Description
Fortinet recommends disabling the SIP session helper (Layer 4) and using the SIP Application Layer Gateway (ALG) (Layer 7) instead.
Currently supported FortiOS versions have SIP ALG enabled by default.
If SIP ALG was disabled on a recent firmware, it can be re-enabled with:
# config system settings
set default-voip-alg-mode proxy-based
end
The remainder of this article is intended for older FortiOS firmware, though similar steps apply to newer versions.
Solution
Until FortiOS 5.0, session-helper was the default SIP inspection mechanism.
Starting with FortiOS 5.2, SIP-ALG is enabled by default.
It is not necessary to apply a VoIP profile to a firewall policy for SIP ALG to be used: when SIP traffic is detected, FortiGate applies the 'default' VoIP profile.
The default VoIP profile can be modified from its default settings.
For example, disabling SIP in the default profile ('set status disable'; 'enable' restores ALG inspection) makes FortiGate fall back to the SIP session helper for SIP, while SCCP and other voice traffic stay under SIP ALG inspection:
# config voip profile
edit default
# config sip
set status enable/disable
end
next
end
The procedure to enable the SIP ALG (VoIP profile) on FortiOS versions before 5.2:
1) Check the session-helper number:
FGT# show system session-helper
edit 12 [*]
set name sip
set port 5060
set protocol 17
next
[*] Use this ID for the next step
2) Remove this session-helper:
FGT# config system session-helper
FGT#(session-helper) delete 12
FGT#(session-helper) end
3) Reboot the FortiGate for the above change to take effect.
4) Enable the VoIP feature in the web GUI under System -> Config -> Features.
5) Create a VoIP Profile with SIP enabled:
Note:
The instructions below apply to FortiOS firmware versions 4.0 to 5.2.
Enter the following commands to create a VoIP profile for SIP that limits REGISTER and INVITE requests to 100 requests per second per firewall policy (the values are given as an example):
# config voip profile
edit "test"
# config sip
set register-rate 100
set invite-rate 100
set block-long-lines disable
set block-unknown disable
end
next
end
6) Apply this VoIP profile to the appropriate firewall policy or policies, for example:
# config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set voip-profile "test"
set profile-protocol-options "default"
set nat enable
next
end
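Steps 1 and 2 above depend on reading the correct helper ID out of 'show system session-helper' before deleting it. The following Python script is an added example, not part of this article or of Fortinet's own tooling: it parses that CLI output (the sample output below is constructed for the example and mirrors the entry shown in step 1), reports whether a SIP session helper on UDP/5060 is still present, and assembles the exact 'config system session-helper' / 'delete <id>' / 'end' lines from step 2 for the ID it found, so the ID is never typed by hand. It also renders the VoIP profile of step 5 from the chosen rate limits. Nothing is sent to a device; the output is meant to be reviewed and then pasted into the CLI.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of 'show system session-helper' output (not captured from a
# real FortiGate). Entry 12 mirrors the SIP helper shown in step 1 of the article.
SAMPLE_SESSION_HELPERS = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 12
        set name sip
        set port 5060
        set protocol 17
    next
    edit 13
        set name dns-udp
        set port 53
        set protocol 17
    next
end
"""

# IP protocol numbers as they appear in the FortiOS 'set protocol' lines.
PROTO_UDP = 17
PROTO_TCP = 6


@dataclass
class SessionHelper:
    helper_id: int
    name: str
    port: int
    protocol: int


def parse_session_helpers(text: str) -> List[SessionHelper]:
    """Turn 'show system session-helper' output into a list of helper entries."""
    helpers: List[SessionHelper] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:  # start of a new table entry
            current = {"helper_id": int(m.group(1))}
            continue
        m = re.fullmatch(r"set (name|port|protocol) (\S+)", line)
        if m and current:
            key, value = m.groups()
            current[key] = value if key == "name" else int(value)
            continue
        if line == "next" and current:  # end of the entry: commit it
            helpers.append(SessionHelper(
                int(current["helper_id"]),
                str(current.get("name", "")),
                int(current.get("port", 0)),
                int(current.get("protocol", 0)),
            ))
            current = {}
    return helpers


def find_sip_helper(helpers: List[SessionHelper]) -> Optional[SessionHelper]:
    """Return the SIP session helper (name 'sip', UDP/5060) if it is still configured."""
    for h in helpers:
        if h.name == "sip" and h.port == 5060 and h.protocol == PROTO_UDP:
            return h
    return None


def removal_commands(helper: SessionHelper) -> List[str]:
    """CLI lines from step 2 of the article, with the parsed ID filled in."""
    return ["config system session-helper", f"delete {helper.helper_id}", "end"]


def voip_profile_commands(name: str, register_rate: int, invite_rate: int) -> List[str]:
    """CLI lines from step 5: a VoIP profile with REGISTER/INVITE rate limits."""
    if register_rate <= 0 or invite_rate <= 0:
        raise ValueError("rate limits must be positive requests per second")
    return [
        "config voip profile",
        f'edit "{name}"',
        "config sip",
        f"set register-rate {register_rate}",
        f"set invite-rate {invite_rate}",
        "end",
        "next",
        "end",
    ]


def audit(text: str) -> Dict[str, object]:
    """Summarise whether the SIP helper is present and what to run to remove it."""
    helper = find_sip_helper(parse_session_helpers(text))
    return {
        "sip_helper_present": helper is not None,
        "sip_helper_id": helper.helper_id if helper else None,
        "removal_commands": removal_commands(helper) if helper else [],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SESSION_HELPERS)
    print("SIP session helper present:", result["sip_helper_present"])
    print("\n".join(result["removal_commands"]))
    print("\n".join(voip_profile_commands("test", 100, 100)))
```

Run the script against output copied from the device instead of the sample; an empty 'removal_commands' list means the helper is already gone and only the reboot, feature switch and profile steps remain.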
Related links.
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/858887/voip-solutions
https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/858887/voip-solutions
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/FortiGate_6_0/fortigate-sip-603.pdf
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=fortigate-voip-sip-521pdf
Related Articles
Technical Tip: Disabling VoIP Inspection
Technical Tip: VOIP calls (using SIP)
Technical Tip: SIP useful Commands
Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG
Technical Tip: How to use the SIP ALG to prevent unwanted calls
SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2
Copyright 2023 Fortinet, Inc. All Rights Reserved.