2020-05-18T12:09:00Z
Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)

Should I configure SIP or NAT traversal technologies on my firewall?

Why or why not? If so, which are the best providers for this configuration?

12 Answers
PrideChieza - PeerSpot reviewer
Network Security Engineer at Frampol
Real User
2020-05-19T14:59:09Z
May 19, 2020

That is a very good question. For SIP, we highly recommend using SIP security on the firewall; this prevents issues with SIP attacks resulting in unknown phone calls being made from your PBX, causing a high phone call bill that you didn't generate. However, in some cases, when working with the FortiGate firewall and older versions of PBX, you may need to disable this function. It's called SIP ALG (Application Layer Gateway), and it usually causes problems with SIP VoIP phone registration and call processing. But you need to make sure you only allow the PBX to communicate with the specific VoIP server for security.

Regarding NAT traversal, it is mostly used when you have devices that are not SIP aware, and the firewall is then used to NAT the actual IP address of the SIP phone when communicating with the external IPs or VoIP servers. With the use of a security policy, this can ensure that the VoIP traffic is also secured by the firewall.

Luis Apodaca - PeerSpot reviewer
IT Support and Network Admin at Escuela Carlos Pereyra
User
Top 5
2021-08-23T16:47:56Z
Aug 23, 2021

What is the reason for doing SIP, in addition to IP PBX? If it's only that, any router can handle that service via NAT, but if it is another scenario!

- What is your organization size?
- How many users do you have?
- Do you already have an internal router, or did your Internet Service Provider give you one? If so, can you handle that router?
- What kind of service do you need via that router?
- What's your budget?

This is not a simple question to answer, but if you want a whole scenario solution, I'd probably choose an internal router doing NAT.

SandeepKumar13 - PeerSpot reviewer
IT Manager at a legal firm with 11-50 employees
Real User
Top 5
2021-08-25T03:07:52Z
Aug 25, 2021

NAT is always good for security concerns, as to some extent it hides internal networks.

SIP can be used with port forwarding too (it works). Here I mean SIP (Session Initiation Protocol in VoIP phones).


Also, I suggest you refer to your firewall docs.  

ZhulienKeremedchiev - PeerSpot reviewer
Lead Network Security Engineer at TECHNOCORE LTD
Real User
Top 5
2021-08-24T18:08:38Z
Aug 24, 2021

The question is too vague. 


Need more details such as:


What devices are you using or what is your budget for devices? 


What are you aiming to do? 

Rias Majeed - PeerSpot reviewer
Information Security Manager at Exceed NetSec LLC
Reseller
Top 10
2020-05-20T09:14:14Z
May 20, 2020

If you have SIP phones which need to access the PABX from the WAN (internet), you need to forward SIP from the WAN to the LAN PABX.

If you have more than 2 devices that need to share the same internet connection, you have to enable NAT.

Devices that support NAT include the following:

1. Any broadband router (Cisco, D-Link, TP-Link, Linksys, Asus, etc.)
2. Firewall/Router/VPN (FortiGate, Cisco, SonicWall, Palo Alto, WatchGuard, etc.)

My preference is FortiGate. It supports SIP, NAT Configuration & VPN in the same appliance device. SSL VPN is free of charge included with the devices.

Rupsan Shrestha - PeerSpot reviewer
Technical Presales Engineer at Dristi Tech Pvt.ltd
Real User
2020-05-20T03:55:40Z
May 20, 2020

SIP is a protocol used for session management in VoIP or video communication. On the other hand, NAT traversal is a technique used to maintain connectivity over networks where NAT is used. You are probably looking to implement VoIP in your network, if I'm not mistaken. There is no choice here because some VoIP devices require the implicit use of the SIP protocol. That is what they use to initiate, manage, and terminate sessions.

While there are some vendors that use their proprietary protocol, a SIP-like protocol is necessary regardless. As for NAT traversal, if you have a NAT device or a firewall that implements NAT in between or as a gateway, NAT traversal must be used to make sure your communication works, because in VoIP communication the client also acts as a server, meaning the communication has to be both ways. When there is a NAT in between, the NAT masquerades the original IP, so there is a probability that the communication may fail. However, some VoIP solutions have their own mechanism to bypass NAT and maintain communication, while some require NAT traversal to be configured on the firewall.
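The NAT problem described in the answer above, as an added example that is not part of the original post or any vendor's code: the phone writes its own address into the SIP headers and the SDP body, and NAT of the IP header alone leaves those untouched. The sample INVITE, the addresses 192.168.1.50 and 203.0.113.5, and the function names are constructed for illustration; the rewrite is a simplified model of what a SIP-aware firewall does.

```python
import ipaddress
import re

# Constructed sample: INVITE from a phone at 192.168.1.50 behind a NAT firewall.
BODY = ("v=0\r\n"
        "o=alice 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
        "s=-\r\n"
        "c=IN IP4 192.168.1.50\r\n"
        "t=0 0\r\n"
        "m=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@voip.example.net SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
          "From: <sip:alice@voip.example.net>;tag=1928301774\r\n"
          "To: <sip:bob@voip.example.net>\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 314159 INVITE\r\n"
          "Contact: <sip:alice@192.168.1.50:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(BODY)}\r\n\r\n" + BODY)

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CHECKED = ("Via:", "Contact:", "o=", "c=")  # lines the far side replies to

def unroutable_addresses(message):
    """Return (line prefix, address) for each embedded RFC 1918 address,
    i.e. what NAT of the IP header alone leaves unreachable."""
    found = []
    for line in message.split("\r\n"):
        prefix = next((p for p in CHECKED if line.startswith(p)), None)
        for text in (IPV4.findall(line) if prefix else ()):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
            if any(addr in net for net in RFC1918):
                found.append((prefix, text))
    return found

def traversal_rewrite(message, inside, outside):
    """Simplified model of a SIP-aware firewall: swap the inside address
    for the public one on the checked lines, then fix Content-Length."""
    def swap(part):
        return "\r\n".join(l.replace(inside, outside) if l.startswith(CHECKED)
                           else l for l in part.split("\r\n"))
    head, _, body = message.partition("\r\n\r\n")
    head, body = swap(head), swap(body)
    length = f"Content-Length: {len(body)}"
    return re.sub(r"(?m)^Content-Length:[^\r\n]*", length, head) + "\r\n\r\n" + body
```

Running `unroutable_addresses` on a captured message from the WAN side of the firewall shows whether the phone, the firewall, or neither has handled the embedded addresses; the RTP port on the `m=` line still needs a matching firewall policy.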

Nawaaz Toonah - PeerSpot reviewer
Operations Manager at Cybernaptics
Reseller
Top 5 Leaderboard
2020-05-19T18:04:29Z
May 19, 2020

NAT: an ISP normally provides one public IP to subscribers, and for many devices to connect to the internet, this single public IP address is shared among them. The traversal technique is to do UDP encapsulation to allow traffic to reach the destination device, which does not have a public address.

SIP traversal is mainly used when we have SIP phones which are registered to a remote IPBX; to keep the connection live and keep the signaling link between the phones and the SIP registrar, SIP traversal comes into play.

I have mainly used this SIP traversal option on Cyberoam / Sophos firewalls and, believe me, it works like a charm.

DA
Computer Networking Consultant and Contractor
Consultant
2020-05-21T14:32:40Z
May 21, 2020

"For SIP it is best to use SIP proxy technologies (for example Cisco CUBE). It is much more secure and has an advantage in that the external traffic stops in the Gateway which in turn will make another connection to the inside. Thus, any DoS attack will only affect the gateway and not the applications and internal communications.

Another advantage of the SIP proxy is that reconfigurations and transformations specific to incompatible SIP sessions (DSP transcoding) can be performed on the gateway.

On the other hand, NAT traversal has the advantage of being a cheap solution, with only security facilities and not for improving the parameters of RTP and voice signaling."

it_user1146165 - PeerSpot reviewer
Cibersecurity Pre-Sales at Ingram Micro Inc.
Real User
2020-05-20T01:58:26Z
May 20, 2020

SIP is a VoIP telephony protocol; it is not a firewall configuration. In the firewall, the only item you can configure is SIP ALG in disabled or enabled mode. You can configure NAT traversal when you need to implement a site-to-site VPN where the VPN hub is behind a router.

Stuart Berman - PeerSpot reviewer
CTO at a tech company with 11-50 employees
Real User
Top 10
2020-05-19T17:54:09Z
May 19, 2020

The business need should always be part of the equation. If you have a business need for SIP in addition to perimeter security, then use a firewall with SIP protection, such as a FortiGate running version 6.x.

If you only need a SIP gateway then there are several dedicated gateways that are available, but I am not familiar enough to recommend a brand.

William Buress - PeerSpot reviewer
Regional Manager at enfoPoint Solutions
User
2020-05-19T15:46:26Z
May 19, 2020

There are lots of blogs on this topic. That will be your best resource.

Rajesh Balasubramanian - PeerSpot reviewer
Technical Consultant at Indsys Holdings India Pvt Ltd
User
2020-05-19T14:31:48Z
May 19, 2020

You should configure NAT on your firewall; this is for securing the internal network (LAN) from the external network (WAN).

SIP is a protocol for Voice over IP in digital networks.
