Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual page 141

Copyright © 2010, Juniper Networks, Inc.
You can configure the following types of inactivity timeouts that determine the lifetime of a group:

- Signaling Inactivity Timeout—This parameter indicates the maximum length of time (in seconds) a call can remain active without any SIP signaling traffic. Each time a SIP signaling message occurs within a call, this timeout resets. The default setting is 43,200 seconds (12 hours).
- Media Inactivity Timeout—This parameter indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. The default setting is 120 seconds.

If either of these timeouts expires, the security device removes all sessions for this call from its table, thus terminating the call.

Select any of the appropriate check boxes to pass messages that cannot be decoded by the device in either Route mode or NAT mode:

- Pass nonparsable packets in Route mode
- Pass nonparsable packets in NAT mode

Configuring SIP Firewall Features

Multiple SIP INVITE requests can overwhelm a SIP proxy server. You can configure the security device to monitor INVITE requests (and the proxy server replies) to protect SIP proxy servers.

- SIP Attack Protection—To drop multiple, identical SIP INVITE messages, configure SIP Attack Protection and enter the number of seconds for which you want to drop similar packets. If a SIP proxy server reply contains a 3xx, 4xx, or 5xx response code, the ALG stores the source IP address of the request and the IP address of the proxy server in a table. The security device checks all INVITE requests against this table and discards matching packets for the specified number of seconds.
- Destination IP Server Protection—To protect a specific SIP proxy server from multiple identical SIP INVITE requests, configure Destination IP Server Protection for a specific IP address and netmask.
  - If you do not specify a SIP proxy server, SIP Attack Protection monitors all SIP traffic for multiple identical SIP INVITE messages.
  - If you do specify a SIP proxy server, SIP Attack Protection monitors only SIP traffic destined for the specified SIP proxy server.
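
The following model of the deny table described above is an added example, not code from the manual or from ScreenOS. The names `SipDenyTable` and `replay` are hypothetical, and matching on the address pair alone with a fixed expiry per entry is an assumption drawn from the description; the sample events are constructed and use documentation address ranges.

```python
import ipaddress

class SipDenyTable:
    """Model of the ALG table: (request source IP, proxy IP) -> expiry time."""

    def __init__(self, deny_seconds, protected_net=None):
        self.deny_seconds = deny_seconds
        # None models "no Destination IP Server Protection": all SIP traffic is monitored.
        self.protected = ipaddress.ip_network(protected_net) if protected_net else None
        self.entries = {}

    def _monitored(self, proxy_ip):
        return self.protected is None or ipaddress.ip_address(proxy_ip) in self.protected

    def on_proxy_reply(self, now, src_ip, proxy_ip, status):
        """Store the pair when the proxy reply carries a 3xx, 4xx or 5xx code."""
        if self._monitored(proxy_ip) and 300 <= status <= 599:
            self.entries[(src_ip, proxy_ip)] = now + self.deny_seconds

    def on_invite(self, now, src_ip, proxy_ip):
        """Return 'drop' while a matching entry is live, otherwise 'pass'."""
        key = (src_ip, proxy_ip)
        if self.entries.get(key, 0) > now:
            return "drop"
        self.entries.pop(key, None)  # entry expired or never existed
        return "pass"

def replay(events, deny_seconds, protected_net=None):
    table = SipDenyTable(deny_seconds, protected_net)
    verdicts = []
    for ev in events:
        if ev[1] == "INVITE":
            verdicts.append(table.on_invite(ev[0], ev[2], ev[3]))
        else:
            table.on_proxy_reply(ev[0], ev[2], ev[3], ev[4])
    return verdicts

# Constructed sample: (time_s, kind, src_ip, proxy_ip[, status])
SAMPLE = [
    (0, "INVITE", "192.0.2.10", "198.51.100.5"),
    (1, "REPLY", "192.0.2.10", "198.51.100.5", 486),
    (2, "INVITE", "192.0.2.10", "198.51.100.5"),   # same pair, inside the window
    (3, "INVITE", "192.0.2.20", "198.51.100.5"),   # different source
    (4, "INVITE", "192.0.2.10", "203.0.113.7"),    # different proxy
    (7, "INVITE", "192.0.2.10", "198.51.100.5"),   # window has expired
]

if __name__ == "__main__":
    print(replay(SAMPLE, deny_seconds=5))
```

Replaying the same events with `protected_net="203.0.113.0/24"` passes every INVITE, because the failed reply came from a proxy outside the protected range and is never recorded.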

For a more detailed explanation of configuring SIP on security devices, see the "Fundamentals" volume in the Concepts & Examples ScreenOS Reference Guide.

Related Documentation

- Configuring Timeouts for Predefined Services (NSM Procedure) on page 115
- Configuring MGCP Settings on page 118
- Configuring Session Cache for Predefined Services (NSM Procedure) on page 115

Chapter 4: Advanced Network Settings