Print Download PDF Send Feedback

Previous

Next

Important Information About Creating SIP Security Rules

Important - You must configure anti-spoofing on the Check Point gateway interfaces for VoIP.

Note – The old policy rules are still intact for calls already in-progress and they will not be dropped.

Sample SIP Rules for an Endpoint-to-Endpoint Network

Sample VoIP Access Control:

Source

Destination

Services & Applications

Action

Comments

Net_A

Net_B

Net_B

Net_A

sip_any

OR

sip_any-tcp

OR

sip-tcp

Accept

SIP bidirectional calls

To configure bidirectional call rules for this peer-to-peer topology:

  1. Configure an Access Control rule that allows IP phones in Net_A to call Net_B and the reverse.
  2. Choose the applicable SIP service
  3. Configure the VoIP rule.
  4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
  5. Install Policy.

Sample SIP Rules for a Proxy in an External Network

This illustration shows a SIP topology with a proxy in an external network.

Sample VoIP Access Control rules for this topology:

Source

Destination

Services & Applications

Action

Comments

SIP_Proxy
Net_A

Net_A
SIP_Proxy

UDP:sip

Accept

SIP over UDP
Bidirectional Calls

OR

Source

Destination

Services and Applications

Action

Comments

SIP_Proxy
Net_A

Net_A
SIP_Proxy

SIP over TCP
service

Accept

SIP over TCP
Bidirectional Calls

To allow bidirectional calls between SIP phones in internal and external networks:

  1. Configure Network Objects (nodes or networks) for IP phones that are:
    • Managed by the SIP Proxy or Registrar
    • Permitted to make calls, and those calls inspected by the gateway. In the image, these are Net_A.
  2. Configure the Network Object for the SIP Proxy (SIP_Proxy).
  3. Configure the VoIP rule.
  4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
  5. Install Policy.

Sample SIP Rules for a Proxy-to-Proxy Topology

The image illustrates a Proxy-to-Proxy topology with Net_A and Net_B on opposite sides of the gateway.

Sample VoIP Access Control rules for this topology:

Source

Destination

Services & Applications

Action

Comments

Proxy_A

Proxy_B

Proxy_B

Proxy_A

UDP:sip

Accept

SIP over UDP
Bidirectional calls

OR

Source

Destination

Services & Applications

Action

Comment

Proxy_A

Proxy_B

Proxy_B

Proxy_A

SIP over TCP

Accept

SIP over TCP
Bidirectional calls

To allow bidirectional calls between phones:

  1. Configure the Network Objects (nodes or networks) for the phones permitted to make calls, and the calls subject to gateway inspection.

    In the image above, Net_A represents these phones.

  2. Configure the Network Object for the proxy objects (Proxy_A and Proxy_B).
  3. Configure the VoIP rule.
  4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
  5. Install Policy.

Sample SIP Rules for a Proxy in DMZ Topology

The image illustrates a SIP-based VoIP topology where a proxy is installed in the DMZ.

Sample VoIP Access Control rules for this topology:

Source

Destination

Services & Applications

Action

Comments

Proxy_DMZ

Net_A

Net_B

Net_A

Net_B

Proxy_DMZ

UDP:sip

Accept

SIP over UDP
Bidirectional Calls

OR

Source

Destination

Services & Applications

Action

Comments

Proxy_DMZ

Net_A

Net_B

Net_A

Net_B

Proxy_DMZ

SIP over TCP
Service

Accept

SIP over TCP
Bidirectional Calls

Allow bidirectional calls between phones in internal and external networks (Net_A and Net_B) and Configure NAT for the internal phones and the proxy in the DMZ (Proxy_DMZ).

To configure bidirectional calls between phones in the internal and external networks:

  1. Configure Network Objects (nodes or networks) for phones that are permitted to make calls and for calls inspected by the gateway. These are Net_A and Net_B.
  2. Configure the Network Object for the proxy (Proxy_DMZ).
  3. Configure the VoIP rules.
  4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
  5. Install Policy.