Created on 01-22-2016 03:18 PM Edited on 07-05-2023 07:25 AM By AlexC-FTNT
Description
Solution
By default, FortiGate uses the SIP ALG to process SIP traffic.
Verify it by checking the configuration and counters:
FortiGate # show full system setting | grep default-voip-alg-mode
#set default-voip-alg-mode proxy-based
proxy-based <----- Default SIP ALG mode.
kernel-helper-based <----- SIP session helper.
To verify counters based on the mode:
1) If the SIP session helper is handling the SIP traffic, the command below will display counters:
FortiGate # diag sys sip status
dialogs: max=131072, used=0
mappings: used=0
dialog hash by ID: size=8192, used=0, depth=0
dialog hash by RTP: size=8192, used=0, depth=0
mapping hash: size=8192, used=0, depth=0
count0: 0
count1: 2
count2: 10
count3: 0
count4: 0
2) If the SIP ALG is handling the SIP traffic, the command below will display counters:
FortiGate # diag sys sip-proxy stat
sip stats
vdom name: root
---------------------------
active-sessions: 1
calls-attempted: 57
calls-established: 27
calls-failed: 30
calls-active: 0
registers-active: 1
| received | blocked | unknown form | long headers
req-type | req resp| req resp| req resp| req resp
UNKNOWN 0 47227 0 47227 0 47227 0 0
ACK 86 0 0 0 0 0 0 0
BYE 27 27 0 0 0 0 0 0
CANCEL 14 14 0 0 0 0 0 0
INFO 0 0 0 0 0 0 0 0
INVITE 107 223 0 0 0 0 0 0
MESSAGE 0 0 0 0 0 0 0 0
NOTIFY 5789 5788 0 0 0 0 0 0
OPTIONS 0 0 0 0 0 0 0 0
PRACK 0 0 0 0 0 0 0 0
PUBLISH 10371 802 0 1 0 0 0 0
REFER 2 2 0 0 0 0 0 0
REGISTER 100678 81543 25 0 25 0 0 0
SUBSCRIBE 19857 13333 0 2 0 0 0 0
UPDATE 0 0 0 0 0 0 0 0
PING 0 0 0 0 0 0 0 0
To verify based on the session created on the SIP port:
First, filter and display the session:
# diag sys session filter dport 5060
# diag sys session filter dst x.x.x.x (public IP of the SIP provider)
# diag sys session list
Then look for the flags in the session output:
1. If the session has the "ndr" flag, flow-based SIP (IPS) handles the traffic.
2. If the session has the "redir" and "local" flags, the SIP ALG handles the traffic.
3. If the session only has "helper=sip", the SIP kernel helper (session-helper) handles the traffic.
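The three flag rules above can be applied to a saved copy of the session listing. The following is an added example, not Fortinet code: the sample text is constructed and abbreviated, the function names are hypothetical, and it assumes the flags appear on a "state=" line and that the rules are checked in the order listed.

```python
import re

# Constructed, abbreviated stand-in for saved "diag sys session list" output.
SAMPLE = """\
session info: proto=17 proto_state=00 duration=12 expire=170 timeout=0
state=log may_dirty ndr
hook=post dir=org act=snat 10.0.0.5:5060->203.0.113.10:5060(198.51.100.1:5060)

session info: proto=17 proto_state=01 duration=40 expire=140 timeout=0
state=redir local may_dirty
hook=post dir=org act=snat 10.0.0.6:5060->203.0.113.10:5060(198.51.100.1:5060)

session info: proto=17 proto_state=00 duration=7 expire=173 timeout=0
state=may_dirty
helper=sip
hook=post dir=org act=snat 10.0.0.7:5060->203.0.113.10:5060(198.51.100.1:5060)
"""

def split_sessions(text):
    """Return one text chunk per 'session info:' record."""
    marker = "session info:"
    return [marker + chunk for chunk in text.split(marker)[1:]]

def classify(session):
    """Apply the article's three flag rules to one session record."""
    match = re.search(r"(?m)^state=(.*)$", session)
    flags = set(match.group(1).split()) if match else set()
    has_helper = re.search(r"\bhelper=sip\b", session) is not None
    if "ndr" in flags:                    # rule 1
        return "flow-based SIP (IPS)"
    if {"redir", "local"} <= flags:       # rule 2: both flags required
        return "SIP ALG"
    if has_helper:                        # rule 3: helper=sip and neither of the above
        return "SIP session helper"
    return "undetermined"

def classify_all(text):
    """Classify every session record found in the listing."""
    return [classify(s) for s in split_sessions(text)]

if __name__ == "__main__":
    for number, verdict in enumerate(classify_all(SAMPLE), 1):
        print(f"session {number}: {verdict}")
```

A session that matches none of the three rules is reported as "undetermined" rather than guessed.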
Related links.
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/858887/voip-solutions
https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/858887/voip-solutions
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/FortiGate_6_0/fortigate-sip-603.pdf
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=fortigate-voip-sip-521pdf