H.323-ALG: Denied Codecs
You can use the H.323-ALG Denied Codecs feature to specify one or more VoIP voice, video, or data transmission codecs to deny on your network. When an H.323 VoIP connection is opened that uses a codec specified in this list, your Firebox reads the value from the H.323 header in the "a=rtpmap" field and strips the codec information from the connection negotiation.
The Denied Codecs list is empty by default. We recommend that you add a codec to this list if the codec:
- Consumes too much bandwidth and causes excessive data usage across trunks or between network elements
- Presents a security risk
- Is necessary for your VoIP solution to operate correctly
For example, you might choose to deny the G.711 or G.726 codecs because they use more than 32 Kb/sec of bandwidth, or you might choose to deny the Speex codec because it is used by an unauthorized VoIP application.
For a list of codecs and the name or text pattern associated with each codec, see http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xml. When you add a codec to the Denied Codecs list, make sure to specify the value in the Encoding Name column for that codec.
To configure the denied codecs settings for an H.323-ALG:
- In the H.323-ALG proxy action configuration, select Denied Codecs.
  Screenshot: H.323-ALG proxy action denied codecs configuration in Policy Manager
- To add a codec to the list, in the Denied Codecs text box, type the codec name or unique text pattern.
  Do not use wildcard characters or regular expression syntax. Codec patterns are case sensitive.
- Click Add.
- To delete a codec from the list, select the codec and click Remove.
- To create a log message when your Firebox strips the codec information from H.323 traffic that matches a codec in this list, select the Log each transaction that matches a denied codec pattern check box.
- Click Save.
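Because entries are case sensitive, cannot use wildcards, and should match the IANA Encoding Name column, it helps to check a proposed list before you type it in. The following is an added example, not WatchGuard code: the function names are hypothetical, the registry set is a constructed subset of the IANA list, and it does not model how the Firebox itself matches patterns.

```python
"""Lint proposed Denied Codecs entries before adding them to the proxy action."""

# Constructed subset of the IANA "Encoding Name" column; refresh it from the
# registry linked above before relying on it.
IANA_ENCODING_NAMES = {
    "PCMU", "PCMA", "G722", "G726-16", "G726-24", "G726-32", "G726-40",
    "G729", "GSM", "iLBC", "speex", "opus", "H263", "H264",
}

# Assumption: characters treated here as wildcard or regular-expression syntax.
PATTERN_SYNTAX = set("*?[](){}|^$+\\")


def lint_entry(entry, registry=IANA_ENCODING_NAMES):
    """Return a list of findings for one proposed entry (empty list = clean)."""
    if not entry or entry != entry.strip():
        return ["empty or has leading/trailing whitespace"]
    findings = []
    bad = sorted(set(entry) & PATTERN_SYNTAX)
    if bad:
        findings.append("wildcard/regex characters not allowed: " + " ".join(bad))
    if entry in registry:
        return findings
    by_case = {name.lower(): name for name in registry}
    if entry.lower() in by_case:
        # Patterns are case sensitive, so a wrong-case entry is worth flagging.
        findings.append(f"case mismatch: registry spells it {by_case[entry.lower()]!r}")
    else:
        findings.append("not an exact Encoding Name in the sample registry; "
                        "confirm it is an intended text pattern")
    return findings


def lint_list(entries):
    """Lint every entry and flag duplicates; returns {entry: findings}."""
    report, seen = {}, set()
    for entry in entries:
        findings = lint_entry(entry)
        if entry in seen:
            findings.append("duplicate entry")
        seen.add(entry)
        report[entry] = findings
    return report


if __name__ == "__main__":
    # Constructed sample of entries an administrator might propose.
    sample = ["PCMU", "G726-32", "Speex", "G726*", "G.711"]
    for entry, findings in lint_list(sample).items():
        print(f"{entry!r}: {'ok' if not findings else '; '.join(findings)}")
```

In the sample, `G.711` is flagged because the registry lists that codec under the encoding names `PCMU` and `PCMA`, and `Speex` is flagged because the registry spells it `speex`.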