Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JHelio
Staff
Staff

Created on ‎02-22-2023 09:46 PM Edited on ‎02-05-2024 09:36 AM By Moderator

Article Id 246687

Technical Tip: How to apply VoIP profile to policy where no SIP inspection is required

Description

This article describes how to apply VoIP profile where SIP inspection is not required for specific traffic crossing IPv4 policy.

 

The latest FortiGate versions have by default VoIP SIP ALG enabled globally and sometimes the FortiGate needs to handle more than one VoIP solutions where one solution will need SIP ALG active and other VoIP solutions will not be required.

 

Default FortiGate configuration:

 

config system settings
    set default-voip-alg-mode proxy-based  <----- SIP ALG enabled.
end

 

Note:

If ALG mode is set in Kernel mode, Firewall policy is still required in Proxy mode to use a different VOIP profile.

 

If a specific traffic flow requires to pass without SIP ALG inspection active, this can also be accomplished by adding the following VoIP profile to the IPv4 policy which allows this traffic. Note that the VoIP profile that is applied has the SIP inspection disabled. If such a profile is not used, FortiGate will detect the SIP traffic and apply the 'default' VoIP profile even if not applied in the policy:

 

  1. Create VoIP profile with no SIP inspection by CLI:

 

config voip profile
    edit "VoIP_ALG_Off"
    config sip
        set status disable <----- Disable SIP inspection.
        set rtp disable <----- Avoid RTP pinholes creation. 
    end
next

 

  1. Assign such VoIP profile to the policy desired:

 

ALG.PNG

 

By CLI:

 

config firewall policy
    edit 1
        set name "disable VoIP"
        set utm-status enable
        set voip-profile "VoIP_ALG_Off" <----- VoIP profile assigned.
next

 

Note:

Enable VoIP feature from System -> Feature Visibility -> VoIP.

 

voip.PNG

 
Scope FortiGate.
Solution

Having VoIP profiles where one has SIP ALG disabled, allows one to decide which traffic needs SIP inspection and which does not at the policy level.

 

voip2.PNG

 

 

8876
Submit Article Idea
Comments
DPadula
Staff
Staff
‎09-27-2023 06:31 PM

Hey Helio,


Mate, I got confused with this part : "But if needed specific traffic does not have SIP ALG inspection active, It is not possible to accomplish by adding a VoIP profile at a specific IPv4 policy."


You wrote is not possible to use a voip profile to have SIP ALG not inspecting the traffic, then you show how to apply a voip profile to do that. 

Also, you started the article with this sentence: This article describes how to apply VoIP profile where SIP inspection is not required for specific traffic crossing IPv4 policy.

 

Regards

Danilo

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.