Technical Tip: How to apply VoIP profile to policy where no SIP inspection is required

JHelio · ‎02-22-2023

Description

This article describes how to apply VoIP profile where SIP inspection is not required for specific traffic crossing IPv4 policy.

The latest FortiGate versions have by default VoIP SIP ALG enabled globally and sometimes the FortiGate needs to handle more than one VoIP solutions where one solution will need SIP ALG active and other VoIP solutions will not be required.

Default FortiGate configuration:

config system settings
set default-voip-alg-mode proxy-based <----- SIP ALG enabled.
end

Note:

If ALG mode is set in Kernel mode, Firewall policy is still required in Proxy mode to use a different VOIP profile.

The below change need to apply in the Kernel Mode.

config firewall service custom
(custom) edit SIP-Helper-disable
(Helper-disable) set udp-portrange 5060
(Helper-disable) set helper disable
(Helper-disable) next

If a specific traffic flow requires to pass without SIP ALG inspection active, this can also be accomplished by adding the following VoIP profile to the IPv4 policy which allows this traffic. Note that the VoIP profile that is applied has the SIP inspection disabled. If such a profile is not used, FortiGate will detect the SIP traffic and apply the 'default' VoIP profile even if not applied in the policy:

Create VoIP profile with no SIP inspection by CLI:

config voip profile
edit "VoIP_ALG_Off"
config sip
set status disable <----- Disable SIP inspection.
set rtp disable <----- Avoid RTP pinholes creation.
end
next

Assign such VoIP profile to the policy desired:

By CLI:

config firewall policy
edit 1
set name "disable VoIP"
set utm-status enable
set voip-profile "VoIP_ALG_Off" <----- VoIP profile assigned.
next

Note:

Enable VoIP feature from System -> Feature Visibility -> VoIP.

Scope

FortiGate.

Solution

Having VoIP profiles where one has SIP ALG disabled, allows one to decide which traffic needs SIP inspection and which does not at the policy level.