SIP-Specific services

These preconfigured SIP services are available for Security Gateways of version R80.10 or higher.

Services	Port	Protocol Type	Description
`sip`	UDP 5060	`SIP_UDP`	This service enforces signal routing. Use a VoIP Domain in the source or destination of a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session., together with this service. When you use this service, registration messages are tracked and a database is maintained that includes the details of the IP phones and the users. If an incoming call is made to a Hide NATed address, the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. confirms the user exists in the SIP registration database. This can prevent DoS attacks.
`sip_tcp`	TCP 5060	`SIP_TCP_PROTO`	Used for SIP over TCP.
`sip_dynamic_ports`	Not set	Not set	This service allows a SIP connection to be opened on a dynamic port and not on the SIP well-known port.
`sip_tls_not_inspected`	TCP 5061	None	Allows SIP over TLS to pass without inspection. It requires that you open the media ports manually.
`sip_tls_authentication`	TCP 5061	`SIP_TCP_PROTO`	SIP over non-encrypted TLS and authenticated only. NAT is not supported for connections of this type.

These legacy SIP services are used for Security Gateways R75.40 and below, if not enforcing handover. Do not use these services for Security Gateways R80.10 or higher.

Services	Purpose
`sip_any`	Use sip_any for VoIP equipment that uses SIP UDP. Do not place a VoIP Domain in the Source or Destination of a rule. Instead, use * Any or a Network Object Logical object that represents different parts of corporate topology - computers, IP addresses, traffic protocols, and so on. Administrators use these objects in Security Policies., together with one of these services. Note - If a VoIP Domain is used with this service, the packet is dropped. Important - Do not use this service in the same rule with the sip service because they contradict each other.
`sip-tcp_any`	Use sip-tcp_any for VoIP equipment that uses SIP TCP. Use this service if you do not enforce signal routing. In that case, do not place a VoIP Domain in the Source or Destination of a rule. Instead, use * Any or a Network Object together with the sip_any-tcp service. Note - If a VoIP Domain is used with this service, the packet is dropped. Important -Do not use this service in the same rule with the sip-tcp service because they contradict each other.

Services

Purpose

sip_any

Use sip_any for VoIP equipment that uses SIP UDP.

Do not place a VoIP Domain in the Source or Destination of a rule. Instead, use * Any or a Network Object Logical object that represents different parts of corporate topology - computers, IP addresses, traffic protocols, and so on. Administrators use these objects in Security Policies., together with one of these services.

Note - If a VoIP Domain is used with this service, the packet is dropped.

Important - Do not use this service in the same rule with the sip service because they contradict each other.

sip-tcp_any

Use sip-tcp_any for VoIP equipment that uses SIP TCP.

Use this service if you do not enforce signal routing. In that case, do not place a VoIP Domain in the Source or Destination of a rule. Instead, use * Any or a Network Object together with the sip_any-tcp service.

Note - If a VoIP Domain is used with this service, the packet is dropped.

Important -Do not use this service in the same rule with the sip-tcp service because they contradict each other.

Legacy Solution for SIP TLS Support

If you are not able to use the sip_tls_authentication service, add these two rules instead:

A rule that uses the udp-high-ports service to open all high UDP ports for the entities sending dat

AND
A rule that uses the sip_tls_not_inspected service to open TCP port 5061 for the entities sending signaling

This can happen if connections are encrypted by TLS, or NAT must be done on the connections.

Important - SIP signaling and data is not inspected if you open all high UDP ports. The connection is not-secured.

To configure support for SIP TLS in environments where a secure solution is not available:

Configure Network Objects in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. for the SIP phones.
Configure a Network Object for the SIP proxy.
Configure a rule that opens all high UDP ports and TCP port 5061.

The rule below shows that the phones send data directly to each other, and not through the proxy.

No	Name	Source	Destination	VPN	Services & Applications	Action	Track
1	Transmit through proxy	SIP Proxy SIP Phones	SIP Phones SIP Proxy	* Any	TCP: sip_tls_not_inspected	Accept	Log
2	Transmit directly	SIP Phones	SIP Phones	* Any	UDP: udp-high-ports	Accept	Log

Name

Source

Destination

VPN

Services & Applications

Action

Track

Transmit through proxy

SIP Proxy

SIP Phones

SIP Proxy

* Any

TCP: sip_tls_not_inspected

Log

Transmit directly

SIP Phones

* Any

UDP: udp-high-ports

Log

Supported SIP Topologies and NAT Support

Below is a list of supported SIP topologies. The table also lists NAT that you can configure with each topology. it with. SIP can use a Proxy (or Registrar). If there is more than one proxy device, signaling passes through one or more of them. After the call is set up, the media can pass from endpoint to endpoint directly, or through one or more of the proxies.

Deployment	Supports No-NAT	Supports NAT for Internal Phones - Hide/Static NAT	Supports NAT for Proxy - Static NAT	Description
SIP Endpoint to Endpoint (see Sample SIP Rules for an Endpoint-to-Endpoint Network)	Yes	Static NAT only	Not applicable	Phones communicate directly without a proxy. Static NAT can be configured for the phones on the internal side of the Security Gateway.
SIP Proxy in External Network (see Sample SIP Rules for a Proxy in an External Network)	Yes	Yes	Not applicable	IP phones use the services of a proxy on the external side of the Security Gateway. Enables the use of a proxy that is maintained by another organization. Configure Hide NAT, Static NAT, or no-NAT for the phones on the internal side of the Security Gateway.
SIP Proxy to SIP Proxy (see Sample SIP Rules for a Proxy-to-Proxy Topology)	Yes	Yes	Yes	Each proxy controls a separate endpoint domain. Configure Static NAT for the internal proxy. Configure Hide NAT or Static NAT for the internal phones.
SIP Proxy in DMZ (see Sample SIP Rules for a Proxy in DMZ Topology)	Yes	Yes	Yes	The same proxy controls both endpoint domains. This makes it possible to provide proxy services to other organizations. Static NAT or no-NAT can be configured for the proxy. Hide NAT, Static NAT, or no NAT can be configured for the phones on the internal side of the Security Gateway.

For complete information on NAT configuration, see the R82 Security Management Administration Guide.

Below are some exceptions when you use SIP with NAT:

NAT is not supported on IP addresses behind an external Check Point Security Gateway interface.
Calls cannot be made from an external source to two endpoints on the trusted side of a Security Gateway if only one of the endpoints is NAT enabled.
You can use Automatic NAT for other deployments.