Configure SIP Parameters

You configure SIP parameters to allow unknown message types, enhance protection against flood attacks, and set timeout values.

SIP Configuration

SIP enable: indicates the status of the SIP ALG. Check or uncheck and click Apply to enable or disable the SIP ALG.

Application Screen

Use this section to configure the security device to screen for unknown SIP message types. Click Apply after making your selection.

Allow Unknown Message

Use this section to specify how unidentified SIP messages are handled by the security device. The default is to drop unknown messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this command can be useful for resolving interoperability issues with disparate vendor equipment. For example, the security device rejects SIP messages containing unsupported SIP “methods.” By permitting unknown SIP messages in this case, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

Note that this command applies only to received packets identified as supported VoIP protocol packets. If a packet cannot be identified, it is always dropped. If you allow unknown messages and a packet is identified as a supported protocol, the message is forwarded without processing.

Timeout & Interval

A call can have one or more voice channels. Each voice channel has two sessions (or media streams), one for RTP and one for RTCP. When managing the sessions, the security device considers the sessions in each voice channel as one group. Timeout settings apply to a group, as opposed to each session.

To set SIP timeouts, enter values for the following and click Apply:

Media-Timeout: specifies how long, in seconds, pinholes and sessions opened for media are kept alive in the absence of activity. The default is 120 seconds.

Signal-Timeout: specifies how long, in seconds, a call can remain active in the absence of SIP signaling traffic. Signal-Timeout is reset each time a SIP signaling message is sent during a call. The default is 43200 seconds (12 hours).

T1-Interval: specifies the round trip time estimate, in milliseconds, of a transaction between endpoints. The default is 0.5 seconds (500 milliseconds). Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted.

T4-Interval: specifies the maximum time a message remains in the network. The default is 5 seconds. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers also are adjusted.

C-Interval: specifies the INVITE transaction time at the proxy, in minutes. The default is 3 minutes. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy.

SIP Protect

Use this section to protect the security device from repeated SIP INVITE requests, and click Apply.

Timeout: specifies how long, in seconds, repeat SIP INVITE requests to a proxy server that denied the initial request are denied before they are accepted again. The default is 5 seconds.

IP Deny Protection Enable: enables the SIP Protect feature. You must also click Apply.

Destination IP: specifies the IP address and netmask of the proxy server. Click Add to configure, Remove to delete, then click Apply.
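
The deny window described under SIP Protect can be modeled as a table of (caller, proxy) pairs that expire after the Timeout value. The following Python sketch is an added example, not code from the security device or its vendor. The class and function names, the sample addresses, the choice to treat any final response with status 300 or higher as a denial, and the choice to track only proxies listed under Destination IP are assumptions made for illustration.

```python
import ipaddress

class SipProtectModel:
    """Toy model of the SIP Protect deny table (not the device's implementation)."""

    def __init__(self, protected, timeout=5.0, enabled=True):
        # "Destination IP" entries: proxy addresses in IP/netmask form.
        self.protected = [ipaddress.ip_network(n, strict=False) for n in protected]
        self.timeout = timeout      # "Timeout" field, seconds (page default: 5)
        self.enabled = enabled      # "IP Deny Protection Enable"
        self.deny_until = {}        # (source, proxy) -> time the entry expires

    def on_invite(self, now, src, proxy):
        """Return 'forward' or 'drop' for an INVITE seen at time `now`."""
        expiry = self.deny_until.get((src, proxy))
        if self.enabled and expiry is not None:
            if now < expiry:
                return "drop"
            del self.deny_until[(src, proxy)]   # window over: accept again
        return "forward"

    def on_final_response(self, now, src, proxy, status):
        """Record a refusal; treating status >= 300 as a refusal is an assumption."""
        covered = any(ipaddress.ip_address(proxy) in net for net in self.protected)
        if self.enabled and covered and status >= 300:
            self.deny_until[(src, proxy)] = now + self.timeout

def replay(events, model):
    """Run constructed (time, kind, src, proxy, status) events; return INVITE verdicts."""
    verdicts = []
    for t, kind, src, proxy, status in events:
        if kind == "INVITE":
            verdicts.append((t, src, model.on_invite(t, src, proxy)))
        else:
            model.on_final_response(t, src, proxy, status)
    return verdicts

# Constructed sample traffic (documentation addresses, not a real capture).
EVENTS = [
    (0.0, "INVITE", "198.51.100.7", "192.0.2.10", None),
    (0.2, "RESPONSE", "198.51.100.7", "192.0.2.10", 403),
    (1.0, "INVITE", "198.51.100.7", "192.0.2.10", None),   # inside deny window
    (1.5, "INVITE", "198.51.100.9", "192.0.2.10", None),   # different caller
    (4.9, "INVITE", "198.51.100.7", "192.0.2.10", None),   # still inside window
    (5.3, "INVITE", "198.51.100.7", "192.0.2.10", None),   # window has expired
]

if __name__ == "__main__":
    print(replay(EVENTS, SipProtectModel(["192.0.2.0/28"])))
```

Replaying the same events with a longer timeout shows the trade-off of this setting: a larger value shields the proxy longer, but also delays a legitimate caller whose first attempt was refused.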