This article describes how to disable SIP-inspection on FortiGate and what are the consequences.
In most cases, Fortinet recommends the use of SIP/SCCP proxy/ALG (called SIP-ALG even though it does not handle only SIP traffic).
The alternative in FortiGate is SIP-helper (obsolete, provides very basic pinhole opening service).
In some cases, other vendors recommend disabling the SIP inspection altogether on the FortiGate (please note the date and FortiGate model of those outdated articles!!).
DO NOT DISABLE SIP INSPECTION UNLESS ALL THE IMPLICATIONS ARE UNDERSTOOD.
MOST CERTAINLY, THIS IS NOT THE FIRST TROUBLESHOOTING ACTION TO TAKE!
Use of an Application Layer Gateway (ALG), allows for:
1) Modification of IP addresses in the application payload when NAT is used.
2) Dynamic opening of data ports ('pinholes') as required to allow audio traffic. Otherwise, sip-helper can open these ports on a very basic Layer4 logic, or firewall policies need to statically open a wide range of ports for RTP/audio (through a VIP).
3) Inspection and logging of VoIP traffic
For more details on the benefits of the SIP ALG in FortiOS, as well as information on how to troubleshoot SIP issues, consult the VoIP Solutions of the FortiOS handbook.
This is available in the Fortinet Document Library.
This article explains how to disable the use of SIP or SCCP proxy/ALG and/or session-helper. In this mode, FortiGate will be acting as a basic firewall. Reasons to disable VoIP inspection might include:
1) Troubleshooting (to isolate the problem).
2) As a workaround, either to address incorrect FortiGate SIP ALG behavior or to allow non-standard SIP handling in the overall VoIP deployment.
Since FortiOS 5.2, the FortiOS default is for all SIP traffic to be handled by the FortiOS proxy/ALG.
In FortiOS 5.0, if VoIP profile is not applied, the SIP session helper will be applied.
In preparation for removing SIP proxy & session helper functionality, two steps are required.
1) Modify the local SIP server (if NAT is used).
If the SIP traffic is NAT'd when passing through the FortiGate, the SIP server must be configured to use its public IP address in the application header. All other VoIP equipment must also refer to the SIP server by its public IP.
2) Open up corresponding audio ports through VIP on the FortiGate.
Firewall policies must now explicitly allow all UDP ports to be opened for the audio traffic (and not only the SIP 5060 or SCCP 2000 control ports).
Disabling SIP inspection can be done partially <disabling SIP-ALG (Layer7), keeping SIP-helper (Layer4) > or completely <disabling both>.
Note1: When a firewall policy has a voip-profile applied, SIP-ALG is used over SIP session-helper, even if disabled.
Note2: disabling SIP session-helper is only necessary if ALL the SIP inspection must be removed.
The commands associated to SIP-helper will not be relevant if the FortiGate is using SIP-ALG. Fine-tuning SIP-ALG is done through the voip profile.
Note3: Multi-vdom considerations: sip-helper is a global setting. Deleting sip-helper from global context, will make it inaccessible for all VDOMs. SIP-ALG is enabled (by default) and can be disabled per-vdom.
Below are the steps involved in disabling the SIP session-helper :
1) Removing the corresponding session helper. Check the ID of the sip session helper:
# config system session-helper
Among the displayed settings will be one similar to the following example:
set name sip
set protocol 17
set port 5060
Here entry 13 is the one which points to SIP traffic which uses UDP port 5060 for signaling.
In this example, the next commands to remove the corresponding entry would be:
Note that it is not necessary for the SIP entry to be 13, so cross verify which entry has the sip helper settings.
2) Change the default–voip–alg-mode to disable SIP-ALG.
By default, SIP-ALG is enabled, and only by the following command which can be verified with 'show full'.
# config system settings
set default-voip-alg-mode proxy-based
By running the following command, we tell the FortiGate to disable SIP-ALG (proxy-based) and use SIP-helper (kernel-helper-based):
# config system settings
set default-voip-alg-mode kernel-helper-based
NOTE1: The command 'set sip-helper enable | disable' is not designed to enable | disable sip-helper. Instead, the purpose of the command is to control whether or not the pin-hole is created in order to decrease the number of pinhole, as the command-help says:
'Enable/disable helper to add dynamic SIP firewall allow rule' // 'Enable/disable the SIP kernel session helper to create an expectation for port 5060.'
(since version 6.2.2 the CLI command is different: set sip-expectation disable)
NOTE2: The command 'sip-nat-trace enable | disable' is not designed to enable | disable sip-helper. This command is in effect ONLY when SIP session-helper is used (ONLY when 'set default-voip-alg-mode kernel-helper-based' AND 'SIP session helper is present/not deleted'). As the command-help says: 'Enable/disable recording the original SIP source IP address when NAT is used'.
3) Either clear sessions or reboot the FortiGate to ensure changes take effect
- To clear sessions
Ideally, sessions related to VoIP traffic are deleted.
However, in the case of SIP, this means not only deleting the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic.
Knowing the port-range used for the audio traffic, sessions clear can be selected by first applying a filter as follows:
# diagnose system session filter ...
The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt all traffic!
# diagnose system session clear
- Alternatively, reboot the FortiGate using either GUI or CLI. The CLI command is:
# execute reboot
Note: It is also possible to disable SIP-ALG from the VoIPprofile if needed.
In this case, the SIP traffic will be handled by the SIP-helper even if the default-voip-alg-mode is set to proxy-based:
This allows SCCP to be handled by SIP-ALG and SIP by sip session-helper
# config voip profile
set status disable
Special Note: Disabling SIP session helper with VDOMs enabled.
If VDOMs are enabled, disable the session helper from global as the session helper setting is a global parameter, and is not available under any particular VDOM.
Since this is a global setting, removing or disabling the session-helper globally affects all the VDOMs.
# config global
(global)# config system session-helper
There might be scenarios where in a particular VDOM, let’s say VDOM-A, might have to use the session-helper settings for the SIP traffic processing and VDOM-B needs to have the session-helper disabled so that SIP traffic passing through VDOM-B is not inspected by the SIP session-helper.
In such cases the below settings can be used:
# config firewall service custom
(custom) edit SIP-Helper-disable
(Helper-disable) set udp-portrange 5060
(Helper-disable) set helper disable
Once the above custom service with the helper set to disabled has been created, the same has to be called in the corresponding policy which allows the SIP traffic.
This will make sure that the firewall does not process the SIP traffic provided the traffic hits the corresponding policy where the custom service named Helper-disable is applied.
As it is proved by some isolated cases, this last method is not the best approach, as sip-helper may be triggered by the traffic, even when the session-helper is disabled per service SIP-Helper-disable.