H.323 Security Rules

Best practice - Configure anti-spoofing on the Check Point gateway interfaces.

To allow H.323 traffic, create rules that let H.323 control signals through the gateway.
It is not necessary to define a rule that specifies which port to open and which endpoint can talk. The gateway automatically gets this information from the signaling. For a given H.323 signaling rule (with RAS and/or H.323 services), the gateway automatically opens ports for the H.245 connections and RTP/RTCP media stream connections.
Dynamic ports will only be opened if the port is not used by a different service. This prevents well-known ports from being used illegally.
For example, if the Connect message identifies port 80 as the H.245 port, the port will not be opened.
To allow H.323 traffic in the Security Rule Base, use regular network objects. It is not necessary to define special network objects.
When you use Hide NAT for H.323, include the hidden IP address in the destination of the H.323 rule. When you include the hidden IP address, this allows the initiation of the TCP handshake from the external network to the hidden IP.
Make sure to check Keep all connections or the firewall drops your connection every time you Install Policy.
1. Double-click your gateway.
  The Check Point Security Gateway window shows.
2. From General Properties > Other > Connection Persistence > Keep all connections > OK.
  Note - Rematch connections is selected by default.

Note – The old policy rules are still intact for calls already in-progress and they will not be dropped.

H.323 Specific Services

These predefined H.323 services are available:

Service	Purpose
TCP:H323	Allows a Q.931 to be opened (and if needed, dynamically opens an H.245 port), and dynamically opens ports for RTP/RTCP or T.120.
UDP:H323_ras	Allows a RAS port to be opened, and then dynamically opens a Q.931 port (an H.245 port if needed). Also dynamically opens and RTP/RTCP and T.120 ports.
UDP:H323_ras_only	Allows only RAS ports. Cannot be used to make calls. If this service is used, no Application Intelligence Checks (payload inspection or modification as NAT translation) are made. Do not use if you want to perform NAT on RAS messages. Do not use in the same rule as the `H323_ras` service.
TCP:H323_any	Relevant only for versions prior to R75.40VS: Similar to the H323 service, but also allows the Destination in the rule to be ANY rather than a network object. Only use `H323_any` if you do not know the VoIP topology, and are not enforcing media admission control (formerly known as Handover) using a VoIP domain. Do not use in the same rule as the `H.323` service.

Note - Make sure to use the H.323 and H.323_ras services in H.323 Security Gateways rules.

Defining H.323 Rules for an Endpoint-to-Endpoint Topology

An endpoint-to-endpoint topology is shown in the image, with Net_A and Net_B on opposite sides of the gateway. This procedure explains:

How to allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
How to define NAT for the internal phones
No incoming calls can be made when Hide NAT is configured for the internal phones.

VoIP rule for this scenario:

Source	Destination	Services & Applications	Action
Net_A Net_B	Net_B Net_A	H323	Accept

Source

Destination

Services & Applications

Action

Net_A

Net_B

Net_A

H323

To define an H.323 rule for endpoint-to-endpoint topology:

Configure the VoIP rule.
To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
- Select the network object and double-click.
- The Network window opens.
- In the NAT tab, select Add Automatic Address Translation Rules, and then the Translation method, Hide or Static.
- Install the security policy.
  If you select Hide NAT:
  - Create a node object with the Hide NAT IP address
  - Select the Security Policies tab.
  - Add the service to the Services & Applications column.
  - Add the node object to the Destination of the rule.

Defining H.323 Rules for a Gatekeeper-to-Gatekeeper Topology

A Gatekeeper-to-Gatekeeper topology is shown in the image, with Net_A and Net_B on opposite sides of the gateway. This procedure shows you how to:

Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
Define NAT for the internal phones and the internal Gatekeeper (GK_A)

VoIP rule for this scenario:

Source	Destination	Service	Action	Comment
GK_A GK_B	GK_B GK_A	H323 H323_ras	Accept	Bidirectional calls

Source

Destination

Service

Action

Comment

GK_A

GK_B

GK_A

H323

H323_ras

Bidirectional calls

To define an H.323 rule for Gatekeeper-to-Gatekeeper topology:

Define the network objects (nodes or networks) for phones that:
- Use the Gatekeeper for registration
- Are allowed to make calls and their calls tracked by the gateway.
In the image, these are Net_A and Net_B.
Define the Network Object for the Gatekeeper objects (GK_A and GK_B)
Configure the VoIP rule.
To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
Select NAT > Advanced.
Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
Select the Translation method, Hide or Static.
Make the time-out of the H323_ras service greater or equal to the Gatekeeper registration time-out.
- In the Manage & Settings tab, go to Blades > General, select Inspection Settings.
  The Inspection Settings window opens.
- From the General tab, in the search window, enter H.323.
- The H.323 - General Settings window shows. Double-click the service. A window opens.
- Configure the Timeouts
Click OK.
Configure the time-outs in the Advanced Properties window of the Service Object.
Install policy.

Defining H.323 Rules for a Gateway-to-Gateway Topology

The illustration shows a Gateway-to-Gateway topology, with Net_A and Net_B on opposite sides of the gateway. This procedure shows you how to:

Allow bidirectional calls between phones in the internal network (Net_A), and phones in an external network (Net_B)
Define NAT for the internal phones and the internal gateway (GW_A).

VoIP rule for this scenario:

Source	Destination	Service	Action	Comment
GW_A GW_B	GW_B GW_A	H323	Accept	Bidirectional calls

Source

Destination

Service

Action

Comment

GW_A

GW_B

GW_A

H323

Bidirectional calls

To define an H.323 rule for gateway-to-gateway topology:

Define the network objects (nodes or networks) for phones that are allowed to make calls and their calls tracked by the gateway.
For this example, these are Net_A and Net_B.
Define the network object for the gateway objects (GW_A and GW_B)
Configure the VoIP rules.
To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
Select NAT > Advanced.
Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
Select the Translation method, Hide or Static.
To define Static NAT for the Gatekeeper/Gateway in the internal network, do step 4 again for the Gatekeeper/Gateway object (GK_A).
Install the Security Policy.

Defining H.323 Rules for a Gatekeeper in the External Network

This figure shows an H.323 topology with a Gatekeeper in the Internet, with Net_A and Net_B on opposite sides of the gateway. This procedure explains how to:

Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
Define NAT for the internal phones

VoIP rule for this scenario:

Source	Destination	Services & Applications	Action	Comment
Net_A Net_B GK_B	GK_B Net_A	H323_ras H323	Accept	Bidirectional calls.

Source

Destination

Services & Applications

Action

Comment

Net_A

Net_B

GK_B

Net_A

H323_ras
H323

Bidirectional calls.

To define an H.323 rule for a Gatekeeper in the external network:

Define the network objects (nodes or networks) for the phones that:
- Use the Gatekeeper for registration
- Are allowed to make calls and their calls tracked by the gateway
In the image, these are Net_A and Net_B.
Define the network object for the Gatekeeper (GK_B)
Configure the VoIP rule.
To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
- Select NAT > Advanced.
- Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
- Select the Translation method, Hide or Static.
  If you select Hide NAT:
  - Create a node object with the Hide NAT IP address
  - Select the Security Policies tab.
  - Add the service to the Services & Applications column.
  - Add the node object to the Destination of the rule.
Make the time-out of the H323_ras service greater or equal to the Gatekeeper registration time-out.
- In the Manage & Settings tab, go to Blades > General, select Inspection Settings.
  The Inspection Settings window opens.
- From the General tab, in the search window, enter H.323.
- The H.323 - General Settings window shows. Double-click the service. A window opens.
- Configure the Timeouts
Click OK.
Install the Security Policy.

Defining H.323 Rules for a Gateway in the External Network

The image shows an H.323 topology with a Gateway in the Internet, with Net_A and Net_B on opposite sides of the gateway. This procedure shows you how to:

Allow bidirectional calls between phones in the internal network (Net_A) and phones in an external network (Net_B)
Define NAT for the internal phones

VoIP rule for this scenario:

Source	Destination	Service	Action	Comment
Net_A Net_B GW_B	GW_B Net_A	H323	Accept	Bidirectional calls

Source

Destination

Service

Action

Comment

Net_A

Net_B

GW_B

Net_A

H323

Bidirectional calls

To define an H.323 rule for a gateway in the external network:

Define network objects (nodes or networks) for phones that are allowed to make calls, and their calls tracked by the gateway.
For the example, these are Net_A and Net_B.
Define the network object for the Gateway (GW_B)
Configure the VoIP rule.
To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
- Select NAT > Advanced.
- Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
- Select the Translation method, Hide or Static.
  If you select Hide NAT:
  - Create a node object with the Hide NAT IP address
  - Select the Security Policies tab.
  - Add the service to the Services & Applications column.
  - Add the node object to the Destination of the rule.
  If you use Hide NAT, add a Node object (with the Hide NAT IP address) to the Destination of the rules defined.
Install policy.

Defining H.323 Rules for a Gatekeeper in DMZ Topology

The image shows an H.323-based VoIP topology where a Gatekeeper is installed in the DMZ. This procedure explains how to:

Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
Define NAT for the internal phones and the Gatekeeper in the DMZ (GK_DMZ)

VoIP rule for this scenario:

Source	Destination	Services & Applications	Action	Comments
GK_DMZ Net_A Net_B	Net_A Net_B GK_DMZ	H323 H323_ras	Accept	Bidirectional calls.

Source

Destination

Services & Applications

Action

Comments

GK_DMZ

Net_A

Net_B

Net_A

Net_B

GK_DMZ

H323

H323_ras

Bidirectional calls.

Static NAT rules for the Gatekeeper in the DMZ:

Original			Translated			Comments

Source	Destination	Services & Applications	Source	Destination	Services & Applications	Comments
GK_DMZ	Net_B	*Any	GK_DMZ: Static	=	=	Outgoing calls
Net_B	GK_DMZ_NATed	*Any	=	GK_DMZ: Static	=	Incoming calls

To define an H.323 rule for a Gatekeeper in the DMZ:

Define the network objects (nodes or networks) for the phones that:
- Use the Gatekeeper for registration
- Are allowed to make calls, and their calls tracked by the gateway
In the image, these are Net_A and Net_B.
Define the network object for the Gatekeeper (GK_DMZ).
Configure the VoIP rule.
To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
- Select NAT > Advanced.
- Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
- Select the Translation method, Hide or Static.
  If you select Hide NAT:
  - Create a node object with the Hide NAT IP address
  - Select the Security Policies tab.
  - Add the service to the Services & Applications column.
  - Add the node object to the Destination of the rule.
Define Static NAT for the Gatekeeper in the DMZ:
1. Create a Node object for the Static address of the Gatekeeper (for example: GK_DMZ_NATed).
2. Define the manual Static NAT rules.
3. Configure proxy-ARPs.
  You must associate the translated IP address with the MAC address of the gateway interface that is on the same network as the translated addresses. Use the arp command in UNIX or the local.arp file in Windows.
  
  The command fw ctl arp displays the ARP proxy table on gateways that run on Windows. On UNIX, use the arp -a command.
Make the time-out of the H323_ras service greater or equal to the Gatekeeper registration time-out.
- In the Manage & Settings tab, go to Blades > General, select Inspection Settings.
  The Inspection Settings window opens.
- From the General tab, in the search window, enter H.323.
- The H.323 - General Settings window shows. Double-click the service. A window opens.
- Configure the Timeouts
Click OK.
Install the Security Policy.

Defining H.323 Rules for a Gateway in DMZ Topology

The image shows an H.323-based VoIP topology where a Gateway is installed in the DMZ. This procedure shows you how to:

Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
Define NAT for the internal phones and the Gateway in the DMZ (GW_DMZ)

VoIP rule for this scenario:

Source	Destination	Services & Applications	Action	Comments
GW_DMZ Net_A Net_B	Net_A Net_B GW_DMZ	H323	Accept	Bidirectional calls

Source

Destination

Services & Applications

Action

Comments

GW_DMZ

Net_A

Net_B

Net_A

Net_B

GW_DMZ

H323

Bidirectional calls

Static NAT rule for the Security Gateway in the DMZ:

Original				Translated		Comment

Source	Destination	Services & Applications	Source	Destination	Services & Applications	Comment
GW_DMZ	Net_B	*Any	GW_DMZ: Static	=	=	Outgoing calls
Net_B	GW_DMZ_NATed	*Any	=	GW_DMZ: Static	=	Incoming calls

To define an H.323 rule for a gateway in the DMZ:

Define network objects (nodes or networks) for phones that are allowed to make calls and their calls tracked by the gateway.
In the image, these are Net_A and Net_B.
Define the network object for the Gateway (GW_DMZ).
Configure the VoIP rule.
To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
- Select NAT > Advanced.
- Check the box Add automatic address translation rules to hide this Gateway behind another Gateway.
- Select the Translation method, Hide or Static.
  If you select Hide NAT:
  - Create a node object with the Hide NAT IP address
  - Select the Security Policies tab.
  - Add the service to the Services & Applications column.
  - Add the node object to the Destination of the rule.
Define Static NAT for the Gatekeeper in the DMZ:
1. Create a Node object for the Static address of the Gatekeeper (for example: GK_DMZ_NATed).
2. Define the manual Static NAT rules:
  - Configure proxy-ARPs.
  - You must associate the translated IP address with the MAC address of the gateway interface that is on the same network as the translated addresses. Use the arp command in UNIX or the local.arp file in Windows.
  The command fw ctl arp displays the ARP proxy table on gateways that run on Windows. On UNIX, use the arp -a command.
Install the Security Policy.