Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Subscribers 26 subscribers
  • Views 1981 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PROTOCOL-VOIP inbound 404 Not Found

gr33ny

Hello

We have an XG106 running 17.5 MR7.

The XG is used specifically as our SIP gateway, we spent many weeks configuring and testing it before going live with it on Tuesday 8th October.  Per our providers request, we have disabled SIP ALG & change the UDP timeout to 45 seconds.

It has worked without issue until this morning when all incoming/outgoing calls stopped working.  I took a quick look at the XG and it seemed fine, all interfaces up and I could ping outbound.

I raised a ticket with our SIP trunk provider who said that the traffic was being dropped at our gateway, I restarted the XG and calls began to work again.

Upon further investigation it seems that the IPS was triggered with rule "PROTOCOL-VOIP inbound 404 Not Found" at the time the calls stopped.  The source of the attack was our Service Proivder's router so I'm assuming this was a false-positive.

In either firewall rule I have for VoIP calls, Intrusion Prevention is turned off.

> Do I need to turn it off elsewhere/how can I stop the IPS doing that again?

> If it does it again, is there a quicker way than rebooting the device to fix the problem?

> What does "PROTOCOL-VOIP inbound 404 Not Found" mean?

Many thanks

Paul



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    Sorry for the inconvenience caused!

    The Signature which is detected by IPS engine is critical.

    PROTOCOL-VOIP inbound 404 Not Found
    12180
    protocol-voip
    1 - Critical
    Windows, Linux, Unix...
    Server
    Drop packet

    As per your observation, you have not applied any IPS policy on the firewall rule for SIP traffic.

    Would you please share screenshots of logs by navigating ti Log Viewer and check for IPS logs and check for specific IPS signature and share the screenshot.

  • 0 in reply to Keyur

    Thanks for your reply, screenshot of the log:

     

     

    Many thanks

  • 0 in reply to gr33ny

    Hi  

    Thank you for providing the screenshot, as per the screenshot the detection happened on the firewall rule number.

    Would you please verify if you have applied any IPS policy on the rule number 5 or VoIP traffic passing through from the rule id 5?

  • 0 in reply to Keyur

    Hi

    Thanks for your reply.  Rule 5 does allow IPS traffic, in fact it seems to be a default system  rule that allows all outbound traffic ("#Default_Network_Policy").

    I guess the resolution is to turn off IPS rules here as a temporary measure and ideally disable the rule and create a new rule that just allows outbound voice traffic?

    Many thanks

Reply
  • 0 in reply to Keyur

    Hi

    Thanks for your reply.  Rule 5 does allow IPS traffic, in fact it seems to be a default system  rule that allows all outbound traffic ("#Default_Network_Policy").

    I guess the resolution is to turn off IPS rules here as a temporary measure and ideally disable the rule and create a new rule that just allows outbound voice traffic?

    Many thanks

Children