CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples, and caution should be exercised when making changes to your firewall, as unplanned changes could result in downtime depending on the complexity of the environment and/or configuration.
MSS Recommended SonicWall Firewall Best Practices Index
Notes/Considerations
- SonicWalls will interfere with VoIP traffic by default due to the nature of UDP VoIP traffic.
- It is best practice to separate VoIP traffic from data traffic via different subnets/VLANs and place it in its own firewall security zone.
- Ensure to gather specific VoIP manufacturer firewall requirements so you can make those changes in addition to the below.
- If the SonicWall has “UDP Flood Protection” enabled, you might need to increase the “UDP Flood Attack Threshold (UDP Packets / Sec)” if the firewall is seeing the VoIP traffic as a UDP flood.
- If you are restricting outbound ports/services, you will need to either create an outbound firewall rule that does not restrict the services, or one that restricts the services to what the manufacturer requires.
Global Recommended Changes
- Enable Consistent NAT (This is the same as Disabling SIP ALG)
- Only enable SIP and/or H.323 Transformations if required by the manufacturer.
VoIP traffic on separate Network/VLAN
This is the best-case scenario and is highly recommended. If the VoIP system is on its own dedicated subnet/zone on the firewall, make the following changes to ensure the traffic is excluded.
- Create an Address Object Group. Name it Security Exclusion Group for example. This is the Address Object Group that will be excluded from the security services.
- Add the VoIP Network’s Interface Subnet or Zone to this group.
- There is no need to create a group if there is already an Address Object group excluded from the security services. In that case, just add the Address Object to that existing group.
- Go to the Exclusion List section for each security service and select the group created/used above from the drop-down menu.
  - App Control
  - Content Filtering
  - Gateway Anti-Virus
  - Intrusion Prevention
  - Anti-Spyware
  - Geo-IP Filtering
  - BotNet Filtering
- Create a new firewall rule from the source zone of the VoIP network to WAN.
  - Leave the destination as Any.
  - This should be an Allow rule.
  - Under the Advanced tab, select Disable DPI.
VoIP traffic on the Data Network/VLAN
It is not ideal for VoIP traffic to be on the same subnet as the PCs, Servers, default LAN, etc. but there are still ways to exclude the VoIP traffic.
- Make sure the device(s) have a static IP. This can be done by creating a static DHCP reservation based on the MAC address of the device or by configuring the static IP info on the device itself.
  - Make sure the IP of the static reservation is outside of the DHCP scope to avoid IP conflicts.
- Create an Address Object for the IP of the DHCP reservation.
  - You can also create a range object instead of a separate object for each IP if the IPs are sequential.
  - Make sure the Address Object Zone is correct.
- Create an Address Object Group. Name it Security Exclusion Group for example. This is the Address Object Group that will be excluded from the security services.
- Add the above Address Objects for the devices' IPs to this group.
- There is no need to create a group if there is already an Address Object group excluded from the security services. In that case, just add the Address Object to that existing group.
- Go to the Exclusion List section for each security service and select the group created/used above from the drop-down menu.
  - App Control
  - Content Filtering
  - Gateway Anti-Virus
  - Intrusion Prevention
  - Anti-Spyware
  - Geo-IP Filtering
  - BotNet Filtering
- Create a new firewall rule from the source zone of the VoIP devices to WAN.
  - Select the address object(s) of the VoIP device(s) as the source.
  - Leave the destination as Any.
  - This should be an Allow rule.
  - Under the Advanced tab, select Disable DPI.
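As an added planning example (not SonicWall's own tooling or CLI), the following Python checks the reservation and Address Object steps above before you touch the firewall: each reserved IP must be inside the zone's subnet and outside the DHCP scope, and sequential IPs are collapsed into one range object. All subnets, scopes, device IPs and object names are constructed for illustration.

```python
"""Pre-flight planner for VoIP devices on the data VLAN (added example)."""
import ipaddress
from typing import Dict, List, Tuple


def plan_address_objects(lan_subnet: str, dhcp_scope: Tuple[str, str],
                         device_ips: List[str], zone: str = "LAN") -> Dict[str, list]:
    """Validate reservations and propose host/range Address Objects.

    lan_subnet  - the interface subnet of the zone the devices live in
    dhcp_scope  - (first, last) address handed out by the firewall's DHCP scope
    device_ips  - static reservations (or static IPs) of the VoIP devices
    """
    net = ipaddress.ip_network(lan_subnet, strict=False)
    scope_start, scope_end = (ipaddress.ip_address(a) for a in dhcp_scope)
    ips = sorted({ipaddress.ip_address(ip) for ip in device_ips})

    problems: List[str] = []
    for ip in ips:
        if ip not in net:
            # Wrong subnet means the Address Object Zone would also be wrong.
            problems.append(f"{ip} is not in {net}; zone {zone} would be incorrect")
        elif scope_start <= ip <= scope_end:
            # Reservation inside the scope risks IP conflicts with DHCP leases.
            problems.append(f"{ip} is inside the DHCP scope; move the reservation")

    # Collapse runs of consecutive addresses into a single range object,
    # otherwise emit one host object per device.
    objects: List[dict] = []
    run: List[ipaddress._BaseAddress] = []
    for ip in ips + [None]:
        if run and (ip is None or ip != run[-1] + 1):
            if len(run) == 1:
                objects.append({"type": "host", "name": f"VoIP-{run[0]}",
                                "zone": zone, "value": str(run[0])})
            else:
                objects.append({"type": "range", "name": f"VoIP-{run[0]}-{run[-1]}",
                                "zone": zone, "value": f"{run[0]}-{run[-1]}"})
            run = []
        if ip is not None:
            run.append(ip)

    # Constructed group name matching the step above; reuse an existing group if present.
    return {"problems": problems, "objects": objects,
            "group": "Security Exclusion Group"}


if __name__ == "__main__":
    plan = plan_address_objects("192.168.1.0/24", ("192.168.1.100", "192.168.1.200"),
                                ["192.168.1.50", "192.168.1.51", "192.168.1.52",
                                 "192.168.1.150", "10.0.0.5"])
    for line in plan["problems"]:
        print("PROBLEM:", line)
    for obj in plan["objects"]:
        print(obj["type"], obj["name"], obj["zone"], obj["value"])
```

Fix every reported problem first; the proposed objects are then the ones to create and add to the exclusion group.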
Softphones
Since Softphones are commonly installed on computers, they share the IP of the computer they are installed on. Therefore, you can’t exclude this traffic based on IP addresses using Address Objects.
- The best thing to do is to refer to and implement the manufacturer’s requirements along with the Notes/Considerations and Global Recommended Changes above.
If the VoIP traffic shows up in the logs as a specific Layer 7 app (Zoom, SIP, etc.), you can create an App rule for that application so it Bypasses DPI:
- Create an Application List Match Object
  - Add the applications that you would like to Bypass DPI (Zoom, Teams, etc.)
- Create a new App Rule
  - Policy Type: App Control Content
  - Match Object: The Match Object you just created.
  - Action Object: Bypass DPI
  - Check Enable Logging