Created on 08-20-2019 05:23 AM Edited on 01-21-2025 08:29 AM By Stephen_G
Description
This article explains how to enable and disable the FortiGate system session helper.
Scope
FortiGate units, all supported FortiOS versions.
Solution
As outlined in the FortiGate CLI Reference Guide, a session helper binds a service to a TCP or UDP port.
By default, session helpers are enabled so that these services are bound to their standard ports. Existing session helpers can be edited, and new ones created, with the following CLI commands on the FortiGate.
config system session-helper
edit <helper-number>
set name ?
ftp FTP.
tftp TFTP.
ras RAS.
h323 H323.
tns TNS.
mms MMS.
sip SIP.
pptp PPTP.
rtsp RTSP.
dns-udp DNS UDP.
dns-tcp DNS TCP.
pmap PMAP.
rsh RSH.
dcerpc DCERPC.
mgcp MGCP.
set port <port_number>
set protocol <protocol_number: 6 for TCP, 17 for UDP>
end
Check which session helpers are enabled on the FortiGate with the CLI command shown below. The output illustrates the default session helpers activated on a FortiGate (as of FortiOS 7.2).
FG5H0E-1 # show system session-helper
# config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
To disable a session helper, delete its table ID with the following CLI command (the `delete ?` prompt lists the IDs currently configured):
FG5H0E-1 (session-helper) # delete ?
<tableid> <----- Input an int id. 0 means the lowest available ID.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
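Because a helper is disabled by deleting its table ID, and one helper (for example rsh or dcerpc) can occupy several IDs, it helps to resolve name to IDs from the `show` output before deleting. The following Python is an added example, not Fortinet's code or part of this article: it parses the `show system session-helper` listing and builds the delete commands for every entry of a given helper name. The sample output is constructed from the listing above.

```python
import re
from typing import Dict, List

# Constructed sample in the format of `show system session-helper`
# (entries taken from the FortiOS 7.2 listing in this article).
SAMPLE_OUTPUT = """\
config system session-helper
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
    edit 15
        set name rsh
        set protocol 6
        set port 514
    next
    edit 16
        set name rsh
        set protocol 6
        set port 512
    next
end
"""


def parse_session_helpers(text: str) -> List[Dict]:
    """Parse `show system session-helper` output into table entries.

    Each entry is a dict with id, name, protocol (6=TCP, 17=UDP) and port.
    """
    helpers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^edit\s+(\d+)$", line):
            current = {"id": int(m.group(1))}
        elif (m := re.match(r"^set\s+(name|protocol|port)\s+(\S+)$", line)) and current:
            key, val = m.groups()
            current[key] = val if key == "name" else int(val)
        elif line == "next" and current is not None:
            helpers.append(current)
            current = None
    return helpers


def delete_commands(helpers: List[Dict], name: str) -> List[str]:
    """Build the CLI lines that delete every table entry for one helper name.

    Deleting the entry is how the helper is disabled (see the article).
    """
    ids = [h["id"] for h in helpers if h["name"] == name]
    if not ids:
        return []
    return ["config system session-helper", *[f"delete {i}" for i in ids], "end"]
```

Paste the real `show system session-helper` output in place of the sample; the generated lines are entered in the global context when VDOMs are enabled.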
Special Note.
How to disable a session helper with VDOMs enabled:
If VDOMs are enabled, disable the session helper from the global context, as the session helper setting is a global parameter and is not available under any particular VDOM.
FGT# config global
FGT(global)# config system session-helper
Since this is a global setting, removing or disabling a session helper globally affects all VDOMs.
There may be scenarios where one VDOM (for example, VDOM-A) needs the session helper for its FTP traffic, while another (for example, VDOM-B) needs the helper disabled so that FTP traffic passing through it is not inspected by the FTP session helper.
In these cases, the following settings can be used:
FGT# config firewall service custom
FGT(custom)# edit Helper-disable
FGT(Helper-disable)# set tcp-portrange 21
FGT(Helper-disable)# set helper disable
FGT(Helper-disable)# end
Once the custom service with the helper disabled has been created, it must be referenced in the firewall policy that allows the FTP traffic in that VDOM.