Inspecting VoIP Traffic

Introduction

Voice over Internet Protocol (VoIP) is a technology to deliver voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. There are two primary delivery methods: private or on-premises solutions, or externally hosted solutions delivered by third-party providers.

Inspection of VoIP traffic is supported on all Quantum Spark appliances.

To configure VoIP inspection in the WebUI:

  1. Go to Access Policy > VoIP.

  2. Click On.

    If VoIP is already configured, you can edit the current configuration.

  3. For the next sections, click the downward arrow to expand.

  4. Click the Off-premise SIP Provider Service heading to expand the section.

    Configure the applicable settings:

    1. Select the Use SIP Provider checkbox. The available network objects are shown in a table with a Group name. You can select a single IP address or a range of servers with external IP addresses.

    2. To add a new IP address, click New. To remove an IP address, select it and click Remove.

    3. Select or clear the option Log traffic from this provider.

    4. Select or clear the option Disable SIP traffic inspection.

      When you select this option, you allow the application level inspection and NAT for the SIP traffic.

      When you clear this option:

      • You must configure the RTP ports manually.

      • The timeout for UDP SIP connections (the "SIP_UDP" service) is the same as the default timeout for TCP SIP connections (the "SIP_TCP" service).

        Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.

    5. Select Enable bidirectional traffic when the SIP provider is defined. This allows bidirectional traffic with the SIP service provider.

      If the service does not accept replies, bidirectional traffic is not established. A popup window opens and asks if you want to continue.

  5. Click the On-premise Devices heading to expand the section.

    The network objects appear in a table, with a Group name.

    Click New to add an item.

    Select an item and click Remove to delete it.

    Configure the applicable settings.

    • Use on-premise phones without SIP server (PBX).

      When no SIP Server Provider is defined, you do not need to define IP addresses for on-premises phones.

    • Allow access to PBX management portal from the Internet.

  6. Click the Off-premise Phones heading to expand the section.

    Note - The relevant topology shows automatically for each selection.

    Select one or more of these options:

    • Phones are connected via VPN Site to Site.

    • Phones are connected by VPN Remote Access.

    • Phones are configured with public IP.

      The network objects appear in a table, with a Group name.

      Click New to add an item.

      Select an item and click Remove to delete it.

  7. Click the SIP Service heading to expand the section.

    Select the SIP UDP/TCP ports, which by default are 5060.

    All phones should be configured to use the configured ports.

    Click New to add a new SIP service.

    Click Remove to delete a service.

After you apply these settings, rules are automatically created in the Firewall Access Policy page for Outgoing access to the Internet and Incoming, Internal and VPN traffic.
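Step 4 above notes that when SIP traffic inspection is cleared, the RTP ports must be configured manually. The reason is that an inspecting gateway learns the media ports for each call from the SDP body carried in the SIP signaling and opens them for the life of the call; without inspection nothing reads that body, so a static port range has to be opened instead. The script below is an added example written for this page, not Check Point code, that extracts exactly that information from a constructed SIP INVITE: the signaling transport and port from the Via header (which decides whether the SIP_UDP or SIP_TCP service and its timeout applies), and the per-stream media address and port from the c= and m= lines. It assumes the usual convention that RTCP runs on the RTP port plus one, and the sample message, addresses and Call-ID are made up.

```python
"""Added example (not Check Point's code): what SIP application-level inspection
learns from a call's signaling.  The SIP message is constructed, not captured."""
import re

DEFAULT_SIP_PORT = 5060  # default SIP UDP/TCP port named in the SIP Service step

# Constructed sample SDP body; Content-Length is computed from it so the header is right.
_SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@sip-provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@192.0.2.10>;tag=1928301774\r\n"
    "To: <sip:bob@sip-provider.example>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SAMPLE_SDP)}\r\n"
    "\r\n" + _SAMPLE_SDP
)

# Transport, host and optional port of the topmost Via header (IPv4/hostname form).
_VIA_RE = re.compile(r"SIP/2\.0/(UDP|TCP|TLS)\s+([^;:\s]+)(?::(\d+))?")


def parse_sip(message: str) -> dict:
    """Split a SIP request into method, headers, Via transport/port and the body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    via = _VIA_RE.match(headers.get("via", ""))
    if via is None:
        raise ValueError("missing or malformed Via header")
    transport, host, port = via.groups()
    return {
        "method": method,
        "headers": headers,
        "transport": transport,  # UDP or TCP decides which SIP service and timeout applies
        "via_host": host,
        "via_port": int(port) if port else DEFAULT_SIP_PORT,
        "body": body,
    }


def parse_sdp(body: str) -> list:
    """Return one dict per m= line with the address that stream will use.

    A session-level c= line (before any m=) applies to every stream; a c= line that
    follows an m= line overrides it for that stream only (RFC 4566 scoping).
    """
    session_addr = None
    media = []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]
            if media:
                media[-1]["address"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "port": int(port), "proto": proto,
                          "address": session_addr})
    return media


def media_pinholes(media: list) -> list:
    """(address, port) pairs an inspecting gateway opens per call: RTP port and RTCP (RTP+1).

    Streams with port 0 are declined in SDP and need no pinhole.  With inspection
    disabled, these are the ports that have to be opened manually as a static range.
    """
    holes = []
    for m in media:
        if m["port"] == 0 or m["address"] is None:
            continue
        holes.append((m["address"], m["port"]))
        holes.append((m["address"], m["port"] + 1))
    return holes


def signaling_port_ok(parsed: dict, allowed_ports=frozenset({DEFAULT_SIP_PORT})) -> bool:
    """True if the phone signals on one of the ports configured in the SIP Service section."""
    return parsed["via_port"] in allowed_ports


if __name__ == "__main__":
    req = parse_sip(SAMPLE_INVITE)
    print(req["method"], "over", req["transport"], "from", req["via_host"], req["via_port"])
    for addr, port in media_pinholes(parse_sdp(req["body"])):
        print(f"  dynamic UDP pinhole needed: {addr}:{port}")
```

Run as-is it reports the two media streams and the four UDP ports (RTP and RTCP for audio and video) that the gateway would open for this one call; a phone signaling on a port other than the configured 5060 fails `signaling_port_ok`, which matches the requirement that all phones use the configured SIP ports.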

Notes:

  • For an on-premises configuration without PBX, the destination should be the IP_Phones object.

  • If you allow access to the PBX portal, another rule is created:

    Source: Any
    Destination: PBX-Server
    Application / Service: HTTP/S
    Action: Accept
    Log: None
    Comment: Generated rule: SIP VOIP

Forwarding rules are automatically created in the Access Policy > NAT Rules page.

Note - For external phones with remote access, the Office Object is automatically created in the Network Objects section and the "set back connection" setting is set to "true".

Follow these configuration procedures to allow SIP traffic to pass through the gateway when:

  • The SIP server is located on external networks. For more advanced topologies, refer to sk113573.

  • The gateway's NAT configuration is set to its default settings (with internal networks hidden behind its external IP address).

Configuration

To allow the SIP server to connect to internal phones from the Internet:

  1. Go to Access Policy > Policy.

  2. Add a rule to the Incoming, Internal and VPN traffic Rule Base that allows SIP traffic:

    Source: A network object that holds the IP address of the SIP server
    Destination: A network object that holds the IP addresses of the phones behind the gateway
    Application / Service: SIP
    Action: Accept
    Log: Select the applicable option

    For more information, see Working with the Firewall Access Policy.