slautenschlager
Article Id 191762

Description

This article explains how to enable and disable the FortiGate system session helper.

Scope

FortiGate units, all supported FortiOS versions.

Solution

As outlined in the FortiGate CLI Reference Guide, a session helper binds a service to a TCP or UDP port.
By default, session helpers are activated so that these services are bound to their standard ports. Existing session helpers can be edited and new ones created with the following CLI command on the FortiGate:

config system session-helper
    edit <helper-number>
        set name ?
            ftp        FTP.
            tftp       TFTP.
            ras        RAS.
            h323       H323.
            tns        TNS.
            mms        MMS.
            sip        SIP.
            pptp       PPTP.
            rtsp       RTSP.
            dns-udp    DNS UDP.
            dns-tcp    DNS TCP.
            pmap       PMAP.
            rsh        RSH.
            dcerpc     DCERPC.
            mgcp       MGCP.
        set port <port_number>
        set protocol <protocol_number>    (6 for TCP, 17 for UDP)
    end


Check which session helpers are enabled on the FortiGate with the CLI command shown below. The output illustrates the default session helpers activated on a FortiGate running FortiOS 7.2.

FG5H0E-1 # show system session-helper
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next
    edit 5
        set name tftp
        set protocol 17
        set port 69
    next
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
    edit 7
        set name rtsp
        set protocol 6
        set port 7070
    next
    edit 8
        set name rtsp
        set protocol 6
        set port 8554
    next
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
    edit 10
        set name mms
        set protocol 6
        set port 1863
    next
    edit 11
        set name pmap
        set protocol 6
        set port 111
    next
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 15
        set name rsh
        set protocol 6
        set port 514
    next
    edit 16
        set name rsh
        set protocol 6
        set port 512
    next
    edit 17
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 18
        set name dcerpc
        set protocol 17
        set port 135
    next
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
    edit 20
        set name mgcp
        set protocol 17
        set port 2727
    next
end


To disable a session helper, simply delete its table id from within config system session-helper using the following CLI command. Note that a helper such as rtsp, rsh, pmap or dcerpc occupies several table ids (one per port or protocol), so every id for that helper has to be deleted to disable it completely. Deleting an entry affects all traffic on that port; if the helper was opening dynamic data connections for the protocol (for example, the FTP data channel), that traffic will no longer be tracked by the helper.

FG5H0E-1 (session-helper) # delete ?
<tableid>                              <----- Input an int id. 0 means the lowest available ID.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
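The following Python script is an added example and is not part of the Fortinet article or FortiOS itself. It parses the `show system session-helper` output format shown above into a table, lists which helpers are bound to which protocol and port, flags helpers that are not on an allowed list so that unneeded ones can be reviewed, and builds the `delete <id>` commands (wrapped in `config global` when VDOMs are enabled, as described in the Special Note below) needed to remove every table id belonging to one helper such as rtsp, which spans three ids. The embedded sample output is a constructed subset of the default table above, and the function and class names are the example's own.

```python
"""Parse and audit FortiOS `show system session-helper` output.

Added example (not Fortinet code). The sample output below is a
constructed subset of the FortiOS 7.2 default session-helper table.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: a subset of the default helper table from the article.
SAMPLE_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
    edit 7
        set name rtsp
        set protocol 6
        set port 7070
    next
    edit 8
        set name rtsp
        set protocol 6
        set port 8554
    next
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
end
"""

PROTO_NAMES = {6: "tcp", 17: "udp"}  # IP protocol numbers used by `set protocol`


@dataclass(frozen=True)
class SessionHelper:
    table_id: int   # the id used by `edit <n>` / `delete <n>`
    name: str       # helper name, e.g. ftp, rtsp
    protocol: int   # 6 = TCP, 17 = UDP
    port: int

    def describe(self) -> str:
        proto = PROTO_NAMES.get(self.protocol, str(self.protocol))
        return f"{self.table_id}: {self.name} {proto}/{self.port}"


def parse_session_helpers(text: str) -> List[SessionHelper]:
    """Walk the edit/set/next structure of the show output and collect entries."""
    helpers: List[SessionHelper] = []
    current: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit\s+(\d+)", line)
        if m:
            current = {"table_id": int(m.group(1))}
            continue
        m = re.fullmatch(r"set\s+(name|protocol|port)\s+(\S+)", line)
        if m and current:
            key, value = m.groups()
            current[key] = value if key == "name" else int(value)
            continue
        if line == "next" and current:
            # Only keep entries that carry all three attributes.
            if {"name", "protocol", "port"} <= current.keys():
                helpers.append(SessionHelper(current["table_id"], current["name"],
                                             current["protocol"], current["port"]))
            current = {}
    return helpers


def ids_for_helper(helpers: Iterable[SessionHelper], name: str) -> List[int]:
    """All table ids bound to one helper name (a helper may cover several ports)."""
    return [h.table_id for h in helpers if h.name == name]


def helpers_on_port(helpers: Iterable[SessionHelper], protocol: int, port: int) -> List[SessionHelper]:
    """Which helpers are bound to a given protocol/port pair."""
    return [h for h in helpers if h.protocol == protocol and h.port == port]


def audit(helpers: Iterable[SessionHelper], allowed: set) -> List[SessionHelper]:
    """Helpers active on the unit that are not on the allowed list: review candidates."""
    return [h for h in helpers if h.name not in allowed]


def delete_commands(helpers: Iterable[SessionHelper], name: str, vdoms_enabled: bool = False) -> str:
    """Build the CLI block that removes every table id of one helper."""
    ids = ids_for_helper(helpers, name)
    if not ids:
        return ""
    lines = ["config system session-helper"]
    lines += [f"    delete {i}" for i in ids]
    lines.append("end")
    if vdoms_enabled:
        # Session helpers are a global setting, so enter the table from config global.
        lines = ["config global"] + lines + ["end"]
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_session_helpers(SAMPLE_OUTPUT)
    for h in table:
        print(h.describe())
    print(delete_commands(table, "rtsp", vdoms_enabled=True))
```

Run it against the full output of `show system session-helper` captured from a FortiGate to list the active helpers; `audit` takes the set of helper names that are actually required in the environment and returns the rest, and `delete_commands` prints the block to paste into the CLI once the list has been reviewed.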


Special Note.
How to disable a session helper with VDOMs enabled:

If VDOMs are enabled, disable the session helper from the global configuration, because the session helper setting is a global parameter and is not available inside any particular VDOM.


FGT # config global
FGT (global) # config system session-helper


Since this is a global setting, removing or disabling a session helper globally affects all VDOMs.

There may be scenarios where one VDOM (for example, VDOM-A) needs the session helper for its FTP traffic, while another (for example, VDOM-B) needs the helper disabled so that FTP traffic passing through it is not inspected by the FTP session helper.

In these cases, the following settings can be used:


FGT # config firewall service custom
FGT (custom) # edit Helper-disable
FGT (Helper-disable) # set tcp-portrange 21
FGT (Helper-disable) # set helper disable
FGT (Helper-disable) # end


Once this custom service with the helper set to disable has been created, it has to be referenced as the service in the firewall policy of that VDOM which allows the FTP traffic; the session helper then stays active for the other VDOMs, whose policies keep using the standard FTP service.

Related Articles:

Troubleshooting Tip: FortiGate session table information

Technical Tip: Disabling VoIP Inspection