Enabling Dynamic Opening of Ports for SIP Signaling

The sip_dynamic_ports service enables the dynamic opening of ports in the gateway for SIP signaling.

The following ports are defined by default:

5060 for SIP over UDP and TCP services
5061 for SIP over TLS services

SIP services can also be defined for non-default ports.

The service is used to enable the dynamic opening of ports that are not defined by one of the SIP services (default and non-default). You can establish SIP connections by opening these ports . The Check Point gateway opens and closes ports based on the inspection of SIP signaling messages.

Add the sip_dynamic_ports service to Services & Applications when:

The phones register themselves at a SIP server by associating their phone number with a port other than 5060 or 5061.
For example:

A registration request for phone number 2001 with IP address 172.16.8.3 port 3000. An example of this Contact header field is:

Contact: <sip:2001@172.16.8.3:3000;rinstance=64d25786c64e7975>;expires=3600
The rport parameter is used in the Via header field.
For example:

Via: SIP/2.0/TCP 172.16.8.3:5060;branch=z9hG4bK-1193792f8039818cd82e34eec4112ae8;rport=4039

See RFC 3581 - An Extension to the Session Initiation Protocol (SIP) for Symmetric Response Routing.

Note - Use the sip_dynamic_ports service in a rule together with at least one other SIP service (over TCP or UDP).

Example Rule With the sip_dynamic_ports Service

Example of SIP UDP rule:

Source	Destination	Services & Applications	Action
SIP_phone SIP_server	SIP_server SIP_phone	udp:sip sip_dynamic_port	Accept

Source

Destination

Services & Applications

Action

SIP_phone

SIP_server

SIP_phone

udp:sip

sip_dynamic_port

SIP_phone is the IP address of the SIP phone.
SIP_server is the IP address of the SIP server.