FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sgiannogloudis
Description This article describes the changes which were introduced in 7.0.0 and 7.2.0 in regards to the default operation on FortiGate's SIP ALG.
Scope FortiOS 7.0 and 7.2 GA releases.
Solution

Up to 6.4 FortiOS versions, by default and regardless of the firewall policy inspection mode, SIP traffic was proxied by SIP ALG and this can be determined with the below setting:

 

# config system settings

set default-voip-alg-mode proxy-based * | kernel-helper-based

end

 

The default setting was proxy-based.

 

Since 7.0.0, a new feature named Flow-Based SIP was introduced.

 

The particular feature brings optimization to CPU and memory because the VoIP traffic could now be inspected by the IPS engine itself.

 

However, the original SIP ALG has much more advanced capabilities for VoIP inspection.

 

After upgrading to 7.0 or 7.2, Flow-Based SIP will now run by default in a firewall policy which is configured as flow inspection mode.

 

For example, a Fortigate was configured in 6.4 as:

 

# config system settings

set default-voip-alg-mode proxy-based 

end

 

# config firewall policy

edit 1

set name "VoIP_Policy"
set srcintf "internal1"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept

set inspection-mode flow  <<<<
set schedule "always"
set service "SIP"
set nat enable

end

 

After upgrading to 7.0. or 7.2, if the goal is to maintain the same behavior as 6.4, then the inspection mode of the firewall policy should be configured as proxy-based.

 

# config firewall policy

edit 1

set name "VoIP_Policy"
set srcintf "internal1"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept

set inspection-mode proxy <<<<
set schedule "always"
set service "SIP"
set nat enable

end

 

For firewall policies which were originally configured [in 6.4] with a VoIP profile attached to them, they will automatically be switched to proxy inspection during the upgrade process.

Contributors