Basic Configuration

In This Section:

VoIP in SmartDashboard

Basic Configuration Workflow

Defining the SIP Server

Defining the SIP Endpoints

Defining the Security Rule

Testing the Configuration

VoIP in SmartDashboard

VoIP in SmartDashboard is configured in two places:

  • On the Firewall tab

    Use the Firewall tab to configure:

    • Security rules for VoIP traffic
    • Host and Network objects for VoIP Endpoints and Servers
    • NAT on VoIP Endpoint and Server objects
  • On the IPS tab

    Use the IPS tab to:

    • Configure VoIP Engine settings for each protocol (SIP, H.323, MGCP and SCCP)
    • Apply VoIP IPS protections

    IPS tab > Protections > By Protocol > IPS Software Blade > Application Intelligence > VoIP

Basic Configuration Workflow

This section describes the workflow for a basic SIP configuration.

We assume:

  • You have installed a Security Gateway and Security Management Server.
  • The VoIP phones in the external networks are:
    • Not behind a NAT device or
    • Behind a NAT device that is VoIP-aware

To configure VoIP:

  1. Log in to SmartDashboard.
  2. Define the Security Gateway.
  3. Define the VoIP server.
  4. Define the VoIP endpoints.
  5. Define a VoIP security rule.
  6. Install the Security Policy.
  7. Test the configuration.

Defining the SIP Server

To define a SIP server (also known as a SIP Proxy or a Registrar) use the regular Host object in:

SmartDashboard > Network Objects > New > Check Point > Host...

For example, name the host: sip_server_host.

Defining the SIP Endpoints

Define the internal VoIP phones (endpoints) by:

  • Defining networks or host objects or
  • A group of hosts and network objects

For example, a group of internal networks might be named: internal_net.

Defining the Security Rule

Configure a simple security rule that allows traffic between endpoints on the internal network and the SIP server in the external network.

  1. Click the Security tab.
  2. Add this rule and install the policy:

Source            Destination       Service             Action
internal-net      sip_server_host   sip                 Accept
sip_server_host   internal-net      sip_dynamic_ports
                                    sip-tcp
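
The following is an added example, not part of the original Check Point guide. It models how the rule above matches traffic, reading the table as one rule whose Source and Destination cells each list both objects, and shows which object pairs it accepts beyond the stated intent. The IP addresses and the helper names (object_of, matches, permitted_pairs, beyond_intent) are assumptions made for illustration; services are compared by name only.

```python
import ipaddress
from itertools import product

# Constructed addresses (assumptions): the page names the objects but gives no IPs.
OBJECTS = {
    "internal-net": ipaddress.ip_network("10.1.0.0/16"),
    "sip_server_host": ipaddress.ip_network("203.0.113.10/32"),
}

# The rule from the table, read as one rule with multi-valued cells.
RULE = {
    "source": ["internal-net", "sip_server_host"],
    "destination": ["sip_server_host", "internal-net"],
    "service": ["sip", "sip_dynamic_ports", "sip-tcp"],
    "action": "Accept",
}

# The intent stated in the text: internal endpoints <-> SIP server.
INTENDED = {("internal-net", "sip_server_host"), ("sip_server_host", "internal-net")}


def object_of(ip):
    """Return the name of the object that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in OBJECTS.items():
        if addr in net:
            return name
    return None


def matches(rule, src_ip, dst_ip, service):
    """Objects inside one cell are OR-ed; the cells are AND-ed."""
    return (object_of(src_ip) in rule["source"]
            and object_of(dst_ip) in rule["destination"]
            and service in rule["service"])


def permitted_pairs(rule):
    """Every (source, destination) object pair the rule matches."""
    return set(product(rule["source"], rule["destination"]))


def beyond_intent(rule):
    """Pairs the rule matches that are not part of the stated intent."""
    return sorted(permitted_pairs(rule) - INTENDED)


if __name__ == "__main__":
    for pair in beyond_intent(RULE):
        print("also matched:", pair)
```

If the extra pairs are not wanted, two rules (one per direction) express the stated intent exactly. The model covers only static matching on object and service name.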

Testing the Configuration

Test the configuration by making phone calls from an:

  • Internal phone to an internal phone.
  • Internal phone to an external phone.
  • External phone to an internal phone.

After making each call, see the resulting logs in SmartView Tracker.

To see the VoIP logs:

  1. From the SmartDashboard File menu, select Window > SmartView Tracker.

    SmartView Tracker opens.

  2. Under the Predefined queries, select the Firewall Blade > Voice over IP > Call Session filter.
  3. Examine the resulting logs.

Typical Call Session VoIP log

The figure shows a typical Call Session VoIP log for a successful call from an internal phone to an external one.

  • See the Call Direction field in the Record Details window of the log. The call is from Source IP-phone 6666 to Destination IP-phone 4444.
  • The Source IP-phone and Destination IP-phone fields show the phone extension (the user).
  • The Source and Destination fields show the connection through the gateway.

    For example, if the internal phone makes a connection to the SIP Server:

    • The Source field shows the internal_phone_host node
    • The Destination field shows the sip_server_host node
 
©2014 Check Point Software Technologies Ltd. All rights reserved.