Manual Chapter :
Configuring a SIP Message Routing Firewall
Applies To:
Show Versions
BIG-IP LTM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Configuring a SIP Message Routing Firewall
Overview: Configuring a SIP message routing firewall
You can use the BIG-IP system Session Initiation Protocol (SIP) message
routing functionality in a firewall configuration to provide stateful handling of SIP
communication and media flows. A virtual server handles the SIP communications and related media
flows, allowing them to pass through otherwise restrictive firewall rules. You configure a Local
Traffic message routing SIP profile, router profile, and virtual server, and then use that
configuration with an Advanced Firewall Manager™ (AFM™)
DoS profile. In this firewall configuration, the SIP session profile, SIP router profile, and
virtual server use Application Level Gateway (ALG) functionality, where the BIG-IP system does
not perform address translation or subscriber registration tracking.
When using ALG functionality, you cannot use a
SIP router profile with an operation mode that is configured to use load balancing settings.
Instead, you need to use a SIP router profile with the operation mode configured to use
Application Level Gateway settings.
A SIP firewall configuration
Creating a SIP ALG router profile
You can create a SIP router profile with mirroring functionality for a SIP ALG
firewall configuration.
If you do not want to configure mirroring functionality,
you can configure a virtual server to use the default settings provided in the
preconfigured
siprouter-alg
profile.- On the Main tab, click .The SIP session profiles list screen opens.
- On the menu bar, clickRouter Profiles.The Router Profiles list screen opens.
- ClickCreate.The New Router Profiles screen opens.
- In theNamefield, type a unique name for the router profile.
- In the Settings area, select theCustomcheck box.
- From theOperation Modelist, selectApplication Level Gateway.
- To use connection mirroring, configure theTraffic Groupsetting.
- Clear theInherit traffic group from current partition / pathcheck box.
- From the list, select a traffic group, such as,traffic-group-1.
Changing traffic groups, with Connection Mirroring enabled, drops all mirrored connections and loses all persistence data. If you change traffic groups, mirroring must restart.The traffic group for the virtual address and mirrored attribute are overwritten by the attached router profile. - Select theConnection Mirroringcheck box.For connection mirroring to properly function, this device must be a member of a device group.
- In theMirrored Message Sweeper Intervalfield, type the milliseconds for the frequency of the mirrored message sweeper.
- ClickFinished.
A SIP router profile appears in the Router Profiles list.
Creating a virtual server for SIP firewall
Before you start this task, ensure that a SIP Session Profile, configured for a
firewall, and a SIP Router Profile, configured for Application Level Gateway, exist in
the BIG-IP system configuration.
You can create a virtual server to handle SIP communications and related media
flows, allowing them to pass through otherwise restrictive firewall rules.
- On the Main tab, click .The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- From theTypelist, selectMessage Routing.
- In theSource Addressfield, type0.0.0.0/0for the source address and prefix length.
- In theDestination Address/Maskfield, type the IP address in CIDR format.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.The IP address for this field needs to be on the same subnet as the external self-IP.
- In theService Portfield, type5060.
- From theConfigurationlist, selectAdvanced.
- From theApplication Protocollist, selectSIP.
- From theSession Profilelist, select a SIP session profile.For a SIP firewall configuration, you can use thesipsession-algprofile.
- From theRouter Profilelist, select a SIP router profile.For a SIP firewall configuration without mirroring, you can use thesiprouter-algprofile. For a SIP firewall configuration with mirroring, you must use a router profile configured for mirroring.
- Complete the following steps to disable all translation functionality on the virtual server.
- From theSource Address Translationlist, selectNone.
- Clear theAddress Translationcheck box.
- Clear thePort Translationcheck box.
- ClickFinished.
A message routing virtual server is configured to handle SIP firewall communication
as defined by the SIP Session Profile and Router Profile.
You can configure a DoS Profile in Advanced Firewall Manager
(AFM) to use this virtual server.
