SIP-ALG: General Settings
In the SIP-ALG Action general settings configuration, you can set security and performance options for the SIP-ALG (Application Layer Gateway).
There is no default policy for SIP-ALG traffic. Before you configure SIP-ALG, you must create a proxy policy to handle the traffic. For instructions to add the SIP-ALG to your Firebox configuration, go to Add a Proxy Policy to Your Configuration.
- Select Firewall > Proxy Actions.
  The Proxy Action page opens.
- Select the proxy action to edit.
- Click Edit.
- Select General.

- Select Setup > Actions > Proxies.
  The Proxy Action dialog box opens.
- Select the proxy action to edit.
- Click Edit.
- Select General.
Settings
SIP-ALG Action general settings configuration in Policy Manager
Enable header normalization
To deny malformed or extremely long SIP headers, select this check box. While these headers often indicate an attack on your Firebox, you can disable this option if necessary for your VoIP solution to operate correctly.
Enable topology hiding
This feature rewrites SIP and SDP (Session Description Protocol) headers to remove private network information, such as IP addresses. We recommend that you select this option unless you have an existing VoIP gateway device that performs topology hiding.
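One way to verify topology hiding from a packet capture taken on the external side of the Firebox, as an added example that is not WatchGuard code: the script scans a SIP message for RFC 1918 addresses left in the start line, SIP headers, or SDP body. The sample messages and the names `find_leaks` and `rfc1918_addrs` are constructed for illustration, and the check covers IPv4 only.

```python
import ipaddress
import re

# RFC 1918 ranges. ipaddress.is_private is broader (it also flags documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def rfc1918_addrs(text):
    """Return the RFC 1918 IPv4 addresses that appear in text."""
    hits = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # dotted quad with an octet above 255
            continue
        if any(ip in net for net in RFC1918):
            hits.append(candidate)
    return hits

def find_leaks(message):
    """List (section, field, address) for each private address in a SIP message."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    # Unfold header continuation lines (leading whitespace) before scanning.
    headers = re.sub(r"\n[ \t]+", " ", head).split("\n")
    leaks = [("start-line", "", a) for a in rfc1918_addrs(headers[0])]
    for line in headers[1:]:
        name, _, value = line.partition(":")
        leaks += [("sip", name.strip().lower(), a) for a in rfc1918_addrs(value)]
    for line in body.split("\n"):  # SDP lines have the form <field>=<value>
        field, _, value = line.partition("=")
        leaks += [("sdp", field, a) for a in rfc1918_addrs(value)]
    return leaks

# Constructed, abridged INVITE as an internal phone might send it.
INTERNAL = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.1.25:5060;branch=z9hG4bK776asdhds",
    "Call-ID: a84b4c76e66710@10.0.1.25",
    "Contact: <sip:alice@10.0.1.25:5060>",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.1.25",
    "c=IN IP4 10.0.1.25",
    "m=audio 49170 RTP/AVP 0",
    "",
])
# Constructed stand-in for a message that carries no private addresses.
EXTERNAL = INTERNAL.replace("10.0.1.25", "203.0.113.10")
```

Run `find_leaks` on each SIP message extracted from the external capture; an empty list means no RFC 1918 address was found in that message.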
Enable directory harvesting protection
To prevent attackers from stealing user information from VoIP gatekeepers protected by your Firebox, select this check box. This option is enabled by default.
Set the maximum number of sessions allowed per call
To restrict the maximum number of audio or video sessions that can be created with a single VoIP call, type or select a value in this text box.
For example, if you set the number of maximum sessions to one and participate in a VoIP call with both audio and video, the second connection is dropped. The default value is two sessions and the maximum value is four sessions. The Firebox sends a log message when it denies a media session above this number.
User agent information
To identify outgoing SIP traffic as a client you specify, type a new user agent string in the Rewrite user agent as text box.
To remove the false user agent, clear the text box.
Idle media channels
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel, your Firebox closes that network connection. The default value is 180 seconds (three minutes) and the maximum value is 600 seconds (ten minutes).
To specify a different time interval, type or select the time in seconds in the Idle media channels text box.
Registration expires after
Specify the elapsed time interval before the SIP-ALG rewrites the SIP registration value that VoIP phones and PBX systems use to update their registration. The default value is 180 seconds (three minutes) and the maximum value is 600 seconds (ten minutes).
To specify a different time interval, type or select the time in seconds in the Registration expires after text box.
Enable logging for reports
To send a log message for each connection request managed by the SIP-ALG, select this check box. To create accurate reports on SIP traffic, you must select this check box.
Override the Diagnostic Log Level for Proxy Policies That Use This Proxy Action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this check box. Then, from the Diagnostic Log Level for This Proxy Action drop-down list, select a log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages of this proxy policy type.
For more information about the diagnostic log level, go to Set the Diagnostic Log Level.