FortiGate
AnthonyH
Staff
Article Id 364591
Description This article describes an issue where a VoIP profile with feature-set set to ips cannot be applied to a firewall policy.
Scope FortiGate v7.4.3, v7.6.0.
Solution

In version v7.2.5, the VoIP profile allows the combination of applying SIP ALG (proxy based) and SIP IPS (flow based) profi....

 

In some scenarios, when a VoIP profile has been configured with feature-set ips, it is possible to select the profile in a firewall policy, but the policy fails to save.


config voip profile
    edit "sip-ips"
        set feature-set ips
        config sip
            set log-violations enable
        end
    next
end



 

This profile should be applied in conjunction with a SIP-ALG profile and set through the CLI using the command set ips-voip-filter <voip_profile>:

 

config firewall policy
    edit 3
        set name "VoIP"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"

        set voip-profile "sip-voipd" <-- Proxy-based VoIP profile.
        set ips-voip-filter "sip-ips" <-- Flow-based VoIP profile.
        set logtraffic all
    next
end

 

In v7.2.9, v7.4.5, and v7.6.1, the IPS profile will be filtered out.
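
The pairing described above can be checked in a CLI script before it is pasted into a device. The following Python lint is an added example, not Fortinet code or part of the original article: it flags a policy whose voip-profile points at a feature-set ips profile, or whose ips-voip-filter points at a profile that is not feature-set ips. The function names parse_tables and lint_voip are hypothetical, and the embedded script is constructed (its "sip-voipd" profile is assumed to already exist on the device).

```python
import shlex
# Constructed sample CLI script (not from the article); policy 4 is the failing case.
SAMPLE = '''
config voip profile
    edit "sip-ips"
        set feature-set ips
        config sip
            set log-violations enable
        end
    next
end
config firewall policy
    edit 3
        set voip-profile "sip-voipd"
        set ips-voip-filter "sip-ips"
    next
    edit 4
        set voip-profile "sip-ips"
    next
end
'''

def parse_tables(text):
    """Map each top-level table to {entry: {key: first value}}; nested blocks are skipped."""
    tables, stack, entry = {}, [], None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            entry = entry if stack else None  # a new top-level table has no current entry
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and tok[0] == "edit" and len(tok) > 1:
            entry = tables.setdefault(stack[0], {}).setdefault(tok[1], {})
        elif len(stack) == 1 and tok[0] == "set" and len(tok) > 2 and entry is not None:
            entry[tok[1]] = tok[2]
    return tables

def lint_voip(text):
    """Return (policy id, setting, profile) for references that contradict the article."""
    tables = parse_tables(text)
    ips = {n for n, p in tables.get("voip profile", {}).items() if p.get("feature-set") == "ips"}
    findings = []
    for pid, pol in tables.get("firewall policy", {}).items():
        vp, ivf = pol.get("voip-profile"), pol.get("ips-voip-filter")
        if vp in ips:  # feature-set ips profile on voip-profile: the case that fails to save
            findings.append((pid, "voip-profile", vp))
        if ivf and ivf not in ips:  # ips-voip-filter expects the feature-set ips profile
            findings.append((pid, "ips-voip-filter", ivf))
    return findings
```

Calling lint_voip(SAMPLE) reports only policy 4; policy 3 follows the layout shown in the article and passes.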