FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lfernando
Staff
Article Id 397964

 

Description: This article describes the steps and process for executing a padding test for VoIP packets on the FortiGate Firewall.
Scope: FortiGate.
Solution

Voice padding testing involves the insertion of additional data (padding) into voice packets to enhance performance and quality in networks affected by bandwidth limitations or latency issues. On a FortiGate device, implementation of this test can be achieved through the configuration of Quality of Service (QoS) profiles and traffic shaping.


Padding in RTP packets operates according to the specifications in RFC 3550. The RTP header includes a padding bit that, when set to 1, indicates the use of padding. Padding entails the addition of extra bytes at the end of an RTP packet that do not contribute to the payload. These bytes are placed immediately after the payload data, with the final byte specifying the number of padding bytes added.


In the absence of padding, the payload size is inferred from the total packet length minus the header. When padding is present, the exact number of padding bytes must be known to determine the actual payload size.
Padding is most commonly employed to standardize RTP packet sizes. This is particularly useful for codecs, especially video codecs, that generate variable payload sizes. Standardizing packet sizes helps to stabilize bandwidth usage and supports encryption. Uniform packet sizes allow encryption algorithms—especially block ciphers requiring fixed-size blocks—to function more efficiently and conceal sensitive metadata such as packet size.
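
The RFC 3550 padding rules described above can be checked on a captured packet with a short parser. This is an added example, not part of the original article or of FortiOS: `parse_rtp`, `pad_rtp` and `SAMPLE` are hypothetical names, and the 200-byte target mirrors the minimum packet size used later in this article, treated here as the RTP packet length.

```python
import struct

RTP_FIXED_HEADER = 12  # bytes (RFC 3550, section 5.1)


def parse_rtp(packet: bytes) -> dict:
    """Return header, payload and padding lengths of one RTP packet."""
    if len(packet) < RTP_FIXED_HEADER:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq = struct.unpack("!BBH", packet[:4])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    header_len = RTP_FIXED_HEADER + 4 * (b0 & 0x0F)  # plus CSRC entries
    if b0 & 0x10:  # X bit: a header extension follows the CSRC list
        if len(packet) < header_len + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack("!H", packet[header_len + 2:header_len + 4])
        header_len += 4 + 4 * ext_words
    if header_len > len(packet):
        raise ValueError("header longer than packet")
    pad_len = 0
    if b0 & 0x20:  # P bit: the last octet counts the padding, itself included
        pad_len = packet[-1]
        if pad_len == 0 or pad_len > len(packet) - header_len:
            raise ValueError("invalid padding count")
    return {"payload_type": b1 & 0x7F, "sequence": seq,
            "header_len": header_len, "padding": pad_len,
            "payload_len": len(packet) - header_len - pad_len}


def pad_rtp(packet: bytes, min_size: int) -> bytes:
    """Pad an unpadded RTP packet to min_size bytes and set the P bit."""
    missing = min_size - len(packet)
    if missing <= 0:
        return packet
    if packet[0] & 0x20:
        raise ValueError("packet is already padded")
    if missing > 255:
        raise ValueError("padding count must fit in one octet")
    return (bytes([packet[0] | 0x20]) + packet[1:]
            + bytes(missing - 1) + bytes([missing]))


# Constructed sample: G.711 (payload type 0), 20 ms = 160 payload bytes.
SAMPLE = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x12345678) + bytes(160)

if __name__ == "__main__":
    print(parse_rtp(SAMPLE))
    print(parse_rtp(pad_rtp(SAMPLE, 200)))
```

A receiver that ignores the P bit would count the padding as audio, which is why the parser rejects a padding count of zero or one larger than the space after the header.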

 


 

Speech padding.

Voice padding is a technique that consists of adding padding bytes to voice packets so that they have a minimum size, which helps to:

 

  • Improve bandwidth consistency: By ensuring a minimum packet size, variability in the bandwidth consumed by voice traffic is reduced, which can help avoid congestion and jitter problems.

  • Reduce latency: In networks with high latency, padding can help packets reach the receiver faster by reducing the number of small packets processed.

  • Facilitate traffic management: By having uniform packet sizes, it is easier for network devices, such as firewalls, to manage and prioritize voice traffic.

 

Passing the voice padding test in a FortiGate.

In a FortiGate, a voice padding test is implemented through the configuration of QoS profiles and traffic shaping.  

 

  1. Identify voice traffic:

    This can be done through deep packet inspection (DPI) and detection of voice protocols such as SIP and RTP.

  2. Create a QoS profile:

    A QoS profile defines the priorities and guaranteed bandwidth for different types of traffic. A specific profile should be created for voice traffic, with a high priority and an appropriate guaranteed bandwidth. For example, to apply a QoS profile with the FortiGate, use Traffic shaping.

  3. Configure traffic shaping:

    Traffic shaping enables control over packet characteristics such as size and transmission speed. Configuring the shaper ensures that voice packets maintain a minimum size and a consistent transmission rate. This shaping policy is applied to the previously defined firewall rule that governs traffic originating from the PBX or server under padding test conditions, directed toward the LAN behind the FortiGate device.

  4. Enforce security policy:

    The security policy must apply the configured Quality of Service (QoS) profile and traffic shaping mechanisms to the identified voice traffic to ensure optimal performance and adherence to network priorities.

  5. Monitor performance:

    It is essential to verify the effectiveness of the configuration and the proper execution of the padding test. FortiView Sessions can be utilized to identify source and destination traffic and to confirm that the traffic shaper is functioning as intended.

 


 

diagnose sniffer packet any "port 5060" 4 0 l 

 


 

Example configuration on the FortiGate CLI:

 

config firewall policy   <-- Define policy.
    edit 1
        set srcintf "port1"     <-- Source interface.
        set dstintf "port2"     <-- Destination interface.
        set srcaddr "all"       <-- Source IP address.
        set dstaddr "all"       <-- Destination IP address.
        set action accept
        set schedule "always"
        set service "SIP" "RTP"        <-- VoIP protocols.
        set logtraffic all             <-- Log all sessions.
        set profile-protocol-options "SIP"     <-- Enable inspection of SIP, RTP, etc.
        set ssl-ssh-profile "certificate-inspection"    <-- Enable SSL/SSH inspection.
        set av-profile "default"                        <-- Enable Antivirus profile.
        set webfilter-profile "default"                 <-- Enable Web Filter.
        set application-list "default"                  <-- Enable application control.
        set traffic-shaper "voice shaper"               <-- Apply the traffic shaper.
        set nat enable                                  <-- Enable NAT.
    next
end

 

config firewall shaper traffic-shaper      <-- QoS profile.
    edit "voice shaper"
        set maximum-bandwidth 2048         <-- Maximum bandwidth in Kbps.
        set guaranteed-bandwidth 512       <-- Guaranteed bandwidth in Kbps.
        set priority high                  <-- High priority.
        set source "all"                   <-- Source.
        set destination "all"              <-- Destinations.
        set service "SIP" "RTP"            <-- Services.
        set packet-size-correction enable  <-- Enable packet size correction.
        set minimum-packet-size 200        <-- Minimum packet size in bytes.
    next
end


For this example:

 

        set traffic-shaper "voice shaper"   <-- Apply the traffic shaper to voice traffic.

 

Related articles:

Technical Tip: Disabling VoIP Inspection

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: VoIP and SIP configuration and troubleshooting resource lists

Comments
JorgeMonroyPad
Staff & Editor

Excellent document @lfernando, very well detailed!