FortiGate
pradeepb
Staff
Article Id 198262

Description

This article describes how to disable the H323 and RAS session helpers.

Scope

FortiGate.

Solution

To successfully process VoIP calls, FortiOS must be able to extract information from the body of the H323 packet and use this information to allow the voice-carrying packets through the firewall.
The H323 session helper is used for this purpose.


The H323 session helper creates an expected session whenever H323 traffic arrives, opening pinholes for the negotiated RTP ports and performing NAT on those ports.
In scenarios where the H323 gatekeeper/server performs the VoIP inspection and NAT on these packets, and FortiGate is not required to inspect the H323 sessions, consider removing the H323 and RAS session helpers.


To disable the H323 session helper, which listens on TCP port 1720:

Enter the following command to find the h323 session helper entry number:

show full system session-helper

config system session-helper
    edit 2                            <----- 2 is the default entry number.
        set name h323
        set protocol 6
        set port 1720
end

Once the entry number is known, use the following commands to remove that entry:

config system session-helper
(session-helper) # delete 2
end

The RAS session helper's default entry number is 3 (it listens on UDP port 1719).
Following the same steps and commands, check the RAS session helper entry number and delete it.
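As an added example (not part of the original article), the following Python script parses the text of `show full system session-helper` and generates the matching delete commands, so the entry numbers are taken from the actual output instead of being assumed to be 2 and 3. The sample output embedded in it is constructed for illustration; the function names and the `global_vdom` option are assumptions of this example. The same generated commands cover the VDOM case described later in the article: with `global_vdom=True` they are wrapped in `config global` and `end`.

```python
import re

# Constructed sample of `show full system session-helper` output. Entries other than
# h323/ras, and their numbers, are illustrative assumptions, not taken from a live unit.
SAMPLE_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
    edit 10
        set name sip
        set protocol 17
        set port 5060
    next
end
"""


def parse_session_helpers(text):
    """Parse CLI output into {entry_number: {"name": ..., "protocol": ..., "port": ...}}.

    Handles both the `edit N ... next` form and an excerpt that ends with `end`
    and no `next`, and ignores trailing annotations after `edit N`.
    """
    helpers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit (\d+)", line)
        if m:
            current = int(m.group(1))
            helpers[current] = {}
            continue
        m = re.match(r"^set (\S+) (.+)$", line)
        if m and current is not None:
            key, value = m.groups()
            helpers[current][key] = int(value) if value.isdigit() else value.strip('"')
        elif line in ("next", "end"):
            current = None
    return helpers


def find_entries(helpers, names=("h323", "ras")):
    """Return the entry numbers whose helper name is in `names`, ascending."""
    return sorted(num for num, h in helpers.items() if h.get("name") in names)


def delete_commands(helpers, names=("h323", "ras"), global_vdom=False):
    """Build the CLI lines that remove the matching session-helper entries.

    With global_vdom=True the block is wrapped in `config global` / `end`, which is
    where the setting lives when VDOMs are enabled. Returns an empty list when no
    matching helper exists, so no entry is ever deleted blindly by default number.
    """
    entries = find_entries(helpers, names)
    if not entries:
        return []
    cmds = ["config system session-helper"]
    cmds += [f"delete {num}" for num in entries]
    cmds.append("end")
    if global_vdom:
        cmds = ["config global"] + cmds + ["end"]
    return cmds


if __name__ == "__main__":
    parsed = parse_session_helpers(SAMPLE_OUTPUT)
    for num in find_entries(parsed):
        print(f"entry {num}: {parsed[num]}")
    print("\n".join(delete_commands(parsed, global_vdom=True)))
```

Paste the real output of `show full system session-helper` in place of the sample before trusting the generated commands; the point of the script is that the entry numbers are looked up by helper name, not assumed.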


Special note: how to disable the session helper with VDOMs enabled.

If VDOMs are enabled, disable the session helper from the global VDOM, as the session helper setting is a global parameter.

config global
(global)# config system session-helper
(session-helper)# delete 2
(session-helper)# delete 3
end

Since this is a global setting, disabling the session helper globally affects ALL VDOMs.

There might be scenarios where, in a particular VDOM (say VDOM-A), the session helper must still be used for H323 traffic, while VDOM-B needs the session helper disabled so that H323 traffic passing through VDOM-B is not inspected by it.

In such cases, the following settings can be used:

config vdom
    edit VDOM-B
(VDOM-B) # config firewall service custom
(custom)# edit H323-Helper-disable
(H323-Helper-disable)# set tcp-portrange 1719-1720
(H323-Helper-disable)# set helper disable
(H323-Helper-disable)# end

Once the above custom service with the helper disabled has been created, H323-Helper-disable must be configured as the service in the corresponding firewall policy that allows the H323 traffic, so that sessions matched by that policy bypass the helper.