Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
xsilver_FTNT
Staff
Staff

Created on ‎06-07-2022 02:31 AM Edited on ‎10-10-2024 11:01 AM By Staff

Article Id 213978

Troubleshooting Tip: VoIP traffic logging as a troubleshooting and monitoring tool

Description This article describes how to use logging in VoIP profiles to monitor traffic and/or troubleshoot VoIP related issues in SIP or SCCP protocols.
Scope FortiOS.
Solution

FortiOS provides considerable logging capabilities.

However, logging must be properly configured for VoIP.
This article explains how to set it up, starting with the respective firewall policies.

 

The following is an example of how to log all traffic, but logging UTM only (which is the default option) is a possible option:

 

config firewall policy
    edit 17
        set name "VoIP-test"
        ...

            set logtraffic all
        ...

    next
end

 

This is necessary to get logs from policies.

 

After setting this up, no VoIP related logs will be visible yet.

To make them available, more steps are required:

 

  1. To see logs in the GUI under 'Log & Report', enable this feature first:

 

Via the CLI:

 

system settings
    set gui-voip-profile enable

end

 

Via the GUI:

 

Navigate to System -> Feature Visibility -> 'Additional Features' (which is the longest column) and toggle the 'VoIP' switch to the green 'on' state, then Apply the changes at the bottom of the page.

 

 

  1. It is necessary to have logging set up on a per-policy level and enable the feature visibility. However, there will still be no logs on problematic VoIP traffic because it is necessary to set logging in VoIP profiles.

 

Note that current FortiOS versions handle all the spotted SIP and SCCP traffic with an ALG proxy by default.

 

This is based on the default value of a per-VDOM option:

 

config system settings

    set default-voip-alg-mode proxy-based

end

 

If there are not any other specific per-policy 'set voip-profile' parameters, the 'default' VoIP profile is used for all SIP/SCCP traffic in that VDOM.

 

Therefore, it is possible to choose to modify the 'default' profile and apply that changed profile to all of the SIP/SCCP traffic inside a specific VDOM.

 

Alternatively, it is possible to create a custom VoIP profile and use that one inside the firewall policies.

Therefore those policies will use a customized profile, while SIP/SCCP traffic passing through other firewall policies (which has no voip-profile) will use the 'default' profile instead.

 

Note:

This can also be used to completely disable SIP or SCCP handling inside VDOM, meaning that SIP/SCCP traffic will be treated as any other TCP/UDP packets. No special benefits like expectation sessions will be opened by ALG.

 

The typically recommended first step in troubleshooting is to set up a have specific profile like that, applied in a test policy to handle calls to and from a specific test phone, limited inside policy by source address (or other 'filters' like destination ports/addresses etc):

 

config voip profile

    edit "default"

 

  • Create a new profile and name it as desired, but use the same name in 'set voip-profile' inside the firewall policy, or clone it and then edit it.
  • Alternatively, have individual profiles used inside policies intentionally made to handle VoIP traffic and have a 'default' profile tweaked with logging enabled to see unintended flows!

 

config sip

    set block-long-lines disable

 

This is enabled by default, making it possible to observe logged violations.

 

Some VoIP network elements may not be fully compliant with RFCs and may have vendor-specific 'enhancements', extending content too much. For testing or initial setup, disable that blocking temporarily.

 

    set block-unknown disable

 

Enabled by default, similarly to 'block-long-lines', but blocks non-RFC custom headers.

 

    set log-violations enable

 

Disabled by default. Enable it to ensure logging of problematic messages.

 

    set ips-rtp disable

 

Disabled by default, which prevents HW offloading and IPS to intercept/scan on the RTP stream. The default value may cause problems on NP2/NP4.

 

set strict-register enable


Disabled by default as of FortiOS 4.2 and 5, but enabled by default as of FortiOS 6.x and above.

Significantly improves SIP security, making it highly recommended to enable.

Disable it during initial setup, testing, or troubleshooting for simplicity.

 

Important: Enable this once the initial phase is over and retest after it is enabled.

 

The above example is for an SIP handler in the ALG settings of 'voip profile'.

However, the same 'log-violations' option exists in the SCCP ALG handler as well.

 

Below is an example with both loggers enabled:

 

config voip profile

    edit "default"

        set comment "Default VoIP profile."

        config sip

            set log-violations enable

        end

        config sccp

            set log-violations enable

        end

    next

end

 

  1. Logs should now be visible.

 

In the GUI (with an example):

 

xsilver_FTNT_0-1654592476044.png

 

(Note that the location of the VoIP log in the GUI slightly changed. As of version 7.2.4++, the VoIP section is under Security Events.)

 

 

voip-log-security-events_FOS-7.2.5.jpg

 

 

 

CLI example:

 

exec log filter reset

exec log filter category 8

exec log display

1 logs found.

1 logs returned.

 

1: date=2022-03-01 time=09:42:43 eventtime=1646124163918217418 tz="+0100" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="root" session_id=15999012 epoch=0 event_id=5 srcip=10.42.XXX.YYY  src_port=34873 dstip=172.AAA.BBB.CCC dst_port=5060 proto=17 src_int="N/A" dst_int="EMEA-XXX" policy_id=17 profile="default" voip_proto="sip" kind="register" action="permit" status="succeeded" duration=0 dir="session_origin" call_id="AKVHo8USVyfAe7rDE5t7HQ.." from="sip:6XXXXXX@172.AAA.BBB.CCC;transport=UDP" to="sip:6XXXXXX@172.AAA.BBB.CCC;transport=UDP"

#

 

Those logs will assist with diagnosing the causes of blocked messages in SIP/SCCP proxy stats.
And also helps you to trace unintended VoIP traffic flows, or troubleshoot other related issues.

 

For example:

xsilver_FTNT_2-1654593007417.png

 

Final notes.


ALG inside FortiOS uses this 'default' VoIP profile as the default/implicit profile whenever it is in stream and needs to handle SIP / SCCP, but there is no explicitly stated 'set voip-profile <name>' in the firewall policy. This is the case as of version 5.


When creating new VoIP profiles, apply them as 'set voip-profile' into firewall policies previously made to handle VoIP traffic. Take care to also modify the 'default' VoIP profile and set it to log all violations. Then, if it will be used by ALG as an implicit profile, it will be possible to track the overflows and unintended flows when some of the VoIP flows through policies which were not intended to be used.

FortiOS 7 introduced flow based policies ('set inspection-mode flow') as the default state and IPS is a default handler for those. Pay extra attention to inspection modes. It is recommended to set the inspection to proxy and always use explicitly stated VoIP profiles in policies expected to handle the traffic.

 

Related documents:
8715
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.