AlexC-FTNT
Staff
Article Id 217457
Description

This article describes the changes introduced in FortiOS v7.0 in how SIP traffic is handled.

The inspection mode of the policy is now enforced for SIP traffic: a flow-based policy no longer hands SIP to the proxy-based SIP ALG.

Scope

SIP ALG is a proxy-based feature (recommended, and the default). It is designed for proxy-based policies (the recommended configuration), although in FortiOS v6.4 it was also invoked when the policy was not proxy-based.

SIP session helper is a basic mechanism for opening RTP pinholes. It works in both proxy- and flow-based policies, provides no advanced SIP security, and is no longer being developed.

If both are disabled, SIP security is left entirely to the local SIP server, as FortiGate then only forwards the SIP traffic, typically mapped through a VIP.

Solution

FortiOS v6.4 default:

SIP ALG handles SIP in all policy types. No voip-profile needs to be set on the policy; if no specific voip-profile is applied, the 'default' profile is used.

Statistics for SIP can be checked with:

 diagnose sys sip-proxy stats

Proxy-based mode is not enforced for SIP traffic, so SIP ALG, although a proxy-based feature, works even in flow-based policies.

FortiOS v7.x+ default:

SIP ALG is used in proxy-based policies, BUT flow-based SIP inspection plus the SIP session helper are used in flow-based policies.

'diagnose sys sip-proxy stats' does not show statistics for SIP traffic in flow-based policies, because that traffic never reaches the SIP proxy.

Flow-based mode is enforced for SIP traffic in flow-based policies; the policy's inspection mode is no longer overridden for SIP.

Upgrading from FortiOS v6.4.x to v7.0.x may therefore cause SIP calls to be handled by the SIP session helper instead of SIP ALG if the policy allowing them was in flow-based mode before the upgrade.

The fix is to change the policy that allows the SIP traffic to proxy-based mode so that SIP ALG is used as before.
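As an added example (not part of the original article), the CLI steps below check which mechanism is currently handling SIP after the upgrade and move the policy back to proxy-based inspection so that SIP ALG is used. The policy ID 10 and the VoIP profile name "default" are assumptions; substitute the ID of the policy that allows your SIP traffic and the profile you actually use.

```fortios
# Added example, not from the original article. Policy ID 10 and the
# voip-profile name "default" are assumptions; adapt them to your setup.

# 1. Check how the SIP-allowing policy currently inspects traffic.
#    'set inspection-mode flow' (or no inspection-mode line at all, which
#    is the flow-based default) means the SIP session helper handles SIP.
show firewall policy 10

# 2. Switch the policy to proxy-based inspection so SIP ALG is used again,
#    and attach a VoIP profile explicitly rather than relying on 'default'.
config firewall policy
    edit 10
        set inspection-mode proxy
        set utm-status enable
        set voip-profile "default"
    next
end

# 3. Verify: place a test call, then confirm the SIP proxy sees the traffic.
#    Under a flow-based policy these counters do not move at all.
diagnose sys sip-proxy stats

# 4. Optional cross-check: look at the live SIP signalling session.
#    A session bound to the session helper shows 'helper=sip' in its
#    output; after step 2 new SIP sessions should no longer show it.
diagnose sys session filter dport 5060
diagnose sys session list
diagnose sys session filter clear
```

Apply the change in a maintenance window: changing a policy's inspection mode causes existing sessions matching that policy to be re-evaluated, so active calls on that policy may be dropped and re-established.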

FortiOS v7.2.5+/v7.4.0+:

The VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The voip-profile can be selected regardless of the inspection-mode in the firewall policy. For more info, see Introduce SIP IPS profile as a complement to SIP ALG.


Related article:

Technical Tip: Changes in SIP ALG's behavior after upgrading on 7.0 or 7.2 GA versions