H323 INSPECT is broken

So I recently had the lovely experience of dealing with H323. H323 is admittedly an ugly protocol, but it's been around for years. I assumed CP had it figured out… WRONG.

Basically you have to turn off the INSPECT handler for H323 and let the traffic through as plain stateful packet filtering on explicit ports.

1) Sniff the network for the ports actually in use. I used these:

TCP: 1718-1721
TCP: 2253-2263
UDP: 1718-1721, 2253-2263, 49152-49239, 61750-61790

2) Create a service for each of the above (one per protocol and port range).
3) In the service, go to Advanced.
4) Set Protocol Type to None (this turns off INSPECT for that service).
5) If your H323 traffic is currently hitting a rule with service ANY, disable “Match on any” so the INSPECT-backed service is not picked up through that rule.
6) Create a specific rule with the src/dst of all the VC servers and add these services.

7) Make sure you create a rule for each direction, so two rules (Source / Destination / Service):
1) ANY            323Servers     323Services    # request packets
2) 323Servers     ANY            323Services    # reply packets

This gives you a basic packet filter: the connection table still allows return packets of an accepted connection, but nothing parses the H.225/H.245 signalling any more, so the gateway will not open negotiated media ports on the fly. That is why the ranges from step 1 have to be listed as explicit services, and why a connection initiated from the server side needs its own rule.
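Two small helpers for the procedure above, as an added example that is not part of the original post: the first collapses the ports seen in a capture into ranges the way step 1 needs them (fed with constructed tcpdump-style lines, not a real trace), the second is a toy stateful filter with the two rules from step 7, to show that a connection table alone is not enough when the VC server is the one opening a call. Service names, the 323Servers addresses and the sample flows are all assumptions made up for the example.

```python
import re
from collections import defaultdict, namedtuple

# Constructed tcpdump -nn style lines (not a real capture); step 1 of the post
# does this with a real sniffer on the video-conference VLAN.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 10.1.1.5.49301 > 10.2.2.10.1719: UDP, length 120
12:00:01.010 IP 10.2.2.10.1719 > 10.1.1.5.49301: UDP, length 80
12:00:01.100 IP 10.1.1.5.50123 > 10.2.2.10.1720: Flags [S], seq 1, win 64240, length 0
12:00:01.110 IP 10.2.2.10.1720 > 10.1.1.5.50123: Flags [S.], seq 2, ack 2, win 64240, length 0
12:00:02.000 IP 10.2.2.10.2253 > 10.1.1.5.2254: UDP, length 200
12:00:02.001 IP 10.1.1.5.61750 > 10.2.2.10.61751: UDP, length 172
"""

LINE_RE = re.compile(r"IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (.*)")


def _to_ranges(ports):
    """Collapse a set of port numbers into sorted (lo, hi) runs."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def ports_in_use(capture):
    """Ports seen at either end, per protocol, as ranges (prune ephemeral ones by hand)."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        _src, sport, _dst, dport, rest = m.groups()
        proto = "udp" if rest.startswith("UDP") else "tcp"
        seen[proto].update((int(sport), int(dport)))
    return {proto: _to_ranges(ports) for proto, ports in seen.items()}


Packet = namedtuple("Packet", "proto src sport dst dport")
Service = namedtuple("Service", "name proto lo hi")
Rule = namedtuple("Rule", "name src dst services")  # src/dst: "ANY" or a set of IPs

# Step 2: one plain (non-INSPECT) service per protocol/range; names are assumptions.
H323_SERVICES = [
    Service("h323_tcp_1718_1721", "tcp", 1718, 1721),
    Service("h323_tcp_2253_2263", "tcp", 2253, 2263),
    Service("h323_udp_1718_1721", "udp", 1718, 1721),
    Service("h323_udp_2253_2263", "udp", 2253, 2263),
    Service("h323_udp_49152_49239", "udp", 49152, 49239),
    Service("h323_udp_61750_61790", "udp", 61750, 61790),
]
VC_SERVERS = {"10.2.2.10", "10.2.2.11"}  # constructed "323Servers" group

# Step 7: one rule per direction.
REQUEST_RULE = Rule("323 request", "ANY", VC_SERVERS, H323_SERVICES)
REPLY_RULE = Rule("323 reply", VC_SERVERS, "ANY", H323_SERVICES)


def _host_matches(spec, ip):
    return spec == "ANY" or ip in spec


def _rule_matches(rule, pkt):
    return (_host_matches(rule.src, pkt.src) and _host_matches(rule.dst, pkt.dst)
            and any(s.proto == pkt.proto and s.lo <= pkt.dport <= s.hi
                    for s in rule.services))


class Firewall:
    """First packet must match a rule; later packets of that connection (either
    direction) are accepted from the connection table, no payload inspection."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()

    def filter(self, pkt):
        rev = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt in self.conns or rev in self.conns:
            return "accept (established)"
        for rule in self.rules:
            if _rule_matches(rule, pkt):
                self.conns.add(pkt)
                return "accept (%s)" % rule.name
        return "drop (cleanup)"


def run(rules, pkts):
    fw = Firewall(rules)
    return [fw.filter(p) for p in pkts]


# Constructed flows: a client call to the VC server, its reply, a call the VC
# server itself opens towards a client, and unrelated traffic.
DEMO_PACKETS = [
    Packet("tcp", "10.1.1.5", 50123, "10.2.2.10", 1720),
    Packet("tcp", "10.2.2.10", 1720, "10.1.1.5", 50123),
    Packet("tcp", "10.2.2.10", 40000, "10.1.1.7", 1720),
    Packet("tcp", "10.1.1.5", 40001, "10.2.2.10", 443),
]

if __name__ == "__main__":
    print(ports_in_use(SAMPLE_CAPTURE))
    for verdict in run([REQUEST_RULE, REPLY_RULE], DEMO_PACKETS):
        print(verdict)
```

With both rules the server-initiated call (third packet) is accepted by the reply rule; run the same packets with only REQUEST_RULE and it falls through to the cleanup drop, which is the situation step 7 is guarding against.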

Make sure you test this with failover. Some phones don't like the gratuitous ARPs sent on failover if they sit on a directly connected VLAN.

I just saved you 2 days of hunting.

Support center should have this one wired but they don’t.

dreez


Comments

  • irom  On September 7, 2012 at 8:29 pm

    Same thing here ..;) But even turning inspection off on UDP 1719 didn't help. Unfortunately I had inspection on TCP 1720 (didn't notice that one). Not sure if it would help. Got the error below.
    ;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 y.y.y.y:49300 -> x.x.x.x:1719 dropped by fw_conn_post_inspect Reason: Handler ‘h323_ras_code’ reject;

    Did you try with VOIP domains ?

  • LH  On December 17, 2012 at 7:21 am

    You did save me a lot of time, including a rollback! Thanks.

  • Bergonse  On February 25, 2014 at 1:27 am

    Hi, I have a similar issue with SIP. Have you had the same issue with SIP?

    I did all of the above but I still see some SIP traffic getting dropped.

    In Smart Tracker:

    VoIP Reject Reason Malformed SIP packet
    VoIP Reject Reason Information Invalid SDP header

    I’m on R76 with 2x 4800 appliances as ClusterXL.


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
