Define Strict Classification Rules
Classification rules are used to identify incoming SIP dialog-initiating requests (e.g., INVITE messages) and bond them to IP Groups. In other words, these rules identify the source of the call. Once the source IP Group is identified, the traffic can then be routed to its destination according to IP-to-IP routing rules.
When defining Classification rules, adhere to the following recommendations:
■ For Server-type IP Groups, use Classification rules only if the IP address of the IP Group is known. If known, include the IP address in the Classification rule ('Source IP Address' parameter). In addition, to increase classification strictness, configure SIP message characteristics in the rule as well.
■ It's recommended to enable the 'Validate Source IP' parameter in the IP Groups table. This setting verifies that the incoming dialog was sent from one of the IP addresses (including DNS-resolved IP addresses) of the Proxy Set associated with the classified IP Group (see Validate Source IP Address of Incoming SIP Dialog Requests). IP address validation is also typically needed when multiple IP Groups are assigned to the same Proxy Set, and Classification rules are therefore necessary to produce the desired mapping (classification) of the incoming SIP dialogs to the different IP Groups.
■ For Server-type IP Groups whose IP addresses are known, it's recommended to also configure VoIP firewall rules (see Block Unused Network Ports).
■ Use strict Classification rules over vague ones so that all other potentially malicious SIP traffic is rejected. In other words, configure the rule with as much information as possible that accurately characterizes the incoming SIP dialog (e.g., source and destination host name).
■ Define a range for the source and destination prefix numbers.
■ Define a combination of Classification rules to guarantee correct and accurate identification of the sender of the call.
■ Use Message Condition rules to increase the strictness of the Classification process. Message Condition rules enhance the process of classifying incoming SIP dialogs to an IP Group. When a Classification rule is associated with a Message Condition rule, the Classification rule is used only if its associated Message Condition rule is matched. Message Condition rules are SIP message conditions based on the same syntax used in the Message Manipulations table. You can define complex rules using the "AND" or "OR" Boolean operators. You can also use regular expressions (regex) as Message Condition rules, for example:
  ● "body.sdp regex pcmu" can be used to enable routing based on the offered codec (G.711 Mu) in the incoming SDP message
  ● "body.sdp regex (AVP[0-9||\s]*\s8[\s||\n])" can be used to enable routing based on payload type 8 in the incoming SDP message
To implement message conditions:
a. Configure a Message Condition rule in the Message Conditions table (Setup menu > Signaling & Media tab > Message Manipulation folder > Message Conditions). The following figure shows a Message Condition rule example for P-Asserted-Identity headers that contain "abc":
   [Figure: Configured Message Condition Rule in Message Conditions Table]
b. Assign the Message Condition rule to the Classification rule in the Classification table, using the 'Message Condition' parameter:
   [Figure: Assigned Message Condition Rule in Classification Table]
Classification rules are configured in the Classification table (Setup menu > Signaling & Media tab > SBC folder > Classification). The following figure shows an example of two Classification rules:
[Figure: Configured Classification Rules in Classification Table]
■ Index 0 "ITSP": Classifies received calls to Server-type IP Group "ITSP" if they have the following incoming matching characteristics:
  ● 'Source IP Address': 10.15.7.96
  ● 'Source Username Prefix': 2 through 4
  ● 'Source Host': domain.com
  ● 'Destination Username Prefix': 1 through 7
  ● 'Message Condition': SIP message with P-Asserted-Identity header containing "abc" (Message Condition rule described previously in this section)
■ Index 2 "Deny": Denies calls that cannot be classified (unknown calls).
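The two rules above can be modelled offline to check which requests a strict rule set admits before it is deployed. This is an added example, not vendor code or device configuration; the names Invite, Rule, classify and pai_contains_abc are hypothetical, the sample requests are constructed, and top-down first-match evaluation is an assumption of the model.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Invite:  # constructed stand-in for the INVITE fields the rules inspect
    src_ip: str
    src_user: str   # user part of the source URI
    src_host: str   # host part of the source URI
    dst_user: str   # user part of the destination URI
    headers: dict = field(default_factory=dict)

@dataclass
class Rule:
    name: str
    action: str                             # "Allow" or "Deny"
    ip_group: Optional[str] = None
    src_ip: Optional[str] = None            # None models an unset field ("any")
    src_user_prefix: Optional[str] = None   # digit range written as a regex class
    src_host: Optional[str] = None
    dst_user_prefix: Optional[str] = None
    condition: Optional[Callable[[Invite], bool]] = None

    def matches(self, m: Invite) -> bool:   # every configured field must match
        return all([
            self.src_ip is None or m.src_ip == self.src_ip,
            self.src_user_prefix is None or bool(re.match(self.src_user_prefix, m.src_user)),
            self.src_host is None or m.src_host.lower() == self.src_host,
            self.dst_user_prefix is None or bool(re.match(self.dst_user_prefix, m.dst_user)),
            self.condition is None or self.condition(m),
        ])

def pai_contains_abc(m: Invite) -> bool:    # models the Message Condition rule
    return "abc" in m.headers.get("P-Asserted-Identity", "")

RULES = [  # Index 0 "ITSP" and the catch-all "Deny" rule from the example above
    Rule("ITSP", "Allow", "ITSP", "10.15.7.96", "[2-4]", "domain.com", "[1-7]", pai_contains_abc),
    Rule("Deny", "Deny"),
]

def classify(m: Invite, rules=RULES):
    # Assumption of this model: rules are evaluated top-down, first match wins.
    for r in rules:
        if r.matches(m):
            return r.action, r.ip_group
    return "Deny", None

# Constructed sample requests (not captured traffic).
GOOD = Invite("10.15.7.96", "2001", "domain.com", "5550100", {"P-Asserted-Identity": "<sip:abc@domain.com>"})
NO_PAI = Invite("10.15.7.96", "2001", "domain.com", "5550100")
```

GOOD is classified to "ITSP", while NO_PAI, which has the expected source address but lacks the P-Asserted-Identity value, falls through to the Deny rule.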