Opening Dynamic Ports for SIP Signaling

sip_dynamic_ports enables ports to open dynamically for SIP signaling. Therefore, if there is a port that is not Configured by one of the SIP services, it can still establish SIP connections. The Check Point Security Gateway opens and closes ports based on the inspection of SIP signaling messages.

Add the sip_dynamic_ports service to the Services & Applications column of the Rule Base when:

You use a non-default port.
The phones register themselves as a SIP server by associating their phone number with an unknown port.
For example:

A registration request for phone number 2001 with IP address 172.16.8.3 port 3000. An example of this contact header field is:

Contact: <sip:2001@172.16.8.3:3000;rinstance=64d25786c64e7975>;expires=3600

The rport parameter is found in the Via header field when the port is relocated.

For example:

Via: SIP/2.0/TCP 172.16.8.3:5060;branch=z9hG4bK-1193792f8039818cd82e34eec4112ae8;rport=4039

See RFC 3581 - An Extension to the Session Initiation Protocol (SIP) for Symmetric Response Routing.

Note - Use the sip_dynamic_ports service with at least one other SIP service in a rule.

Sample Rule With the sip_dynamic_ports Service

Example of SIP UDP rule:

Source	Destination	Services & Applications	Action
SIP_phone SIP_server	SIP_server SIP_phone	udp:sip sip_dynamic_ports	Accept

Source

Destination

Services & Applications

Action

SIP_phone

SIP_server

SIP_phone

udp:sip

sip_dynamic_ports

SIP_phone is the IP address of the SIP phone.
SIP_server is the IP address of the SIP server.