Created on 08-29-2023 01:55 AM
Edited on 08-28-2024 03:27 AM
By Jean-Philippe_P
Description
This article explains the recommended scenarios for the use of each VoIP mode that is available on a FortiGate firewall.
Scope
Any supported version of FortiGate.
Solution
The following VoIP modes are available on the FortiGate firewall:
- kernel-helper-based.
- proxy-based.
See the FortiGate documentation page for an explanation of these settings.
Use the following CLI command to review the VoIP mode:
config system settings
    set default-voip-alg-mode ?
The query will return the following:
proxy-based: Use a default proxy-based VoIP ALG.
kernel-helper-based: Use the SIP session helper.
- kernel-helper-based.
  - A SIP session helper is used when the firewall is processing VoIP traffic in kernel-helper-based mode.
  - SIP session helpers run in the kernel.
A SIP session helper is used when traffic does not match a policy that includes a VoIP security profile and the VoIP mode is set to kernel-helper-based.
Please note that the SIP session-helper is a legacy feature existing for compatibility reasons. It is not recommended to use a SIP session-helper to perform a SIP inspection. Please use SIP ALG instead.
- proxy-based.
  - proxy-based is set by default.
  - SIP ALG is used when the firewall is processing VoIP traffic in proxy-based mode.
  - SIP ALG runs as a user space process.
SIP ALG is used in the following conditions:
- If traffic matches a policy that includes a VoIP security profile. In this case SIP ALG is used regardless of the VoIP mode set under system settings (the VoIP security profile requires the firewall policy to be in proxy-based inspection mode).
- When traffic does not match a policy that includes a VoIP security profile and the VoIP mode is set to proxy-based.
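The two selection rules above, applied to a configuration backup, as an added example that is not part of the original article or of Fortinet's tooling: the script reports, per firewall policy, whether matching SIP traffic would be handled by SIP ALG or by the legacy session helper. It assumes a single-VDOM backup in the config/edit/set/next/end layout; SAMPLE_CONFIG is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a FortiGate configuration backup (not from the article).
SAMPLE_CONFIG = '''\
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config firewall policy
    edit 1
        set name "voice-to-pbx"
        set inspection-mode proxy
        set voip-profile "default"
    next
    edit 2
        set name "lan-to-wan"
    next
end
'''

def parse_sections(text):
    """Return {section: {entry id or None: {option: value}}} for top-level config blocks."""
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # nested config blocks are skipped
                section, entry = line[len("config "):], None
                sections.setdefault(section, {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section].setdefault(entry, {})
        elif depth == 1 and line == "next":
            entry = None
        elif depth == 1 and (m := re.match(r"set (\S+) (.+)", line)):
            sections[section].setdefault(entry, {})[m.group(1)] = m.group(2).strip('"')
    return sections

def sip_handler_per_policy(text):
    """Apply the article's two rules; an unset mode means the default, proxy-based."""
    cfg = parse_sections(text)
    mode = cfg.get("system settings", {}).get(None, {}).get("default-voip-alg-mode", "proxy-based")
    result = {}
    for pid, opts in cfg.get("firewall policy", {}).items():
        uses_alg = "voip-profile" in opts or mode == "proxy-based"
        result[pid] = "SIP ALG" if uses_alg else "SIP session helper (legacy)"
    return result
```

Policies reported as using the session helper are the ones to review against the recommendation above to use SIP ALG instead.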
As a final verification, use this guide to see which mode is used:
Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG