FortiGate
AlexC-FTNT
Staff
Article Id 306398

Description

This article presents a matrix that identifies which inspection mode FortiGate uses when handling SIP calls, depending on the VoIP ALG mode and the inspection mode of the firewall policy.

SIP calls are recognised by the SIP ports configured under config system settings (sip-udp-port, sip-tcp-port and sip-ssl-port), so SIP on a port not listed there is not treated as SIP.

When SIP over TLS is used (on the SIP SSL port, or on port 443), the signalling is encrypted. An SSL/SSH inspection profile with deep inspection must therefore be applied to the policy; without decryption FortiGate cannot identify the session as a SIP call, and the ALG never sees it.

Scope

FortiOS, all supported versions to date (7.0.14, 7.2.8, 7.4.4).

This scenario applies to FortiGates where MSRP is not used (MSRP inspection was introduced in 7.4.3).


Solution

Reminder:

  • SIP-ALG enabled / policy in proxy-mode: the ALG parses the SIP signalling, so troubleshooting on the FortiGate is possible.
  • SIP-ALG disabled / policy in flow-mode: FortiGate has no control over the SIP dialog, and very few SIP-related checks can be performed on it.

[Image: Fortigate SIP Matrix]


Additional important notes about session-helper

The SIP session-helper should not be used. Do not disable the SIP ALG, that is, do not set default-voip-alg-mode to kernel-helper-based under config system settings.

Whether the SIP entry in config system session-helper is deleted or not has no influence on SIP ALG operation, which is the recommended way of handling SIP.

The session-helper exists ONLY for compatibility reasons and has not yet been completely removed.

The SIP ALG is a proxy-based feature, which means the firewall policy handling SIP traffic must be in proxy inspection mode.

Flow-mode SIP inspection (performed by the IPS engine) is only required when MSRP scanning is needed. Avoid it if possible.
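As an added example, not taken from the article or from Fortinet documentation: FortiOS CLI showing the setting the article warns against beside the recommended one, a proxy-mode policy with deep inspection so that SIP over TLS is recognised as SIP, and the commands used to verify what the FortiGate is doing. The policy ID, interface names, the voip profile name "sip-alg" and the custom service name "SIP-TLS" are assumed; the system settings, policy options and diagnose commands are standard FortiOS CLI.

```fortios
# Added example (not from the KB article). Names and IDs are assumed.

# --- Weak: SIP handed to the legacy kernel session helper (article says: do not do this) ---
config system settings
    set default-voip-alg-mode kernel-helper-based
end

# --- Recommended: proxy-based SIP ALG. These ports are what the ALG matches on;
#     SIP on any other port is not detected unless added here. ---
config system settings
    set default-voip-alg-mode proxy-based
    set sip-udp-port 5060
    set sip-tcp-port 5060
    set sip-ssl-port 5061
end

# VoIP profile with SIP inspection enabled (profile name assumed)
config voip profile
    edit "sip-alg"
        set feature-set proxy
        config sip
            set status enable
        end
    next
end

# Service object for SIP over TLS (name assumed); "SIP" and "HTTPS" are built-in services
config firewall service custom
    edit "SIP-TLS"
        set tcp-portrange 5061
    next
end

# The policy must be proxy-mode for the ALG to run. deep-inspection decrypts
# SIP+TLS (5061) and SIP on 443 so the ALG can identify it as a SIP call.
config firewall policy
    edit 10
        set name "voip-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP" "SIP-TLS" "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set voip-profile "sip-alg"
    next
end

# --- Verification ---
# Confirm the ALG mode and the ports SIP is detected on
show system settings | grep -i sip

# Helper entries may or may not be present; in proxy-based mode they do not matter
show system session-helper

# Look at live sessions on the configured SIP port
diagnose sys session filter dport 5060
diagnose sys session list
```

The first config system settings block is the state to avoid and is shown only for contrast; applying both blocks in order leaves the recommended proxy-based mode in place. If the policy is later switched to flow mode, the ALG stops handling SIP regardless of default-voip-alg-mode, which is the case the matrix describes as offering almost no SIP-related checks.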