FortiGate
sgiannogloudis
Article Id 217022
Description: This article describes the changes introduced in FortiOS 7.0.0 and 7.2.0 to the default operation of FortiGate's SIP ALG.
Scope: FortiOS 7.0 and 7.2 GA releases.
Solution

Up to FortiOS 6.4, SIP traffic was proxied by the SIP ALG by default, regardless of the firewall policy inspection mode. This behavior is controlled by the following setting:

# config system settings
    set default-voip-alg-mode proxy-based * | kernel-helper-based
end

The default setting was proxy-based (marked with *).

 

Since 7.0.0, a new feature named Flow-Based SIP has been available.

This feature reduces CPU and memory usage because VoIP traffic can now be inspected by the IPS engine itself.

However, the original SIP ALG has much more advanced VoIP inspection capabilities.

After upgrading to 7.0 or 7.2, Flow-Based SIP runs by default in any firewall policy that is configured in flow inspection mode.

 

For example, a FortiGate was configured in 6.4 as:

# config system settings
    set default-voip-alg-mode proxy-based
end

# config firewall policy
    edit 1
        set name "VoIP_Policy"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set inspection-mode flow  <<<<
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end

 

After upgrading to 7.0 or 7.2, if the goal is to keep the same behavior as in 6.4 (SIP handled by the SIP ALG), the inspection mode of the firewall policy should be set to proxy:

# config firewall policy
    edit 1
        set name "VoIP_Policy"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set inspection-mode proxy <<<<
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end

 

Firewall policies that were originally configured in 6.4 with a VoIP profile attached will be switched to proxy inspection automatically during the upgrade process.
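To find the policies affected before upgrading, the following added example (not Fortinet's code) parses the "config firewall policy" block of a FortiOS configuration export and lists SIP policies in flow inspection mode with no voip-profile attached, i.e. the ones that would silently move from SIP ALG to Flow-Based SIP. The sample configuration is constructed, and the assumption that an export omits the default inspection mode (flow) is marked in the code.

```python
"""Added example (not Fortinet's code): audit a FortiOS config export for SIP
policies whose inspection path changes on upgrade to 7.0/7.2.  The parser
follows the 'config firewall policy' layout shown above; sample is constructed."""
import shlex

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "VoIP_Policy"
        set action accept
        set inspection-mode flow
        set service "SIP"
    next
    edit 2
        set name "VoIP_Profiled"
        set service "SIP" "HTTPS"
        set voip-profile "default"
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {setting: [values]}} from the firewall policy block."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1]
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, *values = shlex.split(line)  # handles quoted values
            policies[current][key] = values
        elif line == "next":
            current = None
        elif line == "end":
            break
    return policies

def policies_losing_sip_alg(config_text):
    """Policy IDs that move from SIP ALG to Flow-Based SIP after the upgrade:
    SIP service, flow inspection mode and no voip-profile attached."""
    hits = []
    for pid, s in parse_policies(config_text).items():
        # Exports omit defaults; flow is the policy default mode (assumption).
        mode = s.get("inspection-mode", ["flow"])[0]
        if "SIP" in s.get("service", []) and mode == "flow" and "voip-profile" not in s:
            hits.append(pid)
    return hits  # for SAMPLE_CONFIG returns ["1"]
```

Each reported policy is a candidate for "set inspection-mode proxy" (or for attaching a VoIP profile, which the upgrade converts automatically).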
