FortiGate
Atul_S
Staff
Article Id 211664
Description

This article describes the situation where there is a need to delete the MGCP and H.323 protocols under session helper.
Scope

SIP is the most widely used signaling protocol for VoIP traffic. However, a few other protocols, for example H.323 (mainly for video) and MGCP (voice gateways), can carry VoIP signaling depending on the phone make and model.

In a typical SIP or H.323 installation, administrators are required to configure both the IP PBX and the voice gateway individually.


MGCP delivers a deeper integration that allows administrators to configure the gateways from the interface of the IP PBX itself.


In this way, an MGCP gateway no longer functions independently; it is instructed, controlled, and operated by the IP PBX in much the same way that an IP phone is configured and controlled.

Solution

By default, FortiGate uses the SIP ALG to process SIP-related traffic; however, some SIP providers recommend disabling the SIP ALG on the firewall.

The two VoIP modes work as follows:

  1. If proxy-based is selected (the default mode), the ALG mode takes precedence regardless of whether a session helper is configured, and the session helper does nothing.
  2. If kernel-helper-based is configured, the SIP session helper is the component that assists the VoIP traffic.


If session helper entry number 13 (SIP) is deleted and the mode is not changed to ALG mode (proxy-based), VoIP traffic is handled by the IPv4 policy only: the ALG is not configured, and the session helper will not kick in either because entry 13 has been deleted.


Proxy-based – default SIP ALG mode
Kernel-helper-based – SIP session helper


If removing entry number 13 for SIP under session helper does not resolve the issue, it is worth trying the following:


config system session-helper
    show full-config   // find the entry numbers related to MGCP and H.323
    delete X           // where X is the entry number for MGCP or H.323 (repeat for each entry)
end


  • External phone registration scenario: if the goal is to register Panasonic phones externally while the phone server is behind the firewall, it is recommended that:
  1. VIP address objects are created with port forwarding for UDP ports 2727, 9300, and 16000 to 16511 (the default RTP stream range is 16000 to 16511). For reference on creating a VIP with port forwarding, check the following KB article: Technical Tip: Virtual IP (VIP) port forwarding configuration.
  2. The VIPs are assigned to an incoming firewall policy where NAT is 'disabled'. The reason is that, if NAT is enabled, the Panasonic phone server sends its private IP address as the gateway for VoIP calls in the return traffic instead of using the VIP external address.
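As an added end-to-end illustration of the steps above (example configuration, not taken from the article), the following FortiOS CLI fragment selects the VoIP handling mode, removes the MGCP and H.323 session helpers, and builds the port-forwarding VIP and the no-NAT inbound policy for an externally registered phone server. The interface names (wan1, internal), the addresses 203.0.113.10 and 192.168.10.20, and the object names are assumptions.

```text
# 1. Select how VoIP traffic is handled. proxy-based is the default SIP ALG;
#    kernel-helper-based hands the traffic to the session helpers, which is
#    the only mode in which deleting helper entries changes anything.
config system settings
    set default-voip-alg-mode kernel-helper-based
end

# 2. List the helpers, then delete the MGCP and H.323 entries (entry numbers
#    differ between FortiOS versions, so take them from the 'show' output).
config system session-helper
    show
    delete <mgcp-entry-number>
    delete <h323-entry-number>
end

# 3. Port-forwarding VIP for the RTP range 16000-16511 (UDP). Assumed values:
#    203.0.113.10 is the public address on wan1, 192.168.10.20 the private
#    address of the phone server. Repeat the object for UDP 2727 and 9300.
config firewall vip
    edit "VIP_PBX_RTP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set mappedip "192.168.10.20"
        set extport 16000-16511
        set mappedport 16000-16511
    next
end

# 4. Inbound policy with NAT disabled, so the phone server learns the VIP
#    external address instead of its private address for return traffic.
config firewall policy
    edit 0
        set name "Inbound_Panasonic_VoIP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_PBX_RTP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Add the VIPs created for UDP 2727 and 9300 to the policy's dstaddr list alongside VIP_PBX_RTP, and confirm with `diagnose sys session list` that VoIP sessions no longer show a helper in kernel-helper-based mode.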