Manual Chapter : Configuring a SIP Message Routing Firewall

Applies To:


BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

Overview: Configuring a SIP message routing firewall

You can use the BIG-IP system Session Initiation Protocol (SIP) message routing functionality in a firewall configuration to provide stateful handling of SIP communication and media flows. A virtual server handles the SIP communications and related media flows, allowing them to pass through otherwise restrictive firewall rules. You configure a Local Traffic message routing SIP profile, router profile, and virtual server, and then use that configuration with an Advanced Firewall Manager (AFM) DoS profile. In this firewall configuration, the SIP session profile, SIP router profile, and virtual server use Application Level Gateway (ALG) functionality, where the BIG-IP system does not perform address translation or subscriber registration tracking.
When using ALG functionality, you cannot use a SIP router profile with an operation mode that is configured to use load balancing settings. Instead, you need to use a SIP router profile with the operation mode configured to use Application Level Gateway settings.
Figure: A SIP firewall ALG configuration

Creating a SIP ALG router profile

You can create a SIP router profile with mirroring functionality for a SIP ALG firewall configuration.
If you do not want to configure mirroring functionality, you can configure a virtual server to use the default settings provided in the preconfigured siprouter-alg profile.
  1. On the Main tab, click Local Traffic > Profiles > Message Routing > SIP.
    The SIP session profiles list screen opens.
  2. On the menu bar, click Router Profiles.
    The Router Profiles list screen opens.
  3. Click Create.
    The New Router Profiles screen opens.
  4. In the Name field, type a unique name for the router profile.
  5. In the Settings area, select the Custom check box.
  6. From the Operation Mode list, select Application Level Gateway.
  7. To use connection mirroring, configure the Traffic Group setting.
    1. Clear the Inherit traffic group from current partition / path check box.
    2. From the list, select a traffic group, such as traffic-group-1.
    Changing traffic groups with Connection Mirroring enabled drops all mirrored connections and loses all persistence data. If you change traffic groups, mirroring must restart.
    The traffic group for the virtual address and the mirrored attribute are overwritten by the attached router profile.
  8. Select the Connection Mirroring check box.
    For connection mirroring to function properly, this device must be a member of a device group.
  9. In the Mirrored Message Sweeper Interval field, type the frequency of the mirrored message sweeper, in milliseconds.
  10. Click Finished.
A SIP router profile appears in the Router Profiles list.

Creating a virtual server for SIP firewall

Before you start this task, ensure that a SIP Session Profile, configured for a firewall, and a SIP Router Profile, configured for Application Level Gateway, exist in the BIG-IP system configuration.
You can create a virtual server to handle SIP communications and related media flows, allowing them to pass through otherwise restrictive firewall rules.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Message Routing.
  5. In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
  6. In the Destination Address/Mask field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address for this field needs to be on the same subnet as the external self-IP.
  7. In the Service Port field, type 5060.
  8. From the Configuration list, select Advanced.
  9. From the Application Protocol list, select SIP.
  10. From the Session Profile list, select a SIP session profile.
    For a SIP firewall configuration, you can use the sipsession-alg profile.
  11. From the Router Profile list, select a SIP router profile.
    For a SIP firewall configuration without mirroring, you can use the siprouter-alg profile. For a SIP firewall configuration with mirroring, you must use a router profile configured for mirroring.
  12. Complete the following steps to disable all translation functionality on the virtual server.
    1. From the Source Address Translation list, select None.
    2. Clear the Address Translation check box.
    3. Clear the Port Translation check box.
  13. Click Finished.
A message routing virtual server is configured to handle SIP firewall communication as defined by the SIP Session Profile and Router Profile.
You can configure a DoS Profile in Advanced Firewall Manager (AFM) to use this virtual server.
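The two procedures above (router profile and virtual server) impose a handful of invariants on a SIP ALG firewall: ALG operation mode rather than load balancing, a traffic group and device-group membership when mirroring, port 5060, no source address, address or port translation, and a destination on the external self-IP subnet (with a bare IPv4 address meaning /32). The following added example, which is not F5 code and models the configuration as plain Python dataclasses rather than reading it from a BIG-IP, checks a proposed configuration against those invariants before it is applied; the `in_device_group` attribute and the `external_self_ip` parameter are assumptions made for the check.

```python
import ipaddress
from dataclasses import dataclass

ALG = "application-level-gateway"  # the only router operation mode allowed here

@dataclass
class SipRouterProfile:
    name: str
    operation_mode: str            # ALG or "load-balancing"
    mirror: bool = False           # Connection Mirroring check box
    traffic_group: str = ""        # e.g. "traffic-group-1" when mirroring
    in_device_group: bool = True   # assumed: is this device in a device group?

@dataclass
class SipVirtualServer:
    name: str
    destination: str               # address or address/prefix, as typed in the GUI
    service_port: int
    session_profile: str           # e.g. "sipsession-alg"
    router_profile: SipRouterProfile
    snat: str = "none"             # Source Address Translation list
    address_translation: bool = False
    port_translation: bool = False

def normalize_destination(dest: str):
    """Mirror the GUI rule: an IPv4 address typed without a prefix means /32."""
    return ipaddress.ip_network(dest, strict=False)  # bare 10.0.0.1 -> 10.0.0.1/32

def check_sip_alg_firewall(vs: SipVirtualServer, external_self_ip: str) -> list[str]:
    """Return the constraints from this chapter that the configuration violates."""
    rp, findings = vs.router_profile, []
    if rp.operation_mode != ALG:
        findings.append(f"{rp.name}: operation mode must be {ALG}, not {rp.operation_mode}")
    if rp.mirror and not rp.traffic_group:
        findings.append(f"{rp.name}: mirroring needs an explicit traffic group")
    if rp.mirror and not rp.in_device_group:
        findings.append(f"{rp.name}: mirroring needs device-group membership")
    if vs.service_port != 5060:
        findings.append(f"{vs.name}: service port should be 5060, not {vs.service_port}")
    if vs.snat != "none" or vs.address_translation or vs.port_translation:
        findings.append(f"{vs.name}: ALG firewall must have all translation disabled")
    dest = normalize_destination(vs.destination)
    self_net = ipaddress.ip_interface(external_self_ip).network
    # same-subnet rule from step 6; version mismatch is checked first to avoid TypeError
    if dest.version != self_net.version or not dest.subnet_of(self_net):
        findings.append(f"{vs.name}: destination {dest} is not on external self-IP subnet {self_net}")
    return findings
```

An empty list means the configuration satisfies every rule the chapter states; each finding names the object and the rule it breaks.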