slautenschlager

Description
This article explains how to enable and disable the FortiGate system session helper.

Scope
FortiGate units, running FortiOS versions 5.4, 5.6, 6.0 and 6.2
Solution
As outlined in the FortiGate CLI Reference Guide, a session helper binds a service to a TCP or UDP port.
By default, session helpers are activated to allow these services to be bound to standard ports. Existing session helpers can be edited and new ones created using the following CLI command on the FortiGate.

# config system session-helper
    edit <helper-number>
        set name ?

ftp        FTP.
tftp       TFTP.
ras        RAS.
h323       H323.
tns        TNS.
mms        MMS.
sip        SIP.
pptp       PPTP.
rtsp       RTSP.
dns-udp    DNS UDP.
dns-tcp    DNS TCP.
pmap       PMAP.
rsh        RSH.
dcerpc     DCERPC.
mgcp       MGCP.

        set port <port_number>
        set protocol <protocol_number>         <----- 6 for TCP, 17 for UDP
    end


Check which session helpers are enabled on the FortiGate with the CLI command shown below. The output illustrates the default session helpers activated on the FortiGate (as per FortiOS 4.0 MR2).

FG5H0E-1 # show system session-helper
# config system session-helper

    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next
    [... entries 4-18 omitted: tns, tftp, rtsp, ftp, mms, pmap, sip, dns-udp, rsh, dcerpc; these session helpers are enabled by default in positions 4-18 ...]
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
    edit 20
        set name mgcp
        set port 2727
        set protocol 17
    next
end

To disable a session helper, delete its table ID under the session-helper configuration with the following CLI command:

FG5H0E-1  (session-helper) # delete ?
<tableid>                              <----- Input an int id. 0 means the lowest available ID.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
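As an added example (not part of the original article or Fortinet's own tooling), the following Python script parses the `show system session-helper` output format shown above into a list of enabled helpers and builds the `delete <tableid>` commands needed to disable every entry with a given name. The sample output embedded in the script is constructed from the page's entries and shortened; the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `show system session-helper` output, in the format the
# FortiGate prints, shortened to three entries (not a real device capture).
SAMPLE_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
end
"""

# Protocol numbers used by `set protocol` (6 = TCP, 17 = UDP).
PROTO = {"6": "tcp", "17": "udp"}


def parse_session_helpers(text: str) -> List[Dict[str, str]]:
    """Parse a `config system session-helper` block into one dict per `edit` entry.
    Each dict carries the table id plus every `set` key/value, and a `proto` name."""
    helpers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"id": m.group(1)}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(maxsplit=2)
            current[key] = value
        elif line == "next" and current is not None:
            current["proto"] = PROTO.get(current.get("protocol", ""), "unknown")
            helpers.append(current)
            current = None
    return helpers


def disable_commands(helpers: List[Dict[str, str]], name: str) -> List[str]:
    """Return the CLI lines that delete every helper entry named `name`
    (the procedure above: delete the entry's table id; empty list if none match)."""
    ids = [h["id"] for h in helpers if h.get("name") == name]
    if not ids:
        return []
    return ["config system session-helper"] + [f"delete {i}" for i in ids] + ["end"]
```

Feed it the captured output of `show system session-helper` from your own unit to audit which helpers (and ports) are active before deleting any of them.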


Special Note: how to disable a session helper with VDOMs enabled

If VDOMs are enabled, disable the session helper from the global context: the session helper setting is a global parameter and is not available under any particular VDOM.

FGT# config global
FGT(global)# config system session-helper

Since this is a global setting, removing or disabling the session-helper globally affects all the VDOMs.

There might be scenarios where one VDOM (say VDOM-A) needs the FTP session helper for its FTP traffic, while another (VDOM-B) needs the helper disabled so that FTP traffic passing through VDOM-B is not inspected by the FTP session helper.

In such cases, the following configuration can be used:

FGT# config firewall service custom
FGT(custom)#edit Helper-disable
FGT(Helper-disable)# set tcp-portrange 21
FGT(Helper-disable)# set helper disable
FGT(Helper-disable)# end

Once the custom service with the helper set to disabled has been created, it must be referenced in the corresponding firewall policy that allows the FTP traffic.

Related Articles

Troubleshooting Tip: FortiGate session table information

Technical Tip: Disabling VoIP Inspection
