Technical Tip: Prevent DSCP markings being stripped when SIP-ALG is enabled

sgiannogloudis · ‎10-14-2022

Description

This article describes how a FortiGate setup with SIP-ALG enabled handles network packets with QoS markings, as well as how to prevent these markings from being stripped.

Scope

FortiGate with FortiOS 5.x, 6.x and 7.x.

Solution

The following diagram illustrates a typical topology for a VoIP connection with FortiGate:

In this instance, the network administrator's goal is to ensure bidirectional end-to-end QoS markings between the Client's VoIP solution and the VoIP server.

On the branch FortiGate, SIP proxy features are disabled. This means inspection of SIP traffic is not performed. The hub FortiGate has SIP proxy features enabled, which means all SIP traffic is inspected.

Since the branch device does not inspect SIP traffic, SIP packets will ingress through the LAN port and egress to the MPLS port with the same DSCP values that were generated by the client.
However, when SIP ALG is enabled on a device, network traffic loses the DSCP values before inspection at the hub FortiGate. Traffic arrives with the correct markings on the hub's MPLS port but exits towards the LAN port for the Voice server without any.

To prevent DSCP markings being stripped, a network administrator can enable the Flow-Based SIP inspection feature implemented in version 7.0 of FortiOS. See the documentation for more information.

Technical Tip: Prevent DSCP markings being stripped when SIP-ALG is enabled

You are leaving our website