7 Replies Latest reply on Jun 22, 2016 4:29 AM by gueutzilla

    NGFW 321 - How to disable SIP ALG???

    gueutzilla

      Hello,

       

We have some problems with Cisco SIP phones connected to an external SIP gateway.

People on site ask me to disable the SIP ALG, but I cannot find documentation about that.

Do you know how I can disable the SIP ALG in McAfee NGFW?

Or maybe how to configure the VoIP phones?

Thanks for your help.

      Best regards,

      Gwen

        • 1. Re: NGFW 321 - How to disable SIP ALG???
          thyvarin

          Hello,

           

I would assume that by SIP ALG you mean the SIP protocol agent (Stonesoft Next Generation Firewall Online Help) handling, where the protocol agent "attaches" to the SIP connection to read the SIP control connection content so that related media connections can be allowed without a separate rule. Is this correct?

If yes, you'll need to create a custom SIP service that does not include the SIP PA element, and then use that in the rules that match the SIP traffic. Of course, then you'll also need to add rules that allow the media connections between SIP devices.

          BR,

          Tero

          • 2. Re: NGFW 321 - How to disable SIP ALG???
            gueutzilla

Yes, you're totally right!

It works!

Thanks a lot, you made my day.

            • 3. Re: NGFW 321 - How to disable SIP ALG???
              gueutzilla

              Hello,

               

              The problem is still present.

               

The phone is connected to its SIP gateway, but when the user takes the call there is no sound!

Any idea? I have opened all the flows to the SIP gateway.

              Best regards,

              Gwen

              • 4. Re: NGFW 321 - How to disable SIP ALG???
                thyvarin

With VoIP systems using SIP, there are usually also connections opened in the opposite direction, i.e. from the SIP GW to the phone, so have you allowed these (assuming your SIP system opens connections in this direction too)? Have you checked what the logs show? Are any connections between the phone and the SIP GW getting discarded/dropped?

One thing that can make things trickier with SIP is NAT. Since you wanted to disable the SIP ALG/PA, I'd assume NAT is not done between the phone and the SIP GW, but if it is, then keep in mind that when the SIP PA is not used, NGFW will not read the SIP content and thus will not do any address and port translations in the SIP data. But usually the SIP system itself has some kind of NAT-aware mode where the system is configured to work via the NAT IP. Also, if NAT is done, one thing that easily breaks SIP is doing dynamic source NAT (port translation) in one direction (from internal to external) and static destination NAT (no port translation) in the other direction. So generally, if NAT is used, you should make sure that connections in both directions between the phone and the SIP GW are statically NATed using the same NAT (virtual) IP.

                BR,

                Tero

                • 5. Re: NGFW 321 - How to disable SIP ALG???
                  gueutzilla

                  Hi Thyvarin,

                   

Thanks for your reply.

We currently use dynamic NAT with a traffic handler, and this VoIP is making me crazy.

So here are our VoIP rules and NAT.

[attachment: VoIP_Rules.jpg]

[attachment: VoIP_NAT.jpg]

Do you think you can help me troubleshoot my configuration?

                  Thanks a lot.

                   

                  Best,

                  Gwen

                  • 6. Re: NGFW 321 - How to disable SIP ALG???
                    thyvarin

                    Hi,

                     

Only the person who knows how this SIP system is configured to work and what ports need to be opened between the phone and the SIP gateway (and in which direction) can tell if the rules shown are enough and will allow all the required communication (and if NAT is done as intended). Usually the SIP control connection uses TCP or UDP port 5060, and the same port 5060 is used as both source and destination port. In addition, connections are opened in both directions (i.e. from phone to SIP GW, and from SIP GW to phone), and then doing dynamic source NAT in one direction and static destination NAT in the other direction will cause problems when the NAT rules define that port translation is done for connections from internal to external but not for connections opened from external to internal. Of course this is just what I've seen generally; each SIP system is different, and I'm sure those systems can also be configured in different ways in regard to NAT done between phones and the SIP GW.

NGFW has a SIP Protocol Agent that is intended for situations where NGFW does NAT for SIP traffic:

                    Stonesoft Next Generation Firewall Online Help

                    McAfee KnowledgeBase - How to configure Next Generation Firewall security policies with the SIP Protocol Agent

                     

When the Protocol Agent (PA) is used, it attaches to the SIP control connection to read the SIP content so it can do the same address translations in the SIP payload as it does to the outer headers, and the PA can also allow related connections automatically based on what is negotiated between the phone and the SIP GW. If the SIP PA is used, the SIP system should be configured in a mode where it is not NAT "aware", i.e. the SIP system doesn't know that traffic goes through a NAT device. If the SIP PA is not used (as is the case in your screenshot of the access rule), then the SIP system should be configured in NAT-aware mode. But again, only the person who knows how this particular SIP system works, what ports need to be opened, and how it is configured to function in regard to NAT can tell how the firewall rules need to be configured and what needs to be allowed on those rules.

If you need help troubleshooting this, you should open a Service Request for this issue to Forcepoint support via the McAfee Service Portal, but you need to be able to provide a detailed description of how your SIP system works and why specific rules are configured as they are.

                    BR,

                    Tero
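The NAT behaviour Tero describes in replies 4 and 6 is easier to see in a small model. The Python below is an added example for this thread; it is not code from the NGFW product or from either poster. The addresses, ports and the INVITE message are constructed, and the `sip_aware` rewrite is a simplified stand-in for what the SIP Protocol Agent does (translate the same addresses inside the SIP/SDP payload and allow the negotiated media port as a related connection). It runs the four configurations discussed above: header-only NAT with a phone that still advertises its private address, dynamic (port-translating) NAT with a NAT-aware phone, static 1:1 NAT with a NAT-aware phone, and dynamic NAT with the protocol agent enabled.

```python
"""Why audio dies when SIP crosses NAT without the SIP protocol agent.

Added example for this forum thread, not NGFW or poster code. It models:
  * a NAT that rewrites only IP/UDP headers (SIP PA disabled),
  * a SIP-aware NAT that also rewrites the SDP body and pins the offered
    RTP port as a related flow (what the protocol agent does),
  * dynamic source NAT (port translation) versus static 1:1 NAT.
All addresses, ports and the INVITE are constructed sample data.
"""
import re

PHONE = ("10.0.0.20", 5060)        # internal phone (assumed address)
NAT_IP = "203.0.113.5"             # firewall's public / virtual IP (assumed)
SIP_GW = ("198.51.100.10", 5060)   # external SIP gateway (assumed)
RTP_PORT = 16384                   # port the phone offers for audio

# Constructed INVITE: the phone puts its *private* address in the
# signalling headers (Via/Contact) and in the media description (c=/m=).
INVITE = (
    "INVITE sip:bob@198.51.100.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@10.0.0.20:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 1 1 IN IP4 10.0.0.20\r\n"
    "c=IN IP4 10.0.0.20\r\nm=audio 16384 RTP/AVP 0\r\n"
)


class Nat:
    """mode='dynamic': port-translating source NAT, inbound only via an
    existing mapping.  mode='static': 1:1 host NAT, ports preserved both ways."""

    def __init__(self, mode, sip_aware=False):
        assert mode in ("dynamic", "static")
        self.mode, self.sip_aware = mode, sip_aware
        self.table = {}            # (internal ip, port) -> (public ip, port)
        self.next_port = 40000     # pool for dynamic port translation

    def map_out(self, src):
        """Allocate (or reuse) the public socket for an internal one."""
        if src not in self.table:
            if self.mode == "static":
                self.table[src] = (NAT_IP, src[1])          # port kept
            else:
                self.table[src] = (NAT_IP, self.next_port)  # port translated
                self.next_port += 1
        return self.table[src]

    def outbound(self, src, payload):
        pub = self.map_out(src)
        if self.sip_aware and payload.startswith("INVITE"):
            # Protocol-agent behaviour: apply the header translation to the
            # SIP/SDP payload too, and pre-create the mapping for the media.
            rtp_port = int(re.search(r"^m=audio (\d+)", payload, re.M).group(1))
            rtp_pub = self.map_out((src[0], rtp_port))
            payload = (payload
                       .replace(f"{src[0]}:{src[1]}", f"{pub[0]}:{pub[1]}")
                       .replace(f"IP4 {src[0]}", f"IP4 {pub[0]}")
                       .replace(f"m=audio {rtp_port}", f"m=audio {rtp_pub[1]}"))
        return pub, payload

    def inbound(self, dst):
        """Internal destination of a packet arriving at dst, or None if dropped."""
        if self.mode == "static" and dst[0] == NAT_IP:
            return (PHONE[0], dst[1])             # static DNAT, same port
        for internal, pub in self.table.items():
            if pub == dst:
                return internal
        return None


def simulate(mode, sip_aware=False, nat_aware_phone=False):
    """Send one INVITE through the NAT; report where the gateway's RTP ends
    up and whether a gateway-initiated SIP connection reaches the phone."""
    # A NAT-aware SIP system writes the NAT IP into the message itself.
    msg = INVITE.replace(PHONE[0], NAT_IP) if nat_aware_phone else INVITE
    nat = Nat(mode, sip_aware)
    _, wire = nat.outbound(PHONE, msg)

    def reach(host, port, want):
        if host != NAT_IP:
            return "lost: sent to private IP"     # unroutable on the internet
        if nat.inbound((host, port)) == want:
            return "ok"
        return "dropped: no NAT mapping for advertised port"

    # The gateway trusts the SDP it received to decide where to send audio.
    c_ip = re.search(r"^c=IN IP4 (\S+)", wire, re.M).group(1)
    m_port = int(re.search(r"^m=audio (\d+)", wire, re.M).group(1))
    # Later the gateway opens its own connection to the Contact it learned.
    host, port = re.search(r"<sip:alice@([\d.]+):(\d+)>", wire).groups()
    return {"rtp": reach(c_ip, m_port, (PHONE[0], RTP_PORT)),
            "gw_to_phone_sip": reach(host, int(port), PHONE)}


if __name__ == "__main__":
    for args in [dict(mode="dynamic"),
                 dict(mode="dynamic", nat_aware_phone=True),
                 dict(mode="static", nat_aware_phone=True),
                 dict(mode="dynamic", sip_aware=True)]:
        print(args, "->", simulate(**args))
```

The two working rows are exactly the two configurations Tero recommends: PA off together with static NAT in both directions and a NAT-aware SIP system, or PA on with a SIP system that is not NAT-aware. The dynamic-NAT row with a NAT-aware phone shows the asymmetry from reply 4: the phone advertises port 5060 and 16384, but the only mapping the firewall holds is the translated port 40000, so both the gateway's RTP and any gateway-initiated signalling are dropped while the call still appears to set up.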

                    • 7. Re: NGFW 321 - How to disable SIP ALG???
                      gueutzilla

                      Hello,

                       

                      Thanks a lot for all these explanations.

                       

So after a lot of troubleshooting, I think we have finally found the correct configuration.

As you said, the configuration has been modified according to the SIP gateway parameters; sometimes there is no audio, but overall it works.

                      Best regards,

                      Gwen