Created on 03-27-2015 03:01 PM Edited on 12-04-2024 11:29 PM By Jean-Philippe_P
Description
This article describes how to disable SIP-inspection on FortiGate and explains the consequences.
Fortinet recommends the use of SIP/SCCP proxy/ALG (called SIP-ALG even though it does not handle only SIP traffic) in most situations.
The alternative in FortiGate, SIP-helper, is a legacy solution that provides a very basic pinhole opening service.
In some cases, other vendors recommend disabling the SIP inspection altogether on the FortiGate (carefully note the date and FortiGate model of the articles, which may be outdated).
Disabling the VoIP inspection may influence the production systems. Re-enabling SIP-ALG will require a restart.
Disabling SIP-ALG is not the first Troubleshooting action to take.
Scope
Any supported version of FortiGate.
Solution
The use of an Application Layer Gateway (ALG) allows for:
For more details on the benefits of the SIP ALG in FortiOS, as well as information on how to troubleshoot SIP issues, consult the additional articles linked at the end of this article.
Disabling the SIP-ALG should only be done for troubleshooting (to isolate a problem).
SIP ALG allows multiple options to configure and address incorrect FortiGate SIP ALG behavior, or to allow non-standard SIP handling in the overall VoIP deployment. These options are present below and must be considered before disabling SIP-ALG.
Since FortiOS 5.2, the FortiOS proxy/ALG handles all SIP traffic by default.
In FortiOS 5.0, if the VoIP profile is not applied, the SIP session helper will be applied.
The following diagram shows a general SIP call flow over FortiGate:
Disabling all VOIP inspection on the FortiGate prevents it from opening the RTP session and therefore has no audio.
When NAT is involved, FortiGate must use one of the three options above.
Preparation:
Before disabling SIP ALG & SIP session-helper functionality, these two steps are required:
Note 1:
When a firewall policy has a voip-profile applied, SIP-ALG is used over the SIP session-helper, even if disabled. However, if the SIP config under the VOIP profile is set to disable then in such a case, session helper will be used irrespective of ALG config.
Note 2:
Disabling the SIP session-helper is only necessary if ALL the SIP inspection must be removed.
The commands associated with the SIP-helper will not be relevant if the FortiGate is using SIP-ALG. Fine-tuning SIP-ALG is done through the VoIP profile.
Note 3:
Multi-VDOM considerations: sip-helper is a global setting. Deleting sip-helper from a global context will make it inaccessible for all VDOMs. SIP-ALG is enabled (by default) and can be disabled per VDOM.
Follow the steps below to disable the SIP session-helper:
config system session-helper
show
A similar setting to the following will appear among the displayed settings:
edit 13
set name sip
set protocol 17
set port 5060
next
end
Here, entry 13 points to SIP traffic, which uses UDP port 5060 for signaling.
In this example, run the following commands to remove the corresponding entry:
delete 13
end
Note that it is not necessary for the SIP entry to be 13. Cross-verify which entry has the SIP helper settings.
config system settings
set default-voip-alg-mode proxy-based (default value).
end
Run the following command to instruct the FortiGate to disable SIP-ALG (proxy-based) and use SIP-helper (kernel-helper-based):
config system settings
set default-voip-alg-mode kernel-helper-based
end
Note 1:
The command 'set sip-helper enable | disable' is not designed to enable | disable sip-helper. Instead, the purpose of the command is to control whether or not the pinhole is created in order to decrease the number of pinholes, as explained in the command-help:
'Enable/disable helper to add dynamic SIP firewall allow rule' // 'Enable/disable the SIP kernel session helper to create an expectation for port 5060.'
(Since version 6.2.2 the CLI command is different: set sip-expectation disable).
Note 2:
The command 'sip-nat-trace enable | disable' is not designed to enable | disable sip-helper. This command is in effect ONLY when SIP session-helper is used (ONLY when 'set default-voip-alg-mode kernel-helper-based' AND 'SIP session helper is present/not deleted'). As the command-help says: 'Enable/disable recording the original SIP source IP address when NAT is used'.
By disabling RTP handling on the FortiGate, the device only manages SIP signaling and no longer monitors or modifies RTP streams. This means the media traffic (RTP) bypasses the FortiGate entirely, reducing the potential for issues related to NAT, firewalling, or packet inspection by the FortiGate.
To configure RTP bypass on a FortiGate, the following commands need to be executed:
config voip profile
edit default
config sip
set rtp disable
end
end
Either clear sessions or reboot the FortiGate to ensure changes take effect:
diagnose sys session filter dport 5060
The command to clear the sessions applies to ALL sessions unless a filter (like above) is applied, and therefore will interrupt all traffic.
diagnose sys session clear
execute reboot
Note:
It is also possible to disable SIP-ALG from the VoIP profile if needed (for example, when SCCP and SIP are both transiting the firewall and SCCP works ok).
In this case, the SIP traffic will be handled by the SIP-helper even if the default-voip-alg-mode is set to proxy-based:
This allows SCCP to be handled by SIP-ALG and SIP by sip session-helper
config voip profile
edit default
config sip
set status disable
end
end
end
Disabling SIP session helper with VDOMs enabled.
If VDOMs are enabled, disable the session helper from global as the session helper setting is a global parameter, and is not available under any particular VDOM. Since this is a global setting, removing or disabling the session-helper globally affects all the VDOMs.
config global
(global)# config system session-helper
There might be scenarios where a particular VDOM (VDOM-A, for example) has to use the session-helper settings for the SIP traffic processing, and VDOM-B needs to have the session-helper disabled so that SIP traffic passing through VDOM-B is not inspected by the SIP session-helper.
In these or similar cases, use the following settings:
config firewall service custom
(custom) edit SIP-Helper-disable
(Helper-disable) set udp-portrange 5060
(Helper-disable) set helper disable
(Helper-disable) next
Once the above custom service with the helper set to disabled has been created, the same has to be called in the corresponding policy which allows the SIP traffic.
This will ensure that the firewall does not process the SIP traffic provided the traffic hits the corresponding policy where the customer service named Helper-disable is applied.
As proved by some isolated cases, this last method is not the best approach, as the sip-helper may be triggered by the traffic, even when the session-helper is disabled per service SIP-Helper-disable.
Note:
It is necessary to clear all of the sessions for port 5060 (clearing 5060 sessions will drop all of the active calls passing through FortiGate).
diag sys session filter clear
diag sys session filter dport 5060
diag sys session clear
diag sys session filter clear
diag sys session filter sport 5060
diag sys session clear
Related documents:
Technical Tip: Most common cases of SIP implementation
Troubleshooting Tip: FortiGate session table information
Technical Tip: VOIP calls (using SIP)
Technical Tip: SIP useful Commands
Technical Tip: Enabling the SIP Application Layer Gateway (ALG)
Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG
Technical Tip: How to use the SIP ALG to prevent unwanted calls
SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2
Technical Tip: How to apply VoIP profile to policy where no SIP inspection is required
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.