This article describes how a FortiGate setup with SIP-ALG enabled handles network packets with QoS markings, as well as how to prevent these markings from being stripped.
This applies to FortiGate devices running FortiOS 5.x, 6.x and 7.x.
The following diagram illustrates a typical topology for a VoIP connection with FortiGate:
In this instance, the network administrator's goal is to preserve bidirectional, end-to-end QoS markings between the client's VoIP solution and the VoIP server.
On the branch FortiGate, SIP proxy features are disabled. This means inspection of SIP traffic is not performed. The hub FortiGate has SIP proxy features enabled, which means all SIP traffic is inspected.
Since the branch device does not inspect SIP traffic, SIP packets ingress through its LAN port and egress through its MPLS port with the same DSCP values the client set. On the hub FortiGate, however, SIP ALG is enabled, and the SIP traffic loses its DSCP values while it is inspected there: traffic arrives with the correct markings on the hub's MPLS port but leaves the LAN port towards the voice server without any.
To prevent the DSCP markings from being stripped, a network administrator can enable the flow-based SIP inspection feature introduced in FortiOS 7.0. See the FortiOS documentation for details.
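As an added example (not from the article or from Fortinet), the following Python check compares the DSCP of SIP packets seen on the hub's MPLS side (ingress) with the same flows on its LAN side (egress), so an administrator can confirm from two captures whether the markings survive the SIP ALG; the packets, addresses and ports below are constructed test data, not real captures.

```python
import struct

SIP_PORT = 5060

def build_ipv4_udp(src, dst, sport, dport, dscp, payload):
    """Build a minimal IPv4/UDP packet (checksums left zero; constructed test data)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload

def parse_packet(pkt):
    """Return (flow key, DSCP, is_sip) for an IPv4/UDP packet, else None."""
    ver_ihl, tos, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:]
    # SIP signalling: UDP 5060 carrying a SIP request line or status line
    is_sip = SIP_PORT in (sport, dport) and payload.startswith(
        (b"INVITE", b"REGISTER", b"ACK", b"BYE", b"SIP/2.0"))
    key = (".".join(map(str, src)), ".".join(map(str, dst)), sport, dport)
    return key, tos >> 2, is_sip

def find_stripped(ingress_pkts, egress_pkts):
    """List SIP flows whose DSCP on egress differs from the DSCP seen on ingress."""
    egress = {}
    for pkt in egress_pkts:
        parsed = parse_packet(pkt)
        if parsed:
            egress[parsed[0]] = parsed[1]
    stripped = []
    for pkt in ingress_pkts:
        parsed = parse_packet(pkt)
        if not parsed:
            continue
        key, dscp_in, is_sip = parsed
        if is_sip and key in egress and egress[key] != dscp_in:
            stripped.append((key, dscp_in, egress[key]))
    return stripped

# Constructed sample: a client INVITE marked EF (DSCP 46) on the hub's MPLS side,
# the same flow re-emitted towards the LAN with DSCP 0 (the SIP ALG symptom);
# a non-SIP UDP packet keeps its marking in both captures.
INVITE = b"INVITE sip:1001@10.2.2.20 SIP/2.0\r\n"
INGRESS = [build_ipv4_udp("10.1.1.10", "10.2.2.20", 5060, 5060, 46, INVITE),
           build_ipv4_udp("10.1.1.10", "10.2.2.20", 40000, 53, 26, b"dns")]
EGRESS = [build_ipv4_udp("10.1.1.10", "10.2.2.20", 5060, 5060, 0, INVITE),
          build_ipv4_udp("10.1.1.10", "10.2.2.20", 40000, 53, 26, b"dns")]
```

After enabling flow-based SIP inspection, re-running the same comparison on fresh captures should return an empty list.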