Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.0.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    system session-helper

    system session-helper

    FortiOS uses session helpers to process sessions that have special requirements. Session helpers function like proxies by getting information from the session and performing support functions required by the session. For example:

    • The SIP session helper looks inside SIP messages and performs NAT (if required) on the IP addresses in the SIP message and opens pinholes to allow media traffic associated with the SIP session to pass through the FortiGate unit.
    • The FTP session helper can keep track of multiple connections initiated from a single FTP session. The session helper can also permits an FTP server to actively open a connection back to a client program.
    • The TNS session helper sniffs the return packet from an initial 1521 SQLNET exchange and then uses the port and session information uncovered in that return TNS redirect packet to add a temporary firewall policy that accepts the new port and IP address supplied as part of the TNS redirect.

    The session helper configuration binds a session helper to a TCP or UDP port and protocol. When a session is accepted by a firewall policy on that port and protocol the FortiOS passes the session to the session helper configured with this command. The session is processed by the session helper.

    If your FortiGate accepts sessions that require a session helper on different ports than those defined by the session-helper configuration, then you can add more entries to the session helper configuration. Its OK to have multiple session helper configurations for a given protocol because only the matching configuration is used.

    Use the show system session-helper command to view the current session helper configuration.

    FortiOS includes the following session helpers (in the following table protocol 6 is TCP and protocol 17 is UDP):

    Session Helper Description Protocol Port
    pptp Point to point tunneling protocol (PPTP). 6 1723
    h323 H.323 protocol for for multimedia including VoIP. 6 1720
    ras Remote access service (RAS) protocol. 17 1719
    tns Oracle transparent network substrate protocol (TNS or SQLNET). 6 1521
    tftp Trivial file transfer protocol (TFTP). 17 69
    rtsp Real Time Streaming Protocol (RTSP). 6 554, 7070, 8554
    ftp File transfer protocol (FTP). 6 21
    mms Multimedia message service (MMS) protocol. 6 1863
    pmap Port mapper (PMAP) protocol. 6, 17 111
    sip Session initiation protocol (SIP) for multimedia including VoIP. 17 5060
    dns-tcp Domain name service (DNS) using the UDP protocol. 6 53
    dns-udp Domain name service (DNS) using the UDP protocol. 17 53
    rsh Remote shell protocol (RSH). 6 514, 512
    dcerpc Distributed computing environment / remote procedure calls protocol (DCE/RPC). 6, 17 135
    mgcp Media gateway control protocol (MGCP). 17 2427 
    config system session-helper
    edit {id}
    # Configure session helper.
        set id {integer}   Session helper ID. range[0-4294967295]
        set name {option}   Helper name.
                ftp      FTP.
                tftp     TFTP.
                ras      RAS.
                h323     H323.
                tns      TNS.
                mms      MMS.
                sip      SIP.
                pptp     PPTP.
                rtsp     RTSP.
                dns-udp  DNS UDP.
                dns-tcp  DNS TCP.
                pmap     PMAP.
                rsh      RSH.
                dcerpc   DCERPC.
                mgcp     MGCP.
                gtp-c    GTP-C.
                gtp-u    GTP-U.
                gtp-b    GTP-B.
        set protocol {integer}   Protocol number. range[0-255]
        set port {integer}   Protocol port. range[1-65535]
    next
end
    Previous
    Next

    system session-helper

    system session-helper

    FortiOS uses session helpers to process sessions that have special requirements. Session helpers function like proxies by getting information from the session and performing support functions required by the session. For example:

    • The SIP session helper looks inside SIP messages and performs NAT (if required) on the IP addresses in the SIP message and opens pinholes to allow media traffic associated with the SIP session to pass through the FortiGate unit.
    • The FTP session helper can keep track of multiple connections initiated from a single FTP session. The session helper can also permits an FTP server to actively open a connection back to a client program.
    • The TNS session helper sniffs the return packet from an initial 1521 SQLNET exchange and then uses the port and session information uncovered in that return TNS redirect packet to add a temporary firewall policy that accepts the new port and IP address supplied as part of the TNS redirect.

    The session helper configuration binds a session helper to a TCP or UDP port and protocol. When a session is accepted by a firewall policy on that port and protocol the FortiOS passes the session to the session helper configured with this command. The session is processed by the session helper.

    If your FortiGate accepts sessions that require a session helper on different ports than those defined by the session-helper configuration, then you can add more entries to the session helper configuration. Its OK to have multiple session helper configurations for a given protocol because only the matching configuration is used.

    Use the show system session-helper command to view the current session helper configuration.

    FortiOS includes the following session helpers (in the following table protocol 6 is TCP and protocol 17 is UDP):

    Session Helper Description Protocol Port
    pptp Point to point tunneling protocol (PPTP). 6 1723
    h323 H.323 protocol for for multimedia including VoIP. 6 1720
    ras Remote access service (RAS) protocol. 17 1719
    tns Oracle transparent network substrate protocol (TNS or SQLNET). 6 1521
    tftp Trivial file transfer protocol (TFTP). 17 69
    rtsp Real Time Streaming Protocol (RTSP). 6 554, 7070, 8554
    ftp File transfer protocol (FTP). 6 21
    mms Multimedia message service (MMS) protocol. 6 1863
    pmap Port mapper (PMAP) protocol. 6, 17 111
    sip Session initiation protocol (SIP) for multimedia including VoIP. 17 5060
    dns-tcp Domain name service (DNS) using the UDP protocol. 6 53
    dns-udp Domain name service (DNS) using the UDP protocol. 17 53
    rsh Remote shell protocol (RSH). 6 514, 512
    dcerpc Distributed computing environment / remote procedure calls protocol (DCE/RPC). 6, 17 135
    mgcp Media gateway control protocol (MGCP). 17 2427 
    config system session-helper
    edit {id}
    # Configure session helper.
        set id {integer}   Session helper ID. range[0-4294967295]
        set name {option}   Helper name.
                ftp      FTP.
                tftp     TFTP.
                ras      RAS.
                h323     H323.
                tns      TNS.
                mms      MMS.
                sip      SIP.
                pptp     PPTP.
                rtsp     RTSP.
                dns-udp  DNS UDP.
                dns-tcp  DNS TCP.
                pmap     PMAP.
                rsh      RSH.
                dcerpc   DCERPC.
                mgcp     MGCP.
                gtp-c    GTP-C.
                gtp-u    GTP-U.
                gtp-b    GTP-B.
        set protocol {integer}   Protocol number. range[0-255]
        set port {integer}   Protocol port. range[1-65535]
    next
end
    Previous
    Next