Author: sgiannogloudis
Article Id: 217022

Description: This article describes the changes introduced in v7.0.0 and v7.2.0 to the default operation of the FortiGate SIP ALG.
Scope: FortiOS v7.0 and v7.2 GA releases.
Solution

In FortiOS versions up to v6.4, SIP traffic was proxied by the SIP ALG by default, regardless of the firewall policy inspection mode. This is controlled by the following setting (the asterisk marks the default):

config system settings
    set default-voip-alg-mode proxy-based * | kernel-helper-based
end

The default setting was proxy-based.

 

Since v7.0.0, a new feature named Flow-Based SIP has been available.

This feature reduces CPU and memory usage because VoIP traffic can now be inspected by the IPS engine itself.

However, the original SIP ALG has much more advanced capabilities for VoIP inspection.

After upgrading to v7.0.1+ or v7.2, Flow-Based SIP runs by default in any firewall policy that is configured in flow inspection mode. The following table shows the effective inspection mode of a firewall policy after the upgrade, depending on the pre-7.0 configuration.

Pre-7.0 config                                                    | After upgrade to 7.0.0 | After upgrade to 7.0.1+
default-voip-alg-mode | voip-profile | policy inspection-mode     | policy inspection-mode | policy inspection-mode
----------------------+--------------+----------------------------+------------------------+------------------------
kernel                | <profile>    | proxy                      | proxy                  | proxy
kernel                | <profile>    | flow                       | proxy                  | proxy
kernel                | none         | proxy                      | proxy                  | proxy
kernel                | none         | flow                       | flow                   | flow
proxy                 | <profile>    | proxy                      | proxy                  | proxy
proxy                 | <profile>    | flow                       | proxy                  | proxy
proxy                 | none         | proxy                      | proxy                  | proxy
proxy                 | none         | flow                       | proxy                  | flow

For example, a FortiGate was configured in v6.4 as:

config system settings
    set default-voip-alg-mode proxy-based
end

config firewall policy
    edit 1
        set name "VoIP_Policy"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set inspection-mode flow
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end

 

After upgrading to v7.0.1+ or v7.2, this policy is in flow inspection mode and its SIP traffic is therefore handled by Flow-Based SIP instead of the SIP ALG. If the goal is to keep the same behavior as in v6.4, the inspection mode of the firewall policy should be set to proxy-based:

config firewall policy
    edit 1
        set name "VoIP_Policy"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set inspection-mode proxy
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end

Firewall policies that were originally configured (in v6.4) with a VoIP profile attached are switched to proxy inspection automatically during the upgrade process.
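As an added example (not Fortinet's code and not part of the original article), the following Python script applies the upgrade table above to a FortiOS 6.4 configuration backup and lists the firewall policies whose SIP traffic would stop being proxied by the SIP ALG after an upgrade to 7.0.1+ or 7.2, so they can be reviewed before the upgrade. The embedded configuration text, its policy names and the assumption that settings omitted from a backup are at their FortiOS defaults (default-voip-alg-mode proxy-based, policy inspection-mode flow) are constructed for this example.

```python
"""Pre-upgrade audit of a FortiOS 6.4 configuration backup for SIP ALG changes."""
from dataclasses import dataclass

# Constructed sample resembling a FortiOS 6.4 backup; not a real device export.
SAMPLE_CONFIG = """\
config system settings
    set default-voip-alg-mode proxy-based
end
config firewall policy
    edit 1
        set name "VoIP_Policy"
        set srcintf "internal1"
        set dstintf "wan1"
        set inspection-mode flow
        set service "SIP"
    next
    edit 2
        set name "VoIP_Proxy_Policy"
        set inspection-mode proxy
        set voip-profile "default"
    next
    edit 3
        set name "VoIP_Profile_Flow"
        set inspection-mode flow
        set voip-profile "default"
    next
end
"""


@dataclass
class Policy:
    id: str
    name: str
    inspection_mode: str   # "flow" or "proxy"
    voip_profile: str      # "none" when no VoIP profile is attached


def parse_config(text):
    """Minimal parser for the two config sections the audit needs.

    Assumption: a backup omits settings at their default, so a missing
    default-voip-alg-mode means proxy-based and a missing inspection-mode
    means flow. Nested sub-tables inside a policy are not handled.
    """
    default_mode = "proxy-based"
    policies, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = None
        elif section == "firewall policy" and line.startswith("edit "):
            current = {"id": line.split(None, 1)[1].strip('"'), "name": "",
                       "inspection-mode": "flow", "voip-profile": "none"}
        elif section == "firewall policy" and line == "next":
            policies.append(Policy(current["id"], current["name"],
                                   current["inspection-mode"],
                                   current["voip-profile"]))
            current = None
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            value = value.strip().strip('"')
            if section == "system settings" and key == "default-voip-alg-mode":
                default_mode = value
            elif current is not None:
                current[key] = value
    return default_mode, policies


def predict_inspection_mode(default_mode, policy):
    """Effective policy inspection-mode after upgrading to (7.0.0, 7.0.1+),
    following the article's table row by row."""
    if policy.inspection_mode == "proxy":
        return "proxy", "proxy"
    if policy.voip_profile != "none":          # attached VoIP profile forces proxy
        return "proxy", "proxy"
    if default_mode == "kernel-helper-based":  # kernel helper: flow stays flow
        return "flow", "flow"
    return "proxy", "flow"                     # proxy-based ALG + flow policy


def audit(text):
    """Return (default_mode, findings); each finding is
    (policy id, name, mode after 7.0.0, mode after 7.0.1+) for a policy
    that loses SIP ALG handling on 7.0.1+/7.2."""
    default_mode, policies = parse_config(text)
    findings = []
    for p in policies:
        after_700, after_701 = predict_inspection_mode(default_mode, p)
        # In 6.4 with proxy-based mode the ALG proxies SIP in every policy;
        # after 7.0.1+ only proxy-mode policies keep the ALG.
        if default_mode == "proxy-based" and after_701 != "proxy":
            findings.append((p.id, p.name, after_700, after_701))
    return default_mode, findings


if __name__ == "__main__":
    mode, hits = audit(SAMPLE_CONFIG)
    print(f"default-voip-alg-mode: {mode}")
    for pid, name, m700, m701 in hits:
        print(f"policy {pid} ({name}): 7.0.0 -> {m700}, 7.0.1+ -> {m701}; "
              "set inspection-mode proxy to keep the SIP ALG")
```

Run against a real backup by replacing SAMPLE_CONFIG with the file contents; only policy 1 in the sample is reported, because policy 2 is already proxy-based and policy 3 has a VoIP profile and is switched to proxy by the upgrade itself.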

 
