About the SIP-ALG
If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323 ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your Firebox. An ALG is created in the same way as a proxy policy and offers similar configuration options. These ALGs have been created to work in a NAT environment to maintain security for privately-addressed conferencing equipment behind the Firebox.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You can use both H.323 and SIP-ALGs at the same time, if necessary. To determine which ALG you need to add, consult the documentation for your VoIP devices or applications.
There is no default policy for SIP-ALG traffic. Before you configure SIP-ALG, you must create a proxy policy to handle the traffic. For instructions to add the SIP-ALG to your Firebox configuration, go to Add a Proxy Policy to Your Configuration.
For supported deployment configurations, go to Example VoIP Network Diagrams.
VoIP Components
It is important to understand that you usually implement VoIP with either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device and connects to the other directly without the use of a proxy server to route their calls.
Host-based connections
Connections managed by a call management system (PBX). The call management system can be self-hosted, or hosted by a third-party service provider.
In the SIP standard, two key components of call management are the SIP Registrar and the SIP Proxy. Together, these components manage connections hosted by the call management system. The WatchGuard SIP-ALG opens and closes the ports necessary for SIP to operate. The WatchGuard SIP-ALG supports SIP trunks. It can support both the SIP Registrar and the SIP Proxy when used with a call management system that is external to the Firebox.
It can be difficult to coordinate the many components of a VoIP installation. We recommend you make sure that VoIP connections work successfully before you add an H.323 or SIP-ALG. This can help you to troubleshoot any problems.
Instant Messaging Support
The SIP-ALG supports page-mode instant messaging (IM), the SIP MESSAGE method, as part of the standard SIP protocol. You do not have to complete any additional configuration steps to use IM with the SIP-ALG.
ALG Functions
When you use a SIP-ALG, your Firebox:
- Routes traffic for VoIP applications
- Opens the ports necessary to make and receive calls, and to exchange audio and video media
- Makes sure that VoIP connections use standard SIP protocols
- Generates log messages for auditing purposes
- Supports SIP presence through the SIP PUBLISH method. This allows softphone users to see peer status.
Many VoIP devices and servers have their own NAT traversal features that rewrite the addresses in SIP headers and SDP and open and close media ports automatically. The H.323 and SIP-ALGs perform the same function. If both are active, the addresses are rewritten twice and calls can set up but fail to carry audio. You must disable the NAT features on your VoIP devices if you configure an H.323 or SIP-ALG.
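The following is an added example, not Firebox code, that models the two ALG functions listed above: rewriting the transport addresses in SIP signaling and SDP for a phone behind NAT, and deriving the UDP pinholes the media needs. The INVITE is constructed, the addresses are documentation ranges, and which fields get rewritten (Via, Contact, SDP c= and o=) and the RTCP = RTP + 1 rule are simplifying assumptions about ALG behaviour, not a description of the Firebox implementation. The warnings list shows the double-NAT case from the paragraph above: when the phone has already inserted an address of its own, the ALG finds nothing to rewrite and leaves the field as-is.

```python
"""Model of what a SIP ALG does for a phone behind NAT: rewrite the
transport addresses in signaling and SDP, fix Content-Length, and derive
the UDP pinholes for media. Added example, not Firebox code; which fields
are rewritten and the RTCP = RTP+1 rule are simplifying assumptions."""
import re

PRIVATE_IP = "10.0.1.25"     # constructed: IP phone behind the Firebox
PUBLIC_IP = "198.51.100.7"   # constructed: Firebox external address
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
REWRITE_HEADERS = ("via", "contact")   # assumption: transport headers the ALG rewrites
REWRITE_SDP = ("c=", "o=")             # assumption: SDP lines carrying the media address


def build_invite(phone_ip: str) -> str:
    """Construct a sample INVITE with SDP as a phone would send it (not a capture)."""
    sdp = ("v=0\r\n"
           f"o=alice 2890844526 2890844526 IN IP4 {phone_ip}\r\n"
           "s=-\r\n"
           f"c=IN IP4 {phone_ip}\r\n"
           "t=0 0\r\n"
           "m=audio 49170 RTP/AVP 0 8\r\n"
           "m=video 51372 RTP/AVP 31\r\n")
    head = ("INVITE sip:bob@203.0.113.50 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {phone_ip}:5060;branch=z9hG4bK776asdhds\r\n"
            f"From: <sip:alice@{phone_ip}>;tag=1928301774\r\n"
            "To: <sip:bob@203.0.113.50>\r\n"
            f"Call-ID: a84b4c76e66710@{phone_ip}\r\n"
            "CSeq: 314159 INVITE\r\n"
            f"Contact: <sip:alice@{phone_ip}:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}")
    return head + "\r\n\r\n" + sdp


def _rewrite_addresses(line, private_ip, public_ip, warnings):
    """Swap private_ip for public_ip; flag any other address in a rewritable field."""
    def swap(m):
        addr = m.group(1)
        if addr == private_ip:
            return public_ip
        if addr != public_ip:
            warnings.append(f"unexpected address {addr} in: {line.strip()}")
        return addr
    return IPV4_RE.sub(swap, line)


def alg_rewrite(msg, private_ip, public_ip):
    """Return (rewritten message, UDP pinholes, warnings).

    Warnings are the fingerprint of a device that already did its own NAT
    handling: the ALG finds no private address to replace, leaves the
    field alone, and the far end sends media to the wrong address.
    """
    head, _, body = msg.partition("\r\n\r\n")
    warnings, pinholes, new_body = [], [], []
    for line in body.split("\r\n"):
        if line.startswith(REWRITE_SDP):
            line = _rewrite_addresses(line, private_ip, public_ip, warnings)
        elif line.startswith("m="):
            port = int(line.split()[1])
            if port:  # port 0 means the stream is rejected; nothing to open
                pinholes += [("udp", port), ("udp", port + 1)]  # RTP, RTCP
        new_body.append(line)
    new_body = "\r\n".join(new_body)
    new_head = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in REWRITE_HEADERS:
            line = _rewrite_addresses(line, private_ip, public_ip, warnings)
        elif name == "content-length":  # body length changed with the address
            line = f"Content-Length: {len(new_body)}"
        new_head.append(line)
    return "\r\n".join(new_head) + "\r\n\r\n" + new_body, pinholes, warnings


def content_length_matches(msg):
    """True when the Content-Length header agrees with the actual SDP length."""
    head, _, body = msg.partition("\r\n\r\n")
    m = re.search(r"(?im)^Content-Length:\s*(\d+)", head)
    return m is not None and int(m.group(1)) == len(body)


if __name__ == "__main__":
    rewritten, pinholes, warnings = alg_rewrite(build_invite(PRIVATE_IP), PRIVATE_IP, PUBLIC_IP)
    print(rewritten)
    print("pinholes:", pinholes, "warnings:", warnings)
    # A phone with its own NAT setting left on, already inserting another address:
    _, _, warnings = alg_rewrite(build_invite("192.0.2.99"), PRIVATE_IP, PUBLIC_IP)
    print("double-NAT warnings:", warnings)
```

Note that From, To and Call-ID are left alone: they identify the parties, not the transport, and rewriting them is not what gets media through NAT. The pinholes are what the Firebox must open for the duration of the call and close when it ends; a real ALG tracks the dialog and the SDP answer from the far side as well.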
Configure the SIP-ALG
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, or configure static NAT or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.
- Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). Go to Set Access Rules for a Policy.
- You can also configure static NAT or configure server load balancing. Go to Configure Static NAT (SNAT) and Configure Server Load Balancing.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, go to Set Logging and Notification Preferences.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use SIP.
For more information, go to Block Sites Temporarily with Policy Settings.
- To change the idle timeout that is set by the Firebox or authentication server, go to Set a Custom Idle Timeout.
SD-WAN Tab
On the SD-WAN tab, you can select to apply an SD-WAN action to the policy. You can also add a new SD-WAN action. For more information about SD-WAN routing, go to About SD-WAN.
SD-WAN replaces policy-based routing in Fireware v12.3 or higher.
Application Control Tab
If Application Control is enabled on your Firebox, you can set the action this proxy uses for Application Control.
- Select the Application Control tab.
- From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
- (Optional) Edit the Application Control settings for the selected action.
- Click Save.
For more information, go to Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, go to Define a Traffic Management Action and Add Traffic Management Actions to a Policy.
To apply a Traffic Management action in a policy:
- Select the Traffic Management tab.
- From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action.
- Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.
To configure the proxy action:
- Select the Proxy Action tab.
- From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, go to About Proxy Actions.
- Click Save.
For the SIP-ALG, you can configure these categories of settings for a proxy action:
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.
- Select the Scheduling tab.
- From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for Firebox Actions and Set an Operating Schedule.
- Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.
For more information on the options for this tab, go to:
Policy Tab
To set access rules and other options, select the Policy tab.
- SIP-ALG connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). Go to Set Access Rules for a Policy.
- Route outbound traffic using > SD-WAN — Go to About SD-WAN.
- You can also configure static NAT or configure server load balancing. Go to Configure Static NAT (SNAT) and Configure Server Load Balancing.
- Enable Application Control — Enable Application Control and select the Application Control action to use for this policy. For more information, go to Enable Application Control in a Policy.
- Enable Geolocation — Enable Geolocation and select the Geolocation action to use for this policy. For more information, see Configure Geolocation.
- Enable IPS — Enable IPS for this policy. For more information, go to Enable or Disable IPS for a Policy.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging.
For more information, go to Set Logging and Notification Preferences.
- If you set the SIP-ALG connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use SIP.
For more information, go to Block Sites Temporarily with Policy Settings.
- To change the idle timeout that is set by the Firebox or authentication server, go to Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add Traffic Management Actions to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Set Connection Rate Limits
- Enable QoS Marking and Prioritization in a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.
For the SIP-ALG, you can configure these categories of settings for a proxy action: