AlexC-FTNT
Staff
Article Id 333479
Description

This article describes the steps to take when SIP INVITE or SIP OPTIONS packets appear to be blocked by the FortiGate.

Scope

FortiOS 6.4 and above.

Solution

First, note that SIP traffic handled by the SIP session-helper or ipsengine (flow-mode policy) is not discussed in this article.

These setups are outdated and there are no settings available to adjust for these modes. Confirm that the traffic is being handled by SIP-ALG by running the following command:

diagnose sys sip-proxy stats

If this command returns an error, SIP-ALG is not enabled.

If it returns a table of counters, the columns show how many packets SIP ALG has blocked and for which reason.

See Technical Tip: SIP useful Commands for an example screenshot.

When INVITE and OPTIONS are blocked, it is very likely that the counter under the 'UNKNOWN' column is also increasing, possibly with the same value.

This means that the SIP client or PBX is adding headers or options to the SIP message that are not strictly compliant with the SIP RFC.

The solution that does not compromise security is to adjust the settings in the client/PBX.

This can be done after collecting a packet capture and analyzing it with a packet analyzer (for example, Wireshark) to identify which headers or lines the SIP ALG does not recognize.
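To make the capture analysis repeatable, the following added example (not part of this article, and not Fortinet code) audits a single SIP request the way an engineer would when reading it in Wireshark: it lists header names that are not defined in RFC 3261, flags header lines longer than a threshold, and reports any of the six mandatory request headers that are missing. The RFC 3261 header set is reproduced from the RFC; headers registered by later RFCs are deliberately left out so they surface for review. The line-length threshold and both SIP messages are constructed for this example; the threshold is not the limit FortiGate applies for block-long-lines.

```python
import re

# Header field names defined in RFC 3261, section 20, plus their compact forms.
# Assumption for this example: headers registered by later RFCs (Event,
# P-Asserted-Identity, Allow-Events, ...) are deliberately left out so that
# they are reported as "non-core" and can be reviewed against the PBX config.
RFC3261_HEADERS = {
    "accept", "accept-encoding", "accept-language", "alert-info", "allow",
    "authentication-info", "authorization", "call-id", "call-info", "contact",
    "content-disposition", "content-encoding", "content-language",
    "content-length", "content-type", "cseq", "date", "error-info", "expires",
    "from", "in-reply-to", "max-forwards", "mime-version", "min-expires",
    "organization", "priority", "proxy-authenticate", "proxy-authorization",
    "proxy-require", "record-route", "reply-to", "require", "retry-after",
    "route", "server", "subject", "supported", "timestamp", "to",
    "unsupported", "user-agent", "via", "warning", "www-authenticate",
}
COMPACT_FORMS = {
    "i": "call-id", "m": "contact", "e": "content-encoding",
    "l": "content-length", "c": "content-type", "f": "from",
    "s": "subject", "k": "supported", "t": "to", "v": "via",
}
# RFC 3261 section 8.1.1: every request must carry these six headers.
REQUIRED_REQUEST_HEADERS = {"to", "from", "cseq", "call-id", "max-forwards", "via"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def audit_sip_request(raw, max_line_len=256):
    """Return a report on one SIP request as captured on the wire.

    max_line_len is a constructed threshold for this example, not the
    length limit FortiGate applies for block-long-lines.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    report = {"method": None, "non_core_headers": [], "long_lines": [],
              "missing_required": [], "malformed_lines": []}
    match = REQUEST_LINE.match(lines[0])
    if not match:
        report["malformed_lines"].append(lines[0])
        return report
    report["method"] = match.group(1)

    seen = set()
    for line in lines[1:]:
        if line == "":          # empty line ends the header section
            break
        if len(line) > max_line_len:
            report["long_lines"].append(line[:40] + "...")
        if line[0] in " \t":    # folded continuation of the previous header
            continue
        name, sep, _ = line.partition(":")
        if not sep or not name.strip():
            report["malformed_lines"].append(line)
            continue
        key = name.strip().lower()
        key = COMPACT_FORMS.get(key, key)
        seen.add(key)
        if key not in RFC3261_HEADERS:
            report["non_core_headers"].append(name.strip())
    report["missing_required"] = sorted(REQUIRED_REQUEST_HEADERS - seen)
    return report


# Constructed sample INVITE: one vendor header and an oversized Allow line.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "To: Bob <sip:bob@example.com>",
    "From: Alice <sip:alice@example.com>;tag=1928301774",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.0.2.10>",
    "X-PBX-Tenant: branch-office-7",
    "Allow: " + ", ".join(["INVITE"] * 60),
    "Content-Length: 0",
]) + "\r\n\r\n"

# Constructed sample OPTIONS keep-alive that omits the mandatory Max-Forwards.
SAMPLE_OPTIONS = "\r\n".join([
    "OPTIONS sip:pbx.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc123",
    "To: <sip:pbx.example.com>",
    "From: <sip:monitor@192.0.2.10>;tag=1",
    "Call-ID: keepalive-1@192.0.2.10",
    "CSeq: 1 OPTIONS",
    "Content-Length: 0",
]) + "\r\n\r\n"

if __name__ == "__main__":
    for msg in (SAMPLE_INVITE, SAMPLE_OPTIONS):
        print(audit_sip_request(msg))
```

Feed the function the raw request text exported from Wireshark (Follow UDP/TCP stream, or the SIP message bytes). Anything listed under non_core_headers, long_lines or missing_required is a candidate for adjustment on the client or PBX before any VoIP profile setting is relaxed.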

 

If adjustment on the client / PBX is not possible, the FortiGate can be configured with a more relaxed VoIP profile.

The settings that can be changed (CLI only) are as follows:

config voip profile
    edit default
        config sip
            set block-unknown disable
            set unknown-header disable
            set block-long-lines disable
            set block-options disable
            set block-invite disable
        end
    next
end

Default values: block-unknown = enable, unknown-header = enable, block-long-lines = enable, block-options = disable, block-invite = disable. Each setting that is disabled removes one check, so only relax the settings whose counters are increasing in the sip-proxy statistics.

If the sip-proxy statistics show the packets being counted as malformed rather than 'unknown', the corresponding malformed-header settings in the same config sip block can be relaxed in the same way.

Ultimately, in the unlikely scenario that none of these options allows the INVITE/OPTIONS packets to pass the FortiGate, the remaining option is to disable SIP inspection entirely, which removes all call security the FortiGate offers (see Technical Tip: Disabling VoIP Inspection):

config voip profile
    edit default
        config sip
            set status disable
        end
    next
end
