JHelio
Staff
Article Id 247056
Description

This article describes how to add more than one UDP port for SIP inspection on FortiGate.

Scope

FortiGate.
Solution

By default, FortiGate will use only UDP port 5060 for SIP inspection with proxy-based SIP ALG:

 

config system settings

set default-voip-alg-mode proxy-based       <----- SIP ALG enabled.

end

 

However, checking the default port used for SIP shows that only port 5060 is configured:

 

config system settings

set sip-udp-port 5060      <----- SIP ALG port configured by default.

set gui-voip-profile enable

end

 

Some customers run more than one VoIP solution through FortiGate, each using a different UDP port, and SIP inspection is required for each. To accomplish this, add the additional UDP ports in the CLI.

 

The following example shows a configuration that adds UDP port 5070:

 

config system settings

set sip-udp-port 5060 5070  <----- SIP ALG listens on two ports, 5060 and 5070.

set gui-voip-profile enable

end

 


 

This configuration makes it possible to set SIP inspection for UDP ports 5060 and 5070 at the same time.

 

To revert to the original configuration, unset the option so that only the default UDP port 5060 is active:

 

config system settings

unset sip-udp-port

end

 

Setting more than one UDP port for SIP inspection allows for the existence of multiple VoIP solutions working through FortiGate at the same time.
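
One way to check a configuration backup against the ports a site expects SIP inspection on, as an added example (not Fortinet code and not part of the original article). The function names, the sample backup and the list of required ports are hypothetical; the script assumes that a backup without a sip-udp-port line means only the default port 5060 is inspected.

```python
# SAMPLE_BACKUP is a constructed config backup, not taken from a real device.
SAMPLE_BACKUP = """\
config system global
    set hostname "fw-lab"
end
config system settings
    set default-voip-alg-mode proxy-based
    set sip-udp-port 5060 5070
    set gui-voip-profile enable
end
"""

# Assumption: a backup without sip-udp-port means the default (5060) is in effect.
DEFAULT_SIP_UDP_PORTS = [5060]


def parse_system_settings(backup_text):
    """Return the 'set' options of every 'config system settings' block, at any nesting depth."""
    blocks, current, depth, block_depth = [], None, 0, None
    for raw in backup_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system settings" and current is None:
                current, block_depth = {}, depth
        elif line == "end":
            if current is not None and depth == block_depth:
                blocks.append(current)
                current = None
            depth = max(depth - 1, 0)
        elif current is not None and depth == block_depth and line.startswith("set "):
            parts = line.split()
            if len(parts) >= 3:
                current[parts[1]] = parts[2:]
    return blocks


def audit_sip_ports(backup_text, required_ports):
    """Per settings block: ALG mode, inspected SIP UDP ports, required ports not covered."""
    results = []
    for opts in parse_system_settings(backup_text):
        ports = [int(p) for p in opts.get("sip-udp-port", []) if p.isdigit()]
        ports = ports or list(DEFAULT_SIP_UDP_PORTS)
        results.append({
            "alg_mode": opts.get("default-voip-alg-mode", ["not in backup"])[0],
            "inspected": ports,
            "missing": sorted(set(required_ports) - set(ports)),
        })
    return results
```

Calling `audit_sip_ports(SAMPLE_BACKUP, [5060, 5070, 5080])` reports 5080 as missing, meaning a VoIP solution on that port would pass through without SIP inspection.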