FortiGate
gmanea
Staff
Article Id 193831

Description


This article describes one possible quick fix for SIP calls when VoIP calls stop working after a FortiGate is deployed in the network.

 

Scope

 

FortiGate.

 

Solution


General considerations

When a FortiGate (which is SIP-aware) replaces a router (which performed no VoIP inspection), the following two aspects must be considered.

Registration
Before a SIP call can be established, a phone (or softphone) must first register to a SIP server. By default this happens on port 5060.
Outgoing SIP traffic is normally allowed as long as a policy exists (lan > wan), so an outgoing REGISTER packet meets no obstacle.
When the SIP server is located on the internal network, or the registration is initiated by the SIP server (for example, following an HTTPS request), port 5060 must also be opened inbound through a VIP (wan > lan), with an associated firewall policy that references the VIP object as destination.

Calls
To establish a phone call, an INVITE is sent to the SIP server over port 5060. In the SDP body of this packet, the audio (RTP) port is negotiated.
The FortiGate must have visibility of this packet, read the negotiated port and create a 'blank' session for it; otherwise, when the audio traffic arrives, no session exists and it is dropped. These sessions are called expectations.

Visibility: one of two mechanisms MUST be enabled, the SIP session helper (default until FortiOS 5.4) or the SIP ALG (default in newer versions).
With no visibility, the FortiGate will not create a session expectation and will not allow the negotiated audio (RTP) traffic through.

Solution
In certain cases, as some SIP-server vendors recommend, SIP inspection must be disabled completely on the FortiGate.

Make sure to understand the requirements of the SIP vendor before doing this!

When BOTH SIP mechanisms are disabled, nothing opens the negotiated audio port dynamically, so the required ports MUST be opened manually through a VIP.

Create a VIP that covers the range of UDP ports specified by the SIP provider for RTP/audio.
Failing to do so will likely result in one-way audio (outgoing audio is OK, but the remote side cannot be heard).

Also make sure that the SIP phone (or PBX) is configured to use the same accepted range of audio ports.
Failing to do so will likely result in no audio or one-way audio (incoming audio is OK, but the remote side cannot hear the user).
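The procedure above expressed as FortiOS CLI configuration, added here as an illustration; it is not taken from the article or from Fortinet documentation. The interface names (wan1, internal), the addresses (203.0.113.10 as the public IP, 192.168.1.20 as the internal PBX, 198.51.100.0/24 as the provider's range), the object names, the session-helper entry number and the RTP range 10000-20000 are all assumptions: replace them with the values given by the SIP provider.

```fortios
# 1. Disable both SIP inspection mechanisms (config system settings is per VDOM).
#    The session-helper entry number for "sip" varies between releases: run
#    "show" inside config system session-helper and delete the entry whose name is sip.
config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set default-voip-alg-mode kernel-helper-based
end
config system session-helper
    show
    # assumed: entry 13 is the "sip" helper (name sip, protocol 17, port 5060) on this unit
    delete 13
end

# 2. Objects: the provider's signalling/media source range (assumed) and a custom
#    service for the RTP port range the provider specified (assumed 10000-20000).
config firewall address
    edit "SIP_Provider"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall service custom
    edit "RTP_10000-20000"
        set udp-portrange 10000-20000
    next
end

# 3. VIPs: SIP signalling on UDP 5060 and the whole RTP range, both forwarded to
#    the internal PBX. With inspection off, no expectation sessions are created,
#    so the complete range has to be forwarded statically.
config firewall vip
    edit "VIP_SIP_5060"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.20"
        set protocol udp
        set extport 5060
        set mappedport 5060
    next
    edit "VIP_RTP_10000-20000"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.20"
        set protocol udp
        set extport 10000-20000
        set mappedport 10000-20000
    next
end

# 4. Inbound policy (wan > lan) with the VIP objects as destination, restricted to
#    the provider's source range. No voip-profile is applied, so nothing re-inspects SIP.
config firewall policy
    edit 0
        set name "Provider_to_PBX_SIP_RTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "SIP_Provider"
        set dstaddr "VIP_SIP_5060" "VIP_RTP_10000-20000"
        set action accept
        set schedule "always"
        set service "SIP" "RTP_10000-20000"
        set nat disable
    next
end
```

The existing outgoing (lan > wan) policy that lets REGISTER and INVITE leave stays unchanged. With inspection disabled the FortiGate no longer rewrites SIP headers or SDP bodies to the public address, so the PBX or phones must handle NAT themselves (for example by being configured with the public IP 203.0.113.10 as their external address), which is the vendor requirement the article warns about. To verify, place a call and run `diagnose sys session filter dport 5060` followed by `diagnose sys session list`: the 5060 session should no longer carry a `helper=sip` marker, and the RTP traffic should match the VIP policy rather than an expectation session.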

 

Related documents:

Technical Tip: Disabling VoIP Inspection

Technical Tip: SIP useful Commands

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: How to use the SIP ALG to prevent unwanted calls

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2

VoIP solutions