Manual Chapter : Configuring a SIP Message Routing Firewall

Applies To:

BIG-IP LTM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Overview: Configuring a SIP message routing firewall

You can use the BIG-IP® system Session Initiation Protocol (SIP) message routing functionality in a firewall configuration to provide stateful handling of SIP signaling and the media flows it negotiates. A virtual server handles the SIP communications and related media flows, allowing them to pass through otherwise restrictive firewall rules. You configure a Local Traffic message routing SIP session profile, a SIP router profile, and a virtual server, and then use that configuration with an Advanced Firewall Manager™ (AFM™) DoS profile. In this firewall configuration, the SIP session profile, SIP router profile, and virtual server use Application Level Gateway (ALG) functionality, in which the BIG-IP system performs neither address translation nor subscriber registration tracking.
Note: When using ALG functionality, you cannot use a SIP router profile whose operation mode is configured for load balancing. Instead, use a SIP router profile whose operation mode is configured for Application Level Gateway.
Figure: A SIP firewall ALG configuration

Creating a SIP ALG router profile

You can create a SIP router profile with mirroring functionality for a SIP ALG firewall configuration.
Note: If you do not want to configure mirroring functionality, you can configure a virtual server to use the default settings provided in the preconfigured siprouter-alg profile.
  1. On the Main tab, click Local Traffic > Profiles > Message Routing > SIP .
    The SIP session profiles list screen opens.
  2. On the menu bar, click Router Profiles.
    The Router Profiles list screen opens.
  3. Click Create.
    The New Router Profiles screen opens.
  4. In the Name field, type a unique name for the router profile.
  5. In the Settings area, select the Custom check box.
  6. From the Operation Mode list, select Application Level Gateway.
  7. For use with connection mirroring, configure the Traffic Group setting.
    1. Clear the Inherit traffic group from current partition / path check box.
    2. From the list, select a traffic group, such as, traffic-group-1.
    Important: Changing the traffic group while Connection Mirroring is enabled drops all mirrored connections and discards all persistence data. If you change the traffic group, mirroring must restart.
    Note: The traffic group and mirrored attribute of the virtual address are overwritten by those of the attached router profile.
  8. Select the Connection Mirroring check box.
    Note: For connection mirroring to properly function, this device must be a member of a device group.
  9. In the HA Message Sweeper Interval field, type a value (in milliseconds) for the frequency of the mirrored message sweeper.
  10. Click Finished.
The new SIP router profile appears in the Router Profiles list.

Creating a virtual server for SIP firewall

Before you start this task, ensure that a SIP Session Profile, configured for a firewall, and a SIP Router Profile, configured for Application Level Gateway, exist in the BIG-IP® system configuration.
You can create a message routing virtual server to handle SIP communications and related media flows, allowing them to pass through otherwise restrictive firewall rules. Because the ALG configuration performs no translation, the virtual server must have source address translation, address translation, and port translation all disabled.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Message Routing.
  5. In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
  6. In the Destination Address/Mask field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address for this field needs to be on the same subnet as the external self-IP.
  7. In the Service Port field, type 5060.
  8. From the Configuration list, select Advanced.
  9. From the Application Protocol list, select SIP.
  10. From the Session Profile list, select a SIP session profile.
    Note: For a SIP firewall configuration, you can use the sipsession-alg profile.
  11. From the Router Profile list, select a SIP router profile.
    Note: For a SIP firewall configuration without mirroring, you can use the siprouter-alg profile. For a SIP firewall configuration with mirroring, you must use a router profile configured for mirroring.
  12. Complete the following steps to disable all translation functionality on the virtual server.
    1. From the Source Address Translation list, select None.
    2. Clear the Address Translation check box.
    3. Clear the Port Translation check box.
  13. Click Finished.
A message routing virtual server is configured to handle SIP firewall communication as defined by the SIP Session Profile and Router Profile.
You can configure a DoS Profile in Advanced Firewall Manager™ (AFM™) to use this virtual server.
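The two procedures above (the mirrored SIP ALG router profile and the message routing virtual server) are GUI walkthroughs, and the settings that matter for the firewall case are easy to leave at their defaults. The following added example, which is not F5 tooling or code from this manual, audits an exported configuration offline against those settings: ALG operation mode rather than load balancing, a floating traffic group when connection mirroring is enabled, wildcard source, service port 5060, and every form of translation disabled. The sample objects are constructed, and the brace-delimited key/value layout is assumed to match what `tmsh list` prints; the attribute names in the sample (`operation-mode`, `mirror`, `traffic-group`, `translate-address`, `translate-port`, `source-address-translation`) are assumptions you should check against your own export.

```python
"""Offline audit of a BIG-IP SIP ALG firewall configuration (added example).

Parses tmsh-style `list` text for SIP router profiles and message routing
virtual servers, then reports every setting that departs from the SIP ALG
firewall procedure. The layout and attribute names are assumptions modeled
on tmsh output, not taken from F5 documentation.
"""
import re

# Constructed sample: an ALG router profile with mirroring, a load-balancing
# router profile wrongly left on the non-floating traffic group, a correct
# virtual server, and one that still translates addresses and ports.
SAMPLE_CONFIG = """\
ltm message-routing sip profile router sip_alg_router {
    defaults-from siprouter-alg
    mirror enabled
    mirrored-message-sweeper-interval 1000
    operation-mode application-level-gateway
    traffic-group traffic-group-1
}
ltm message-routing sip profile router sip_lb_router {
    defaults-from siprouter
    mirror enabled
    operation-mode load-balancing
    traffic-group traffic-group-local-only
}
ltm virtual sip_fw_vs {
    destination 10.1.10.5:5060
    profiles {
        sipsession-alg { }
        sip_alg_router { }
        udp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type none
    }
    translate-address disabled
    translate-port disabled
}
ltm virtual sip_bad_vs {
    destination 10.1.10.6:5060
    profiles {
        sipsession-alg { }
        sip_lb_router { }
        udp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
"""

ROUTER_PREFIX = "ltm message-routing sip profile router "


def parse_tmsh(text):
    """Parse brace-delimited config into {"ltm virtual NAME": {attr: value}}.

    A `key {` line opens a nested dict, `key { }` is an empty dict, and any
    other line is split into `key value` at the first space.
    """
    objects, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.fullmatch(r"(.+?)\s*\{\s*\}", line)
        if m:
            stack[-1][m.group(1)] = {}
            continue
        m = re.fullmatch(r"(.+?)\s*\{", line)
        if m:
            block = {}
            (stack[-1] if stack else objects)[m.group(1)] = block
            stack.append(block)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value
    return objects


def audit_router_profile(objects, name):
    """Findings for one SIP router profile; the built-in siprouter-alg passes."""
    if name == "siprouter-alg":
        return []
    prof = objects[ROUTER_PREFIX + name]
    findings = []
    if prof.get("operation-mode") != "application-level-gateway":
        findings.append(f"{name}: operation mode must be Application Level Gateway, not load balancing")
    if prof.get("mirror") == "enabled":
        # Mirroring only works between members of a device group, so the
        # profile must sit in a floating traffic group, not the local-only one.
        tg = prof.get("traffic-group", "")
        if not tg or tg == "traffic-group-local-only":
            findings.append(f"{name}: connection mirroring needs a floating traffic group such as traffic-group-1")
    return findings


def audit_virtual(objects, vs_name):
    """Return a list of findings; an empty list means the ALG firewall settings hold."""
    vs = objects[f"ltm virtual {vs_name}"]
    findings = []
    if vs.get("translate-address") != "disabled":
        findings.append("address translation must be disabled")
    if vs.get("translate-port") != "disabled":
        findings.append("port translation must be disabled")
    if vs.get("source-address-translation", {}).get("type", "none") != "none":
        findings.append("source address translation must be None")
    if vs.get("source") != "0.0.0.0/0":
        findings.append("source should be 0.0.0.0/0")
    if not vs.get("destination", "").endswith(":5060"):
        findings.append("service port should be 5060")
    profiles = vs.get("profiles", {})
    if "sipsession-alg" not in profiles:
        findings.append("no SIP ALG session profile attached")
    routers = [p for p in profiles if p == "siprouter-alg" or ROUTER_PREFIX + p in objects]
    if not routers:
        findings.append("no SIP router profile attached")
    for name in routers:
        findings.extend(audit_router_profile(objects, name))
    return findings


if __name__ == "__main__":
    cfg = parse_tmsh(SAMPLE_CONFIG)
    for vs in ("sip_fw_vs", "sip_bad_vs"):
        print(vs, audit_virtual(cfg, vs) or "OK")
```

Run it against the output of `tmsh list ltm virtual` and `tmsh list ltm message-routing sip profile router` saved to a file; a non-empty list for the SIP virtual server means one of the steps above was skipped, and the load-balancing finding in particular means the router profile cannot be used with the ALG session profile at all.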