Check Point Kernel Tables

For information on kernel tables for each protocol, see sk95369 > Section (9) Relevant Check Point kernel tables.

The Security Gateway stores SIP traffic data in these kernel table:

Kernel Table

Description

sip_registration

Holds one entry for each registered internal phone. An entry is entered when the registration is completed (200 OK).

Timeout: The value from the expires header field, or default.

To view a list of the online IP phones, run this command:
# fw tab -t sip_registration -f

sip_state

Holds one entry for each SIP call (call-id + user tags). An entry is entered with the first packet of the call. Each SIP call has 2 - 4 SIP connections. Calls entries remain until the call is terminated.

Timeout: 180 seconds, and it is refreshed as long as RTP is alive (for non-Int2Int calls).

Note that the entries are per Call-ID. B2BUA may set 2 entries per call.

To view information on current calls, run this command:
# fw tab -t sip_state -f

Output

Control connection (source, destination).

RTP connection (endpoint IP addresses).

Call state (established, ended, registration).

Media type (audio, video, audio/video, application).

Number of reinvites (number of participants in a conference call)

sip_cseq

Holds one entry per transaction (SIP request + SIP response). An entry is entered with the SIP request.

Timeout: 40 seconds. 20 seconds for retransmissions.

sip_services

Holds all the services that are defined as SIP in t0.he Rule Base.

sip_dynamic_port

Holds entries for SIP communication for non-5060 port traffic.

Timeout: The value from the expires header field or default.

fwx_sticky_port

Holds port allocation entries only when you use NAT and sticky mechanism. Use this to translate the port consistently. Call entries remain until call is terminated.

fwx_alloc

Holds port allocation entries only when you use NAT. Same entries that are displayed in the fwx_sticky_port kernel table. Call entries remain until call is terminated.

fwx_pending

Used to store pending NAT instructions.

earlynat_sport

Holds five entries for each SIP UDP connection (1 entry and 1 link for each direction of the connection and 1 link for Bi-Directional SIP).

The Security Gateway stores H.323 traffic data in these kernel table:

	Description
`h323_registration`	Holds one entry for each registered internal phone.
`fwx_sticky_port`	Holds port allocation entries only when using NAT and sticky mechanism. Use this to translate the port consistently. Call entries remain until call is terminated.

The Security Gateway stores MGCP traffic data in these kernel table:

	Description
`mgcp_registration`	Holds one entry for each registered internal phone.
`mgcp_services`	Holds all the services that are defined as SIP in the Rule Base.
`mgcp_dynamic_port`	Holds entries for MGCP communication for non-MGCP well-known ports - only if `mgcp_dynamic_port` service is used.
`mgcp_cmd`	Holds all the MGCP commands that take place. In MGCP SD you can add new MGCP commands. Add new entries to this table.
`mgcp_conn`	Holds MGCP control connections, such as `sip_state` kernel table. Has an entry for each MGCP call. Call entries remain until call is terminated.
`mgcp_tid`	Every command or transaction has its own TID (Transaction ID). Every new TIF is added to this kernel table. There is verification that every request has a matched response.