323 packets that are hidden behind NAT, are not translated correctly on a VPN-1 Edge device

sk32474 - Authorized MGCP traffic is dropped by the Security Gateway

(16-3) Additional references

Firewall Software Blade

sk52421 - Ports used by Check Point software

sk31832 - How to prevent ClusterXL / VRRP / IPSO IP Clustering from hiding its own traffic behind Virtual IP address (location of 'table.def')

sk30919 - Creating customized rules for Check Point Security Gateway - 'user.def' file (location of 'user.def')

sk92281 - Creating customized implied rules for Check Point Security Gateway - 'implied_rules.def' file (location of 'implied_rules.def')

sk95147 - Modifying definitions of packet inspection on Security Gateway for different protocols - 'base.def' file (location of 'base.def')

sk98722 - ATRG: SecureXL

sk98737 - ATRG: CoreXL

sk93306 - ATRG: ClusterXL R6x and R7x

sk98348 - Best Practices - Security Gateway Performance

sk33781 - Performance analysis for Security Gateway NGX R65 / R7x

sk65133 - Connections Table Format

(17) Revision history

