Important Information About Creating SIP Security Rules

• Make sure to check Keep all connections if you do not want in-progress calls to drop every time you Install Policy.
  1. From SmartConsole, the Gateways & Servers tab, double-click your gateway.

     The Check Point Security Gateway window shows.

  2. From General Properties > Other > Connection Persistence > Keep all connections > OK.

     Note - Rematch connections is selected by default.

• Do not configure special Network Objects to allow SIP signaling, use regular Network Objects. The Security Gateway dynamically opens ports for data connections (RTP/RTCP and others). Security Gateways support up to four different media channels per SIP SDP message.
• When you use Hide NAT for SIP over UDP and Hide NAT for SIP over TCP, include the hidden IP address in the Destination of the SIP rule. When you include the hidden IP address, this allows the initiation of the TCP handshake from the external network to the hidden IP.
• For NAT on SIP entities, we strongly recommended that you enable the Inspection Settings Strict SIP Protocol Flow Enforcement, see Configuring Inspection Settings.
• For Automatic configuration for Static NAT, you must add a NATed object to the Destination column in the Rule Base.

Important - You must configure anti-spoofing on the Check Point gateway interfaces for VoIP.

Note – The old policy rules are still intact for calls already in-progress and they will not be dropped.

Sample SIP Rules for an Endpoint-to-Endpoint Network

Sample VoIP Access Control:

Source	Destination	Services & Applications	Action	Comments
Net_A Net_B	Net_B Net_A	sip_any OR sip_any-tcp OR sip-tcp	Accept	SIP bidirectional calls

To configure bidirectional call rules for this peer-to-peer topology:

1. Configure an Access Control rule that allows IP phones in Net_A to call Net_B and the reverse.
2. Choose the applicable SIP service
3. Configure the VoIP rule.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
5. Install Policy.

Sample SIP Rules for a Proxy in an External Network

This illustration shows a SIP topology with a proxy in an external network.

Sample VoIP Access Control rules for this topology:

Source	Destination	Services & Applications	Action	Comments
SIP_Proxy Net_A	Net_A SIP_Proxy	UDP:sip	Accept	SIP over UDP Bidirectional Calls

OR

Source	Destination	Services and Applications	Action	Comments
SIP_Proxy Net_A	Net_A SIP_Proxy	SIP over TCP service	Accept	SIP over TCP Bidirectional Calls

To allow bidirectional calls between SIP phones in internal and external networks:

1. Configure Network Objects (nodes or networks) for IP phones that are:
   • Managed by the SIP Proxy or Registrar
   • Permitted to make calls, and those calls inspected by the gateway. In the image, these are Net_A.
2. Configure the Network Object for the SIP Proxy (SIP_Proxy).
3. Configure the VoIP rule.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
5. Install Policy.

Sample SIP Rules for a Proxy-to-Proxy Topology

The image illustrates a Proxy-to-Proxy topology with Net_A and Net_B on opposite sides of the gateway.

Sample VoIP Access Control rules for this topology:

Source	Destination	Services & Applications	Action	Comments
Proxy_A Proxy_B	Proxy_B Proxy_A	UDP:sip	Accept	SIP over UDP Bidirectional calls

OR

Source	Destination	Services & Applications	Action	Comment
Proxy_A Proxy_B	Proxy_B Proxy_A	SIP over TCP	Accept	SIP over TCP Bidirectional calls

To allow bidirectional calls between phones:

1. Configure the Network Objects (nodes or networks) for the phones permitted to make calls, and the calls subject to gateway inspection.

   In the image above, Net_A represents these phones.

2. Configure the Network Object for the proxy objects (Proxy_A and Proxy_B).
3. Configure the VoIP rule.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
5. Install Policy.

Sample SIP Rules for a Proxy in DMZ Topology

The image illustrates a SIP-based VoIP topology where a proxy is installed in the DMZ.

Sample VoIP Access Control rules for this topology:

Source	Destination	Services & Applications	Action	Comments
Proxy_DMZ Net_A Net_B	Net_A Net_B Proxy_DMZ	UDP:sip	Accept	SIP over UDP Bidirectional Calls

OR

Source	Destination	Services & Applications	Action	Comments
Proxy_DMZ Net_A Net_B	Net_A Net_B Proxy_DMZ	SIP over TCP Service	Accept	SIP over TCP Bidirectional Calls

Allow bidirectional calls between phones in internal and external networks (Net_A and Net_B) and Configure NAT for the internal phones and the proxy in the DMZ (Proxy_DMZ).

To configure bidirectional calls between phones in the internal and external networks:

1. Configure Network Objects (nodes or networks) for phones that are permitted to make calls and for calls inspected by the gateway. These are Net_A and Net_B.
2. Configure the Network Object for the proxy (Proxy_DMZ).
3. Configure the VoIP rules.
4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
5. Install Policy.