
    Configuring SIP ALG (NSM Procedure)

    SIP is an IETF-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.

    To configure SIP ALG:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure SIP ALG.
    3. Click the Configuration tab. In the configuration tree, select Security > Alg > Sip.
    4. Add or modify settings as specified in Table 1.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.

    Table 1: SIP ALG Configuration Details

    | Option | Function | Your Action |
    | --- | --- | --- |
    | C Timeout | Specifies the INVITE transaction timeout at the proxy, in minutes. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy. | Select a value between 3 and 10 minutes. The default is 3. |
    | Inactive Media Timeout | Specifies the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall SIP ALG opened for media are closed. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated. | Select a value between 10 and 2,550 seconds. The default is 120 seconds. |
    | Maximum Call Duration | Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. | Select a value between 3 and 7,200 minutes. The default is 720 minutes. |
    | T1 Interval | Specifies the roundtrip time estimate (in seconds) of a transaction between endpoints. Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted. | Select a value between 500 and 5,000 milliseconds. The default is 500 milliseconds. |
    | T4 Interval | Specifies the maximum time a message remains in the network. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers also are adjusted. | Select a value between 5 and 10 seconds. The default is 5 seconds. |
    | Disable | Enables or disables translation of the host IP address in the call-ID header. Translation is enabled by default. | Select this option to enable translation of host IP address in the call-ID header. By default, translation is enabled. |
    | Retain Hold Resource | Specifies whether the device frees media resources for a SIP ALG, even when a media stream is placed on hold. | Select this option to enable the device to retain media stream resources when the media stream is on hold. By default, media stream resources are released when the media stream is held. |
    | Timeout | Specifies the amount of time (in seconds) to make an attack table entry for each INVITE, which is listed in the application screen. | Enter a value between 1 and 3,600 seconds. |
    | Destination Ip | Protects servers against INVITE attacks. Configure the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks. You can include up to 16 destination IP addresses of servers to be protected. | Select None, destination-ip, or all. If you select destination-ip, enter or select an IP address. |
    | Permit NAT Applied | Specifies how unidentified SIP messages are handled by the device. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SIP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped. This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing. | Select this option to permit unidentified SIP messages. By default, unknown (unsupported) messages are dropped. |
    | Permit Routed | Specifies that unknown messages be allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.) | Select this option. |
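
The ranges in Table 1 and the RFC 3261 timers that scale with T1 and T4 can be checked before a change is pushed to a device. The following is an added example, not Juniper or NSM code: it audits a set of planned values against Table 1, computes the dependent RFC 3261 timers, and flags the options that let unknown SIP messages through. The dictionary keys are hypothetical names for the NSM options, and the sample input is constructed.

```python
# Added example: audit planned SIP ALG settings against the ranges in Table 1.
# The dict keys are hypothetical names for the NSM options, not an NSM API.

# (min, max, default) from Table 1, in the unit given under "Your Action".
RANGES = {
    "c_timeout_min": (3, 10, 3),
    "inactive_media_timeout_s": (10, 2550, 120),
    "maximum_call_duration_min": (3, 7200, 720),
    "t1_interval_ms": (500, 5000, 500),
    "t4_interval_s": (5, 10, 5),
}
# Options that let unidentified SIP messages pass (dropped by default).
PERMIT_UNKNOWN = ("permit_nat_applied", "permit_routed")


def derived_timers(t1_ms, t4_s):
    """RFC 3261 timers, in seconds, that scale with T1 and T4."""
    t1 = t1_ms / 1000.0
    return {
        "A_initial": t1, "E_initial": t1, "G_initial": t1,  # first retransmit
        "B": 64 * t1, "F": 64 * t1, "H": 64 * t1, "J": 64 * t1,  # 64*T1 timers
        "I": float(t4_s), "K": float(t4_s),  # absorb late retransmits (UDP)
    }


def audit(cfg):
    """Return (effective settings, findings) for a dict of option values."""
    eff, findings = {}, []
    for key, (lo, hi, default) in RANGES.items():
        val = cfg.get(key, default)  # unset options fall back to the default
        if not lo <= val <= hi:
            findings.append(f"{key}={val} outside {lo}-{hi}")
        eff[key] = val
    for key in PERMIT_UNKNOWN:
        if cfg.get(key, False):
            findings.append(f"{key} lets unknown SIP messages pass")
    eff["timers_s"] = derived_timers(eff["t1_interval_ms"], eff["t4_interval_s"])
    return eff, findings


# Constructed sample: T1 raised for a high-latency link, one risky option on,
# and an inactive media timeout below the allowed minimum.
SAMPLE = {"t1_interval_ms": 2000, "inactive_media_timeout_s": 5,
          "permit_nat_applied": True}

if __name__ == "__main__":
    effective, problems = audit(SAMPLE)
    print(effective["timers_s"])
    print("\n".join(problems))
```

Raising T1 from 500 to 2,000 milliseconds moves Timer B from 32 to 128 seconds, which is the scaling effect the T1 Interval row describes.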

    Published: 2013-01-06