Fortinet Document Library
CLI Reference 6.0.0

voip profile

Use this command to add VoIP profiles for SIP, SIMPLE, and SCCP. To apply the SIP ALG, you add a VoIP profile to a firewall policy that accepts SIP sessions. All SIP sessions accepted by the firewall policy will be processed by the SIP ALG using the settings in the VoIP profile. You configure SIP and SCCP settings separately. SIP settings also apply to SIMPLE sessions.

CLI Syntax

config voip profile
    edit {name}
    # Configure VoIP profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Comment. size[255]
        config sip
            set status {disable | enable}   Enable/disable SIP.
            set rtp {disable | enable}   Enable/disable create pinholes for RTP traffic to traverse firewall.
            set open-register-pinhole {disable | enable}   Enable/disable open pinhole for REGISTER Contact port.
            set open-contact-pinhole {disable | enable}   Enable/disable open pinhole for non-REGISTER Contact port.
            set strict-register {disable | enable}   Enable/disable only allow the registrar to connect.
            set register-rate {integer}   REGISTER request rate limit (per second, per policy). range[0-4294967295]
            set invite-rate {integer}   INVITE request rate limit (per second, per policy). range[0-4294967295]
            set max-dialogs {integer}   Maximum number of concurrent calls/dialogs (per policy). range[0-4294967295]
            set max-line-length {integer}   Maximum SIP header line length (78-4096). range[78-4096]
            set block-long-lines {disable | enable}   Enable/disable block requests with headers exceeding max-line-length.
            set block-unknown {disable | enable}   Block unrecognized SIP requests (enabled by default).
            set call-keepalive {integer}   Continue tracking calls with no RTP for this many minutes. range[0-10080]
            set block-ack {disable | enable}   Enable/disable block ACK requests.
            set block-bye {disable | enable}   Enable/disable block BYE requests.
            set block-cancel {disable | enable}   Enable/disable block CANCEL requests.
            set block-info {disable | enable}   Enable/disable block INFO requests.
            set block-invite {disable | enable}   Enable/disable block INVITE requests.
            set block-message {disable | enable}   Enable/disable block MESSAGE requests.
            set block-notify {disable | enable}   Enable/disable block NOTIFY requests.
            set block-options {disable | enable}   Enable/disable blocking all OPTIONS requests, including OPTIONS used as notifying messages for redundancy (compare block-geo-red-options).
            set block-prack {disable | enable}   Enable/disable block PRACK requests.
            set block-publish {disable | enable}   Enable/disable block PUBLISH requests.
            set block-refer {disable | enable}   Enable/disable block REFER requests.
            set block-register {disable | enable}   Enable/disable block REGISTER requests.
            set block-subscribe {disable | enable}   Enable/disable block SUBSCRIBE requests.
            set block-update {disable | enable}   Enable/disable block UPDATE requests.
            set register-contact-trace {disable | enable}   Enable/disable trace original IP/port within the contact header of REGISTER requests.
            set open-via-pinhole {disable | enable}   Enable/disable open pinhole for Via port.
            set open-record-route-pinhole {disable | enable}   Enable/disable open pinhole for Record-Route port.
            set rfc2543-branch {disable | enable}   Enable/disable support via branch compliant with RFC 2543.
            set log-violations {disable | enable}   Enable/disable logging of SIP violations.
            set log-call-summary {disable | enable}   Enable/disable logging of SIP call summary.
            set nat-trace {disable | enable}   Enable/disable preservation of original IP in SDP i line.
            set subscribe-rate {integer}   SUBSCRIBE request rate limit (per second, per policy). range[0-4294967295]
            set message-rate {integer}   MESSAGE request rate limit (per second, per policy). range[0-4294967295]
            set notify-rate {integer}   NOTIFY request rate limit (per second, per policy). range[0-4294967295]
            set refer-rate {integer}   REFER request rate limit (per second, per policy). range[0-4294967295]
            set update-rate {integer}   UPDATE request rate limit (per second, per policy). range[0-4294967295]
            set options-rate {integer}   OPTIONS request rate limit (per second, per policy). range[0-4294967295]
            set ack-rate {integer}   ACK request rate limit (per second, per policy). range[0-4294967295]
            set prack-rate {integer}   PRACK request rate limit (per second, per policy). range[0-4294967295]
            set info-rate {integer}   INFO request rate limit (per second, per policy). range[0-4294967295]
            set publish-rate {integer}   PUBLISH request rate limit (per second, per policy). range[0-4294967295]
            set bye-rate {integer}   BYE request rate limit (per second, per policy). range[0-4294967295]
            set cancel-rate {integer}   CANCEL request rate limit (per second, per policy). range[0-4294967295]
            set preserve-override {disable | enable}   Override i line to preserve original IPs (default: append).
            set no-sdp-fixup {disable | enable}   Enable/disable no SDP fix-up.
            set contact-fixup {disable | enable}   Fixup contact anyway even if contact's IP:port doesn't match session's IP:port.
            set max-idle-dialogs {integer}   Maximum number of established but idle dialogs to retain (per policy). range[0-4294967295]
            set block-geo-red-options {disable | enable}   Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
            set hosted-nat-traversal {disable | enable}   Hosted NAT Traversal (HNT).
            set hnt-restrict-source-ip {disable | enable}   Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
            set max-body-length {integer}   Maximum SIP message body length (0 meaning no limit). range[0-4294967295]
            set unknown-header {discard | pass | respond}   Action for unknown SIP header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-request-line {discard | pass | respond}   Action for malformed request line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-via {discard | pass | respond}   Action for malformed VIA header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-from {discard | pass | respond}   Action for malformed From header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-to {discard | pass | respond}   Action for malformed To header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-call-id {discard | pass | respond}   Action for malformed Call-ID header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-cseq {discard | pass | respond}   Action for malformed CSeq header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-rack {discard | pass | respond}   Action for malformed RAck header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-rseq {discard | pass | respond}   Action for malformed RSeq header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-contact {discard | pass | respond}   Action for malformed Contact header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-record-route {discard | pass | respond}   Action for malformed Record-Route header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-route {discard | pass | respond}   Action for malformed Route header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-expires {discard | pass | respond}   Action for malformed Expires header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-content-type {discard | pass | respond}   Action for malformed Content-Type header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-content-length {discard | pass | respond}   Action for malformed Content-Length header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-max-forwards {discard | pass | respond}   Action for malformed Max-Forwards header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-allow {discard | pass | respond}   Action for malformed Allow header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-p-asserted-identity {discard | pass | respond}   Action for malformed P-Asserted-Identity header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-v {discard | pass | respond}   Action for malformed SDP v line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-o {discard | pass | respond}   Action for malformed SDP o line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-s {discard | pass | respond}   Action for malformed SDP s line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-i {discard | pass | respond}   Action for malformed SDP i line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-c {discard | pass | respond}   Action for malformed SDP c line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-b {discard | pass | respond}   Action for malformed SDP b line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-z {discard | pass | respond}   Action for malformed SDP z line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-k {discard | pass | respond}   Action for malformed SDP k line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-a {discard | pass | respond}   Action for malformed SDP a line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-t {discard | pass | respond}   Action for malformed SDP t line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-r {discard | pass | respond}   Action for malformed SDP r line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-m {discard | pass | respond}   Action for malformed SDP m line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set provisional-invite-expiry-time {integer}   Expiry time for provisional INVITE (10 - 3600 sec). range[10-3600]
            set ips-rtp {disable | enable}   Enable/disable allow IPS on RTP.
            set ssl-mode {off | full}   SSL/TLS mode for encryption & decryption of traffic.
                    off   No SSL.
                    full  Client to FortiGate and FortiGate to Server SSL.
            set ssl-send-empty-frags {enable | disable}   Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).
            set ssl-client-renegotiation {allow | deny | secure}   Allow/block client renegotiation by server.
                    allow   Allow a SSL client to renegotiate.
                    deny    Abort any SSL connection that attempts to renegotiate.
                    secure  Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
            set ssl-algorithm {high | medium | low}   Relative strength of encryption algorithms accepted in negotiation.
                    high    High encryption. Allow only AES and ChaCha.
                    medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                    low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
            set ssl-pfs {require | deny | allow}   SSL Perfect Forward Secrecy.
                    require  PFS mandatory.
                    deny     PFS rejected.
                    allow    PFS allowed.
            set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version to negotiate.
                    ssl-3.0  SSL 3.0.
                    tls-1.0  TLS 1.0.
                    tls-1.1  TLS 1.1.
                    tls-1.2  TLS 1.2.
            set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version to negotiate.
                    ssl-3.0  SSL 3.0.
                    tls-1.0  TLS 1.0.
                    tls-1.1  TLS 1.1.
                    tls-1.2  TLS 1.2.
            set ssl-client-certificate {string}   Name of Certificate to offer to server if requested. size[35] - datasource(s): vpn.certificate.local.name
            set ssl-server-certificate {string}   Name of Certificate returned to the client in every SSL connection. size[35] - datasource(s): vpn.certificate.local.name
            set ssl-auth-client {string}   Require a client certificate and authenticate it with the peer/peergrp. size[35] - datasource(s): user.peer.name,user.peergrp.name
            set ssl-auth-server {string}   Authenticate the server's certificate with the peer/peergrp. size[35] - datasource(s): user.peer.name,user.peergrp.name
        config sccp
            set status {disable | enable}   Enable/disable SCCP.
            set block-mcast {disable | enable}   Enable/disable block multicast RTP connections.
            set verify-header {disable | enable}   Enable/disable verify SCCP header content.
            set log-call-summary {disable | enable}   Enable/disable log summary of SCCP calls.
            set log-violations {disable | enable}   Enable/disable logging of SCCP violations.
            set max-calls {integer}   Maximum calls per minute per SCCP client (max 65535). range[0-65535]
    next
end
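The following worked example is added here and is not part of the Fortinet reference: it builds a profile for a SIP trunk whose proxy and registrar are separate hosts, caps request rates and dialogs per policy, and attaches the profile to a firewall policy so the SIP ALG actually processes the sessions. The profile name, policy number, interface and address object names are assumptions, and the firewall policy keywords (utm-status, voip-profile) come from the firewall policy command rather than this page.

```text
# Added example, not Fortinet documentation. Names below are placeholders.
config voip profile
    edit "sip-trunk-limited"
        set comment "SIP trunk: RTP pinholes, rate limits and dialog caps per policy"
        config sip
            set status enable
            # Open pinholes for RTP and for the Contact port of REGISTER only.
            set rtp enable
            set open-register-pinhole enable
            set open-contact-pinhole disable
            # Proxy and registrar are different hosts, so strict-register must stay off.
            set strict-register disable
            # Per-second, per-policy limits; 0 would disable the limit.
            set register-rate 20
            set invite-rate 50
            set subscribe-rate 10
            set options-rate 10
            # Concurrent dialogs per policy, and a ceiling on idle leftovers.
            set max-dialogs 200
            set max-idle-dialogs 50
            # Drop request methods the ALG does not recognise and log every violation.
            set block-unknown enable
            set log-violations enable
            set log-call-summary enable
        end
        config sccp
            set status disable
        end
    next
end

# Attach the profile: only sessions accepted by this policy are handled by the SIP ALG.
config firewall policy
    edit 10
        set name "sip-to-trunk-provider"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "sip-phones"
        set dstaddr "sip-provider"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "sip-trunk-limited"
    next
end
```

The rate values are illustrative; size them from the observed REGISTER and INVITE volume of the deployment, since a limit set below the normal re-registration burst after an outage will itself cause an outage. With log-violations enabled, the rate-limit and block-unknown hits appear in the VoIP logs, which is where to look first when calls fail after the profile is applied.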

Additional information

The following section is for those options that require additional explanation.

config sip

Configure VoIP profile settings for SIP (and SIMPLE).

rtp {enable | disable}

Enable or disable opening pinholes for RTP traffic to traverse the FortiGate unit. Enabled by default.

open-register-pinhole {enable | disable}

Enable or disable opening a pinhole for the port number specified in the Contact header line of a SIP REGISTER message. Enabled by default.

open-contact-pinhole {enable | disable}

Enable or disable opening a pinhole for the port number specified in a Contact header line in any SIP message except a SIP REGISTER message.

strict-register {enable | disable}

Controls how pinholes are opened to allow traffic from a SIP server to pass through the FortiGate unit. If enabled the SIP ALG opens a pinhole that only accepts sessions from a single IP address (the address of the SIP server).

This option should be disabled if the SIP proxy server and SIP registrar are different entities with different IP addresses.

register-rate <rate_sec_policy_int>

Set a rate limit (per second, per policy) for SIP REGISTER requests. Set to 0 (the default) to disable rate limiting.

invite-rate <rate_sec_policy_int>

Set a rate limit (per second, per policy) for SIP INVITE requests. Set to 0 (the default) to disable rate limiting.

max-dialogs <max_int>

Maximum number of concurrent calls (or dialogs) per policy. Set to 0 (the default) to not limit dialogs.

max-line-length <length_int>

Maximum SIP header line length. The range is 78-4096 characters. If a SIP message contains a line that exceeds the maximum line length, a log message is recorded. If block-long-lines is enabled, the message is blocked and the FortiGate unit returns a SIP 413 Request Entity Too Large response. The default length is 998.

block-long-lines {enable | disable}

Enable or disable blocking SIP request messages with a header or body line that exceeds max-line-length. Enabled by default.

block-unknown {enable | disable}

Block unrecognized SIP request messages. Enabled by default.

call-keepalive <keepalive_time>

Continue tracking calls with no RTP sessions for this many minutes, and terminate the call if the time limit is exceeded. The range is 1 to 10,080 minutes. Set to 0 (the default) to disable. Call keepalive should be used with caution: enabling it adds FortiGate CPU overhead and can cause delay or jitter for the VoIP call. Also, the FortiGate unit terminates the call without sending SIP messages to end it, and if the SIP endpoints send their own messages to terminate the call after the FortiGate unit has already terminated it, those messages are blocked.

reg-diff-port {enable | disable}

Enable or disable opening a pinhole for the port number included in the Via SIP message header line. Disabled by default.

rfc2543-branch {enable | disable}

Enable to support RFC 2543-compliant SIP calls involving branch parameters that are missing or that are valid for RFC 2543 but invalid for RFC 3261. RFC 3261 is the most recent SIP RFC and obsoletes RFC 2543. This option also allows FortiGate units to support SIP calls that include Via headers missing the branch parameter. Disabled by default.

log-violations {enable | disable}

Enable or disable writing a log message when a SIP option in a VoIP profile detects a violation in a SIP message. Disabled by default.

log-call-summary {enable | disable}

Enable or disable summary content archiving of SIP calls. Enabled by default.

nat-trace {enable | disable}

Enable or disable preserving the original source IP address of the SIP message in the i= line of the SDP body. This option enables NAT with IP address conservation (also called SIP NAT tracing), which changes the contents of SIP messages by adding the source IP address of the originator of the message into the SDP i= line. The SDP i= line is used for free-form text. However, if your SIP server can retrieve information from the SDP i= line, it can be useful for keeping a record of the source IP address of the originator of a SIP message when operating in a NAT environment. You can use this feature for billing purposes by extracting the IP address of the originator of the message. Enabled by default.

subscribe-rate <rate_sec_policy_int>

Limit the number of SIP SUBSCRIBE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

message-rate <rate_sec_policy_int>

Limit the number of SIP MESSAGE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

notify-rate <rate_sec_policy_int>

Limit the number of SIP NOTIFY messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

refer-rate <rate_sec_policy_int>

Limit the number of SIP REFER messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

update-rate <rate_sec_policy_int>

Limit the number of SIP UPDATE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

options-rate <rate_sec_policy_int>

Limit the number of SIP OPTIONS messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

ack-rate <rate_sec_policy_int>

Limit the number of SIP ACK messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

prack-rate <rate_sec_policy_int>

Limit the number of SIP PRACK messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

info-rate <rate_sec_policy_int>

Limit the number of SIP INFO messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

publish-rate <rate_sec_policy_int>

Limit the number of SIP PUBLISH messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

bye-rate <rate_sec_policy_int>

Limit the number of SIP BYE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

cancel-rate <rate_sec_policy_int>

Limit the number of SIP CANCEL messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

preserve-override {enable | disable}

Enable to replace the i= line in the original message with a new i= line; disable (the default) to append the original o= line information to the end of the existing i= line. This command is used for SIP IP address conservation. Disabled by default.

no-sdp-fixup {enable | disable}

Enable this option if you do not want the FortiGate unit to perform NAT on the addresses in the SDP lines of the SIP message body. This option is disabled by default, and the FortiGate unit performs NAT on addresses in SDP lines.

contact-fixup {enable | disable}

Enable or disable performing NAT on the IP addresses and port numbers in SIP Contact header lines even if they do not match the session's IP address and port numbers. Enabled by default.

max-idle-dialogs <dialogs_perpolicy_int>

Specify the maximum number of established but idle dialogs to retain (per policy). Set to 0 (the default) to disable.

Idle dialogs would usually be dialogs that have been interrupted because of errors or problems or as the result of a SIP attack that opens a large number of SIP dialogs without closing them. This command provides a way to remove these dialogs from the dialog table and recover memory and resources being used by these open and idle dialogs.

block-geo-red-options {enable | disable}

Block OPTIONS requests, but OPTIONS requests still notify for redundancy. Disabled by default.

hosted-nat-traversal {enable | disable}

Enable or disable support for hosted NAT Traversal (HNT). HNT has different requirements for address translation. Disabled by default.

hnt-restrict-source-ip {enable | disable}

Restrict RTP source IP to be the same as SIP source IP when HNT is enabled. Disabled by default.

max-body-length <size_bytes_int>

Specify the maximum size of a SIP message body in bytes that will be processed by the SIP ALG. Larger messages are discarded. Set to 0 (the default) for no limit. This option checks the value in the SIP Content-Length header line to determine body length. The Content-Length can be larger than the actual size of a SIP message if the SIP message content is split over more than one packet. SIP messages are of variable size and the message size can change with the addition of Via and Record-Route headers.

unknown-header {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with an unknown header line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-request-line {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed request line (the first line in a SIP request message). Even if set to pass, the SIP ALG writes a log message when a malformed request line is found and log-violations is enabled. Set to pass by default.

malformed-header-via {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Via header line. Even if set to pass, the SIP ALG writes a log message when a malformed Via header is found and log-violations is enabled. Set to pass by default.

malformed-header-from {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed From header line. Even if set to pass, the SIP ALG writes a log message when a malformed From header is found and log-violations is enabled. Set to pass by default.

malformed-header-to {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed To header line. Even if set to pass, the SIP ALG writes a log message when a malformed To header is found and log-violations is enabled. Set to pass by default.

malformed-header-call-id {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Call-ID header line. Even if set to pass, the SIP ALG writes a log message when a malformed Call-ID header is found and log-violations is enabled. Set to pass by default.

malformed-header-cseq {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed CSeq header line. Even if set to pass, the SIP ALG writes a log message when a malformed CSeq header is found and log-violations is enabled. Set to pass by default.

malformed-header-rack {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed RAck header line. Even if set to pass, the SIP ALG writes a log message when a malformed RAck header is found and log-violations is enabled. Set to pass by default.

malformed-header-rseq {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed RSeq header line. Even if set to pass, the SIP ALG writes a log message when a malformed RSeq header is found and log-violations is enabled. Set to pass by default.

malformed-header-contact {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Contact header line. Even if set to pass, the SIP ALG writes a log message when a malformed Contact header is found and log-violations is enabled. Set to pass by default.

malformed-header-record-route {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Record-Route header line. Even if set to pass, the SIP ALG writes a log message when a malformed Record-Route header is found and log-violations is enabled. Set to pass by default.

malformed-header-route {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Route header line. Even if set to pass, the SIP ALG writes a log message when a malformed Route header is found and log-violations is enabled. Set to pass by default.

malformed-header-expires {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Expires header line. Even if set to pass, the SIP ALG writes a log message when a malformed Expires header is found and log-violations is enabled. Set to pass by default.

malformed-header-content-type {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Content-Type header line. Even if set to pass, the SIP ALG writes a log message when a malformed Content-Type header is found and log-violations is enabled. Set to pass by default.

malformed-header-content-length {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Content-Length header line. Even if set to pass, the SIP ALG writes a log message when a malformed Content-Length header is found and log-violations is enabled. Set to pass by default.

malformed-header-max-forwards {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Max-Forwards header line. Even if set to pass, the SIP ALG writes a log message when a malformed Max-Forwards header is found and log-violations is enabled. Set to pass by default.

malformed-header-allow {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Allow header line. Even if set to pass, the SIP ALG writes a log message when a malformed Allow header is found and log-violations is enabled.

malformed-header-p-asserted-identity {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed P-Asserted-Identity header line. Even if set to pass, the SIP ALG writes a log message when a malformed P-Asserted-Identity header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-v {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed SDP v= body line. Even if set to pass, the SIP ALG writes a log message when a malformed v= line is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-o {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed SDP o= body line. Even if set to pass, the SIP ALG writes a log message when a malformed o= line is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-s {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed SDP s= body line. Even if set to pass, the SIP ALG writes a log message when a malformed s= line is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-i {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed i= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-c {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed c= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-b {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed b= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-z {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed z= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-k {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed k= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-a {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed a= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and logviolations is enabled. Set to pass by default.

malformed-header-sdp-t {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed t= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-r {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed r= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-m {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message a with a malformed m= body line. Even if set to pass the SIP ALG writes a log message if an unknown header is found and logviolations is enabled. Set to pass by default.
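The discard / pass / respond model that the malformed-header-* and malformed-header-sdp-* options above (and the unknown-header option in the CLI syntax) share is easiest to see in code. The following is an added example written for this page, not FortiGate code: a toy deep-inspection pass over one SIP message. The per-field syntax checks, the sample INVITE and the rule that "respond" outranks "discard" when several violations map to different actions are all constructed here; the real ALG applies the full RFC 3261 and RFC 4566 grammars, which this does not attempt.

```python
import re

DEFAULT_ACTION = "pass"   # the page's default for every malformed-header-* option

# Header names the inspector recognises; anything else is reported as "unknown-header".
KNOWN_HEADERS = {
    "via", "from", "to", "call-id", "cseq", "contact", "max-forwards", "expires",
    "content-type", "content-length", "allow", "route", "record-route",
    "p-asserted-identity", "rack", "rseq",
}

def _uint(v):
    return v.strip().isdigit()

# Constructed syntax checks, keyed by lower-case header name / SDP line type.
# Deliberately simpler than the RFC grammars; they exist to drive the action logic.
HEADER_CHECKS = {
    "via":            lambda v: v.strip().startswith("SIP/2.0/"),
    "cseq":           lambda v: re.fullmatch(r"\d+ [A-Z]+", v.strip()) is not None,
    "max-forwards":   _uint,
    "expires":        _uint,
    "content-length": _uint,
    "content-type":   lambda v: "/" in v,
}
SDP_CHECKS = {
    "v": lambda v: v == "0",
    "o": lambda v: len(v.split()) == 6,
    "c": lambda v: len(v.split()) == 3,
    "t": lambda v: len(v.split()) == 2 and all(f.isdigit() for f in v.split()),
    "m": lambda v: len(v.split()) >= 4 and v.split()[1].isdigit(),
}
RESPONSE_COPY = {"via": "Via", "from": "From", "to": "To", "call-id": "Call-ID", "cseq": "CSeq"}

def parse(raw):
    """Split a SIP message into (start line, [(name, value)], body); names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def error_response(headers, status="400 Bad Request"):
    """Reply used for the respond action. RFC 3261 section 8.2.6: a response copies
    the request's Via, From, To, Call-ID and CSeq header fields."""
    copied = [f"{RESPONSE_COPY[n]}: {v}" for n, v in headers if n in RESPONSE_COPY]
    return "\r\n".join([f"SIP/2.0 {status}", *copied, "Content-Length: 0", "", ""])

def inspect(raw, policy, log_violations=True):
    """Apply `policy` (option name -> discard | pass | respond) to one message.

    Returns (verdict, response, log): verdict is "pass", "discard" or "respond";
    response is the SIP reply for "respond" (else None); log holds one entry per
    violation when log_violations is enabled, whatever action was taken."""
    _, headers, body = parse(raw)
    violations = []                                   # (option name, offending line)
    for name, value in headers:
        if name not in KNOWN_HEADERS:
            violations.append(("unknown-header", f"{name}: {value}"))
        elif name in HEADER_CHECKS and not HEADER_CHECKS[name](value):
            violations.append((f"malformed-header-{name}", f"{name}: {value}"))
    if dict(headers).get("content-type", "").lower().startswith("application/sdp"):
        for line in filter(None, body.split("\r\n")):
            key, _, value = line.partition("=")
            if key in SDP_CHECKS and not SDP_CHECKS[key](value):
                violations.append((f"malformed-header-sdp-{key}", line))
    log = [f"violation {opt} [{where}]" for opt, where in violations] if log_violations else []
    actions = {policy.get(opt, DEFAULT_ACTION) for opt, _ in violations}
    # Assumption: respond outranks discard (it discards too and adds a reply);
    # only an all-pass action set lets the message through.
    if "respond" in actions:
        return "respond", error_response(headers), log
    if "discard" in actions:
        return "discard", None, log
    return "pass", None, log

# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
SDP_BODY = "\r\n".join([
    "v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0", "m=audio 49170 RTP/AVP 0", "",
])
GOOD_INVITE = "\r\n".join([
    "INVITE sip:bob@example.test SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "From: Alice <sip:alice@example.test>;tag=1928301774",
    "To: Bob <sip:bob@example.test>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.0.2.10>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP_BODY)}",
    "", SDP_BODY,
])
BAD_MAXFWD = GOOD_INVITE.replace("Max-Forwards: 70", "Max-Forwards: seventy")
```

Running `inspect(BAD_MAXFWD, {})` returns a pass verdict but still a one-entry log, which is the behaviour the option descriptions state for pass with log-violations enabled; `{"malformed-header-max-forwards": "respond"}` turns the same input into a discarded request plus a 400 Bad Request that echoes the dialog-identifying headers.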

ips-rtp {enable | disable}

Enable to have RTP traffic inherit the IPS setting from the SIP firewall policy. Disable if IPS slows down RTP traffic, which can happen when there is a high volume of RTP traffic. Also, if the traffic uses NP-accelerated interfaces, enabling IPS means that the RTP traffic cannot be accelerated by NP interface acceleration. Enabled by default.

provisional-invite-expiry-time <time_int>

The expiry time, in seconds, to wait for provisional INVITE requests. The range is 10-3600 seconds. The default is 210 seconds.

ssl-mode {off | full}

Select SSL mode:

full client-to-FortiGate and FortiGate-to-client

off (default) no SSL

ssl-algorithm {high | medium | low}

Select SSL algorithm strength:

high (default) AES or 3DES

medium AES, 3DES, RC4, or DES

low AES, 3DES, or RC4

ssl-auth-client <peer_group>

Require a client certificate and authenticate it with the peer or peergrp.

ssl-auth-server <peer_group>

Authenticate the server certificate with the peer or peergrp.

ssl-client-certificate <cert_name>

Select the certificate to use for client authentication.

ssl-client-renegotiation {allow | deny | secure}

Select the client renegotiation policy:

allow (default) allow SSL client to renegotiate

deny reject any attempt to renegotiate

secure reject any renegotiation attempt that does not offer an RFC 5746 Secure Renegotiation Indication

ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}

Select the minimum SSL/TLS version to accept. Default is ssl-3.0.

ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}

Select the maximum SSL/TLS version to accept. Default is tls-1.1.

ssl-pfs {require | allow | deny}

Set the policy for Perfect Forward Secrecy (PFS). Default is allow.

ssl-send-empty-frags {enable | disable}

Enable sending empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). Enabled by default.

ssl-server-certificate <cert_name>

Select the certificate to use for server authentication.
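The ssl-* options above only matter once ssl-mode is full, and several of the documented defaults (ssl-min-version ssl-3.0, ssl-client-renegotiation allow, every malformed-header action pass, log-violations disabled) are the permissive choice. The following is an added example written for this page, not Fortinet code: it parses a `config voip profile` block in the CLI syntax this reference shows, fills in the defaults the page documents for anything left unset, and reports the weak SIP TLS and inspection settings a reviewer would want to see. The sample configuration is constructed, the reasons and the "tls-1.2 or higher" bar are this example's own judgement (grounded in RFC 7568 and RFC 8996 deprecating SSL 3.0 and TLS 1.0/1.1), and the parser only understands the nesting shown on this page.

```python
VERSIONS = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]   # CLI order, weakest first

# Defaults as documented on this page for `config sip`; an unset option takes the default.
SIP_DEFAULTS = {
    "ssl-mode": "off", "ssl-algorithm": "high", "ssl-client-renegotiation": "allow",
    "ssl-min-version": "ssl-3.0", "ssl-max-version": "tls-1.1", "ssl-pfs": "allow",
    "ssl-send-empty-frags": "enable", "log-violations": "disable",
}

def parse_profiles(text):
    """Return {profile name: {"sip": {option: value}, "sccp": {option: value}}}.

    Understands the nesting the reference shows (config / edit / config sip|sccp /
    set / end / next); values are kept as the CLI strings."""
    profiles, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, _, arg = line.partition(" ")
        if kw == "edit":
            current = arg.strip().strip('"')
            profiles[current] = {"sip": {}, "sccp": {}}
        elif kw == "config" and arg in ("sip", "sccp"):
            section = arg
        elif kw == "end":
            section = None            # closes `config sip` / `config sccp`
        elif kw == "next":
            current = None
        elif kw == "set" and current and section:
            name, _, value = arg.partition(" ")
            profiles[current][section][name] = value.strip().strip('"')
    return profiles

def audit_sip(name, sip):
    """Findings for one profile's `config sip` as (profile, option, effective value, reason)."""
    cfg = {**SIP_DEFAULTS, **sip}
    findings = []

    def flag(opt, why):
        findings.append((name, opt, cfg.get(opt, "pass"), why))

    if cfg["log-violations"] != "enable":
        flag("log-violations", "violations are detected but never logged")
    malformed = [v for k, v in cfg.items() if k.startswith("malformed-header-")]
    if all(v == "pass" for v in malformed):      # also true when none is set (default pass)
        flag("malformed-header-*", "every malformed-header action is pass, so inspection never blocks")
    if cfg["ssl-mode"] != "full":
        return findings                           # TLS options are inert while ssl-mode is off
    lo, hi = (VERSIONS.index(cfg[k]) if cfg[k] in VERSIONS else -1
              for k in ("ssl-min-version", "ssl-max-version"))
    if lo < 0 or hi < 0:
        flag("ssl-min-version", "unrecognised SSL/TLS version string")
    elif lo > hi:
        flag("ssl-max-version", "lower than ssl-min-version, so no version can be negotiated")
    elif lo < VERSIONS.index("tls-1.2"):
        flag("ssl-min-version", "accepts SSL 3.0 / TLS 1.0 / TLS 1.1, deprecated by RFC 7568 and RFC 8996")
    if cfg["ssl-algorithm"] != "high":
        flag("ssl-algorithm", "medium/low admit RC4 and DES-family cipher suites")
    if cfg["ssl-client-renegotiation"] == "allow":
        flag("ssl-client-renegotiation", "renegotiation accepted without RFC 5746; use secure or deny")
    if cfg["ssl-pfs"] == "deny":
        flag("ssl-pfs", "forward secrecy rejected")
    return findings

def audit(text):
    """Audit every profile in a CLI dump; returns the concatenated findings."""
    return [f for name, prof in parse_profiles(text).items() for f in audit_sip(name, prof["sip"])]

# Constructed sample in the page's CLI syntax, not output from a real device.
SAMPLE_CONFIG = """
config voip profile
    edit "sip-default"
        config sip
            set ssl-mode full
        end
    next
    edit "sip-hardened"
        config sip
            set ssl-mode full
            set ssl-min-version tls-1.2
            set ssl-max-version tls-1.2
            set ssl-client-renegotiation secure
            set ssl-pfs require
            set log-violations enable
            set malformed-header-max-forwards discard
            set malformed-header-content-length respond
        end
        config sccp
            set log-violations enable
        end
    next
end
"""
```

`audit(SAMPLE_CONFIG)` reports four findings against sip-default (logging off, all malformed-header actions at pass, ssl-min-version at the ssl-3.0 default, renegotiation allowed) and none against sip-hardened; the max-below-min check catches the one combination the CLI accepts but that can never complete a handshake.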

config sccp

Configure VoIP profile settings for SCCP.

block-mcast {enable | disable}

Enable or disable blocking multicast RTP connections. Disabled by default.

verify-header {enable | disable}

Enable or disable verifying SCCP header content. Disabled by default.

log-call-summary {disable | enable}

Enable or disable summary content archiving of SCCP calls. Enabled by default.

log-violations {disable | enable}

Enable or disable writing a log message when an SCCP option in the VoIP profile detects a violation in an SCCP message. Disabled by default.

max-calls <calls_int>

Enter the maximum number of calls per minute per SCCP client. The range is 1 to 65535. Set to 0 (the default) to disable limiting the number of calls.


voip profile

Use this command to add VoIP profiles for SIP, SIMPLE, and SCCP. To apply the SIP ALG, you add a VoIP profile to a firewall policy that accepts SIP sessions. All SIP sessions accepted by the firewall policy will be processed by the SIP ALG using the settings in the VoIP profile. You configure SIP and SCCP settings separately. SIP settings also apply to SIMPLE sessions.

CLI Syntax

config voip profile
    edit {name}
    # Configure VoIP profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Comment. size[255]
        config sip
            set status {disable | enable}   Enable/disable SIP.
            set rtp {disable | enable}   Enable/disable create pinholes for RTP traffic to traverse firewall.
            set open-register-pinhole {disable | enable}   Enable/disable open pinhole for REGISTER Contact port.
            set open-contact-pinhole {disable | enable}   Enable/disable open pinhole for non-REGISTER Contact port.
            set strict-register {disable | enable}   Enable/disable only allow the registrar to connect.
            set register-rate {integer}   REGISTER request rate limit (per second, per policy). range[0-4294967295]
            set invite-rate {integer}   INVITE request rate limit (per second, per policy). range[0-4294967295]
            set max-dialogs {integer}   Maximum number of concurrent calls/dialogs (per policy). range[0-4294967295]
            set max-line-length {integer}   Maximum SIP header line length (78-4096). range[78-4096]
            set block-long-lines {disable | enable}   Enable/disable block requests with headers exceeding max-line-length.
            set block-unknown {disable | enable}   Block unrecognized SIP requests (enabled by default).
            set call-keepalive {integer}   Continue tracking calls with no RTP for this many minutes. range[0-10080]
            set block-ack {disable | enable}   Enable/disable block ACK requests.
            set block-bye {disable | enable}   Enable/disable block BYE requests.
            set block-cancel {disable | enable}   Enable/disable block CANCEL requests.
            set block-info {disable | enable}   Enable/disable block INFO requests.
            set block-invite {disable | enable}   Enable/disable block INVITE requests.
            set block-message {disable | enable}   Enable/disable block MESSAGE requests.
            set block-notify {disable | enable}   Enable/disable block NOTIFY requests.
            set block-options {disable | enable}   Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
            set block-prack {disable | enable}   Enable/disable block prack requests.
            set block-publish {disable | enable}   Enable/disable block PUBLISH requests.
            set block-refer {disable | enable}   Enable/disable block REFER requests.
            set block-register {disable | enable}   Enable/disable block REGISTER requests.
            set block-subscribe {disable | enable}   Enable/disable block SUBSCRIBE requests.
            set block-update {disable | enable}   Enable/disable block UPDATE requests.
            set register-contact-trace {disable | enable}   Enable/disable trace original IP/port within the contact header of REGISTER requests.
            set open-via-pinhole {disable | enable}   Enable/disable open pinhole for Via port.
            set open-record-route-pinhole {disable | enable}   Enable/disable open pinhole for Record-Route port.
            set rfc2543-branch {disable | enable}   Enable/disable support via branch compliant with RFC 2543.
            set log-violations {disable | enable}   Enable/disable logging of SIP violations.
            set log-call-summary {disable | enable}   Enable/disable logging of SIP call summary.
            set nat-trace {disable | enable}   Enable/disable preservation of original IP in SDP i line.
            set subscribe-rate {integer}   SUBSCRIBE request rate limit (per second, per policy). range[0-4294967295]
            set message-rate {integer}   MESSAGE request rate limit (per second, per policy). range[0-4294967295]
            set notify-rate {integer}   NOTIFY request rate limit (per second, per policy). range[0-4294967295]
            set refer-rate {integer}   REFER request rate limit (per second, per policy). range[0-4294967295]
            set update-rate {integer}   UPDATE request rate limit (per second, per policy). range[0-4294967295]
            set options-rate {integer}   OPTIONS request rate limit (per second, per policy). range[0-4294967295]
            set ack-rate {integer}   ACK request rate limit (per second, per policy). range[0-4294967295]
            set prack-rate {integer}   PRACK request rate limit (per second, per policy). range[0-4294967295]
            set info-rate {integer}   INFO request rate limit (per second, per policy). range[0-4294967295]
            set publish-rate {integer}   PUBLISH request rate limit (per second, per policy). range[0-4294967295]
            set bye-rate {integer}   BYE request rate limit (per second, per policy). range[0-4294967295]
            set cancel-rate {integer}   CANCEL request rate limit (per second, per policy). range[0-4294967295]
            set preserve-override {disable | enable}   Override i line to preserve original IPS (default: append).
            set no-sdp-fixup {disable | enable}   Enable/disable no SDP fix-up.
            set contact-fixup {disable | enable}   Fixup contact anyway even if contact's IP:port doesn't match session's IP:port.
            set max-idle-dialogs {integer}   Maximum number established but idle dialogs to retain (per policy). range[0-4294967295]
            set block-geo-red-options {disable | enable}   Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
            set hosted-nat-traversal {disable | enable}   Hosted NAT Traversal (HNT).
            set hnt-restrict-source-ip {disable | enable}   Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
            set max-body-length {integer}   Maximum SIP message body length (0 meaning no limit). range[0-4294967295]
            set unknown-header {discard | pass | respond}   Action for unknown SIP header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-request-line {discard | pass | respond}   Action for malformed request line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-via {discard | pass | respond}   Action for malformed VIA header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-from {discard | pass | respond}   Action for malformed From header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-to {discard | pass | respond}   Action for malformed To header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-call-id {discard | pass | respond}   Action for malformed Call-ID header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-cseq {discard | pass | respond}   Action for malformed CSeq header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-rack {discard | pass | respond}   Action for malformed RAck header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-rseq {discard | pass | respond}   Action for malformed RSeq header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-contact {discard | pass | respond}   Action for malformed Contact header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-record-route {discard | pass | respond}   Action for malformed Record-Route header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-route {discard | pass | respond}   Action for malformed Route header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-expires {discard | pass | respond}   Action for malformed Expires header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-content-type {discard | pass | respond}   Action for malformed Content-Type header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-content-length {discard | pass | respond}   Action for malformed Content-Length header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-max-forwards {discard | pass | respond}   Action for malformed Max-Forwards header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-allow {discard | pass | respond}   Action for malformed Allow header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-p-asserted-identity {discard | pass | respond}   Action for malformed P-Asserted-Identity header.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-v {discard | pass | respond}   Action for malformed SDP v line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-o {discard | pass | respond}   Action for malformed SDP o line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-s {discard | pass | respond}   Action for malformed SDP s line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-i {discard | pass | respond}   Action for malformed SDP i line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-c {discard | pass | respond}   Action for malformed SDP c line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-b {discard | pass | respond}   Action for malformed SDP b line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-z {discard | pass | respond}   Action for malformed SDP z line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-k {discard | pass | respond}   Action for malformed SDP k line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-a {discard | pass | respond}   Action for malformed SDP a line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-t {discard | pass | respond}   Action for malformed SDP t line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-r {discard | pass | respond}   Action for malformed SDP r line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set malformed-header-sdp-m {discard | pass | respond}   Action for malformed SDP m line.
                    discard  Discard malformed messages.
                    pass     Bypass malformed messages.
                    respond  Respond with error code.
            set provisional-invite-expiry-time {integer}   Expiry time for provisional INVITE (10 - 3600 sec). range[10-3600]
            set ips-rtp {disable | enable}   Enable/disable allow IPS on RTP.
            set ssl-mode {off | full}   SSL/TLS mode for encryption & decryption of traffic.
                    off   No SSL.
                    full  Client to FortiGate and FortiGate to Server SSL.
            set ssl-send-empty-frags {enable | disable}   Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).
            set ssl-client-renegotiation {allow | deny | secure}   Allow/block client renegotiation by server.
                    allow   Allow a SSL client to renegotiate.
                    deny    Abort any SSL connection that attempts to renegotiate.
                    secure  Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
            set ssl-algorithm {high | medium | low}   Relative strength of encryption algorithms accepted in negotiation.
                    high    High encryption. Allow only AES and ChaCha.
                    medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                    low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
            set ssl-pfs {require | deny | allow}   SSL Perfect Forward Secrecy.
                    require  PFS mandatory.
                    deny     PFS rejected.
                    allow    PFS allowed.
            set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version to negotiate.
                    ssl-3.0  SSL 3.0.
                    tls-1.0  TLS 1.0.
                    tls-1.1  TLS 1.1.
                    tls-1.2  TLS 1.2.
            set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version to negotiate.
                    ssl-3.0  SSL 3.0.
                    tls-1.0  TLS 1.0.
                    tls-1.1  TLS 1.1.
                    tls-1.2  TLS 1.2.
            set ssl-client-certificate {string}   Name of Certificate to offer to server if requested. size[35] - datasource(s): vpn.certificate.local.name
            set ssl-server-certificate {string}   Name of Certificate return to the client in every SSL connection. size[35] - datasource(s): vpn.certificate.local.name
            set ssl-auth-client {string}   Require a client certificate and authenticate it with the peer/peergrp. size[35] - datasource(s): user.peer.name,user.peergrp.name
            set ssl-auth-server {string}   Authenticate the server's certificate with the peer/peergrp. size[35] - datasource(s): user.peer.name,user.peergrp.name
        config sccp
            set status {disable | enable}   Enable/disable SCCP.
            set block-mcast {disable | enable}   Enable/disable block multicast RTP connections.
            set verify-header {disable | enable}   Enable/disable verify SCCP header content.
            set log-call-summary {disable | enable}   Enable/disable log summary of SCCP calls.
            set log-violations {disable | enable}   Enable/disable logging of SCCP violations.
            set max-calls {integer}   Maximum calls per minute per SCCP client (max 65535). range[0-65535]
    next
end

Additional information

The following section is for those options that require additional explanation.

config sip

Configure VoIP profile settings for SIP (and SIMPLE).

rtp {enable | disable}

Enable or disable opening pinholes for RTP traffic to traverse FortiGate unit. Enabled by default.

open-register-pinhole {enable | disable}

Enable or disable opening a pinhole for the port number specified in SIP REGISTER message Contact header line. Enabled by default.

open-contact-pinhole {enable | disable}

Enable or disable opening a pinhole for the port number specified in a Contact header line in any SIP message except a SIP REGISTER message.

strict-register {enable | disable}

Controls how pinholes are opened to allow traffic from a SIP server to pass through the FortiGate unit. If enabled the SIP ALG opens a pinhole that only accepts sessions from a single IP address (the address of the SIP server).

This option should be disabled if the SIP proxy server and SIP registrar are different entities with different IP addresses.

register-rate <rate_sec_policy_int>

Set a rate limit (per second, per policy) for SIP REGISTER requests. Set to 0 (the default) to disable rate limiting. Set to 0 by default.

invite-rate <rate_sec_policy_int>

Set a rate limit (per second, per policy) for SIP INVITE requests. Set to 0 (the default) to disable rate limiting.

max-dialogs <max_int>

Maximum number of concurrent calls (or dialogs) per policy. Set to 0 (the default) to not limit dialogs.

max-line-length <length_int>

Maximum SIP header line length. The range is 78-4096 characters. If a SIP message contains a line that exceeds the maximum line length a log message is recorded. If block-long-lines is enabled the message is blocked and the FortiGate unit returns a SIP 413 Request entity too large SIP response message. Default length is 998.

block-long-lines {enable | disable}

Enable or disable blocking SIP request messages with a header or body line that exceeds the max-linelength. Enabled by default.

block-unknown {enable | disable}

Block unrecognized SIP request messages. Enabledby default.

call-keepalive <keepalive_time>

Continue tracking calls with no RTP sessions for this many minutes. Terminate the call if the time limit is exceeded. Range is 1 and 10,080 seconds. Set to 0 (the default) to disable. Call keep alive should be used with caution because enabling this feature results in extra FortiGate CPU overhead and can cause delay/jitter for the VoIP call. Also, the FortiGate unit terminates the call without sending SIP messages to end the call. And if the SIP endpoints send SIP messages to terminate the call they will be blocked by the FortiGate unit if they are sent after the FortiGate unit terminates the call.

reg-diff-port {enable | disable}

Enable or disable opening a pinhole for the port number included in the Via SIP message header line.Disabled by default.

rfc2543-branch {enable | disable}

Enable to support RFC 2543-complaint SIP calls involving branch commands that are missing or that are valid for RFC 2543 but invalid for RFC 3261. RFC 3261 is the most recent SIP RFC. RFC 3261 obsoletes RFC 2543. This option also allows FortiGate units to support SIP calls that include Via headers that are missing the branch parameter. Disabled by default.

log-violations {enable | disable}

Enable or disable writing a logging message when a SIP option in a VoIP profile detects a violation in a SIP message.Disabled by default.

log-call-summary {enable | disable}

Enable or disable summary content archiving of SIP calls. Enabled by default.

nat-trace {enable | disable}

Enable or disable preserving the original source IP address of the SIP message in the i= line of the SDP profile. This option enables NAT with IP address conservation (also called SIP NAT tracing), which changes the contents of SIP messages by adding the source IP address of the originator of the message into the SDP i= line of the SIP message. The SDP i= line is used for free-form text. However, if your SIP server can retrieve information from the SDP i= line, it can be useful for keeping a record of the source IP address of the originator of a SIP message when operating in a NAT environment. You can use this feature for billing purposes by extracting the IP address of the originator of the message. Enabled by default.

subscribe-rate <rate_sec_policy_int>

Limit the number of SIP SUBSCRIBE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

message-rate <rate_sec_policy_int>

Limit the number of SIP MESSAGE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

notify-rate <rate_sec_policy_int>

Limit the number of SIP NOTIFY messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

refer-rate <rate_sec_policy_int>

Limit the number of SIP REFER messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

update-rate <rate_sec_policy_int>

Limit the number of SIP UPDATE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

options-rate <rate_sec_policy_int>

Limit the number of SIP OPTIONS messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

ack-rate <rate_sec_policy_int>

Limit the number of SIP ACK messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

prack-rate <rate_sec_policy_int>

Limit the number of SIP PRACK messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

info-rate <rate_sec_policy_int>

Limit the number of SIP INFO messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

publish-rate <rate_sec_policy_int>

Limit the number of SIP PUBLISH messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

bye-rate <rate_sec_policy_int>

Limit the number of SIP BYE messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

cancel-rate <rate_sec_policy_int>

Limit the number of SIP CANCEL messages per second per policy that the FortiGate unit accepts. Set to 0 (the default) to disable rate limiting.

preserve-override {enable | disable}

Enable to append the original o= line of a SIP message to the end of the i= line; disable to replace the i= line in the original message with a new i= line. This command is used for SIP IP address conservation. Disabled by default.

no-sdp-fixup {enable | disable}

Enable to stop the FortiGate unit from performing NAT on addresses in the SDP lines of the SIP message body. This option is disabled by default, so the FortiGate unit performs NAT on addresses in SDP lines; enable it only if you don't want those addresses translated.

contact-fixup {enable | disable}

Enable or disable performing NAT on the IP addresses and port numbers in the headers in SIP CONTACT messages even if they don’t match the session’s IP address and port numbers. Enabled by default.

max-idle-dialogs <dialogs_perpolicy_int>

Specify the maximum number of established but idle dialogs to retain (per policy). Set to 0 (the default) to disable.

Idle dialogs would usually be dialogs that have been interrupted because of errors or problems or as the result of a SIP attack that opens a large number of SIP dialogs without closing them. This command provides a way to remove these dialogs from the dialog table and recover memory and resources being used by these open and idle dialogs.

block-geo-red-options {enable | disable}

Block OPTIONS requests, but OPTIONS requests still notify for redundancy. Disabled by default.

hosted-nat-traversal {enable | disable}

Enable or disable support for hosted NAT Traversal (HNT). HNT has different requirements for address translation. Disabled by default.

hnt-restrict-source-ip {enable | disable}

Restrict RTP source IP to be the same as SIP source IP when HNT is enabled. Disabled by default.

max-body-length <size_bytes_int>

Specify the maximum size of a SIP message body in bytes that will be processed by the SIP ALG. Larger messages are discarded. Set to 0 (the default) for no limit. This option checks the value in the SIP Content-Length header line to determine body length. The Content-Length can be larger than the actual size of a SIP message if the SIP message content is split over more than one packet. SIP messages are of variable size and the message size can change with the addition of Via and Record-Route headers.

unknown-header {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with an unknown header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-request-line {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed request line (the first line in a SIP request message). Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-via {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Via header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-from {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed From header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-to {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed To header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-call-id {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Call-ID header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-cseq {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed CSeq header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-rack {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed RAck header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-rseq {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed RSeq header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-contact {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Contact header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-recordroute {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Record-Route header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-route {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Route header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-expires {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Expires header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-contenttype {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Content-Type header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-contentlength {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Content-Length header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-maxforwards {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Max-Forwards header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-allow {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Allow header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled.

malformed-header-p-asserted-identity {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed P-Asserted-Identity header line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-v {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed v= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-o {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed o= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-s {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed s= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-i {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed i= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-c {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed c= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-b {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed b= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-z {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed z= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-k {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed k= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-a {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed a= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-t {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed t= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-r {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed r= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.

malformed-header-sdp-m {discard | pass | respond}

Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed m= body line. Even if set to pass, the SIP ALG writes a log message if an unknown header is found and log-violations is enabled. Set to pass by default.
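As an added illustration of the deep-inspection options above and of max-body-length (example code written for this page, not FortiOS code or Fortinet's implementation): a simplified inspector that applies a hypothetical profile to one SIP request, logs every violation when log-violations is enabled, and lets the first non-pass action decide the verdict. The profile values, the header syntax rules, and the sample INVITE are constructed assumptions.

```python
import re
# Hypothetical profile (constructed, not FortiOS defaults): option -> {discard | pass | respond}.
PROFILE = {
    "malformed-request-line": "respond",
    "malformed-header-via": "discard",
    "malformed-header-cseq": "discard",
    "malformed-header-contentlength": "discard",
    "unknown-header": "pass",
    "max-body-length": 512,  # bytes, judged from Content-Length; 0 = no limit
    "log-violations": True,
}
# Simplified RFC 3261 syntax for the three headers this example checks.
HEADER_RULES = {
    "via": ("malformed-header-via",
            re.compile(r"^SIP/2\.0/(UDP|TCP|TLS) [\w.\-:\[\]]+(;[\w\-]+(=[^;]*)?)*$")),
    "cseq": ("malformed-header-cseq", re.compile(r"^\d+ [A-Z]+$")),
    "content-length": ("malformed-header-contentlength", re.compile(r"^\d+$")),
}
KNOWN_HEADERS = set(HEADER_RULES) | {"from", "to", "call-id", "contact", "max-forwards"}
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")

def inspect_request(raw: bytes, profile: dict = PROFILE):
    """Return (verdict, log_lines); verdict is pass, discard or respond (discard and reply)."""
    logs, verdict = [], "pass"

    def violate(option: str, action: str = None) -> None:
        nonlocal verdict
        action = action or profile[option]
        if profile["log-violations"]:  # logged even when the action is pass
            logs.append(f"violation option={option} action={action}")
        if action != "pass" and verdict == "pass":  # first non-pass action wins
            verdict = action

    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        violate("malformed-request-line")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or name not in KNOWN_HEADERS:
            violate("unknown-header")
        elif name in HEADER_RULES:
            option, rule = HEADER_RULES[name]
            if not rule.match(value):
                violate(option)
            elif name == "content-length" and profile["max-body-length"]:
                # Body size comes from Content-Length, as in the ALG; it may exceed this packet.
                if int(value) > profile["max-body-length"]:
                    violate("max-body-length", "discard")
    return verdict, logs

# Constructed sample INVITE; BAD breaks the CSeq and claims an oversized body.
GOOD = (b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
        b"From: <sip:alice@example.com>;tag=1\r\nTo: <sip:bob@example.com>\r\nCall-ID: 42@example.com\r\n"
        b"CSeq: 1 INVITE\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n")
BAD = GOOD.replace(b"CSeq: 1 INVITE", b"CSeq: one INVITE").replace(
    b"Content-Length: 0", b"Content-Length: 9000")
```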

ips-rtp {enable | disable}

Enable to have RTP traffic inherit the IPS setting from the SIP firewall policy. Disable if IPS slows down RTP traffic, which might occur if there is a high volume of RTP traffic. Also, if the traffic uses NP-accelerated interfaces, enabling IPS means that the RTP traffic cannot be NP-accelerated. Enabled by default.

provisional-invite-expirytime <time_int>

The expiry time in seconds to wait for provisional INVITE requests. The range is 10-3600 seconds. The default is 210 seconds.

ssl-mode {off | full}

Select SSL mode:

full client-to-FortiGate and FortiGate-to-client

off (default) no SSL

ssl-algorithm {high | medium | low}

Select SSL algorithm strength:

high (default) AES or 3DES

medium AES, 3DES, RC4, or DES

low AES, 3DES, or RC4

ssl-auth-client <peer_group>

Require a client certificate and authenticate it with the peer or peergrp.

ssl-auth-server <peer_group>

Authenticate the server certificate with the peer or peergrp.

ssl-client-certificate <cert_name>

Select the certificate to use for client authentication.

ssl-client-renegotiation {allow | deny | secure}

Select the client renegotiation policy:

allow (default) allow SSL client to renegotiate

deny reject any attempt to renegotiate

secure reject any renegotiation attempt that does not offer an RFC 5746 Secure Renegotiation Indication

ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}

Select the minimum SSL/TLS version to accept. Default is ssl-3.0.

ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}

Select the maximum SSL/TLS version to accept. Default is tls-1.1.

ssl-pfs {require | allow | deny}

Set policy for Perfect Forward Secrecy (PFS). Default is allow.

ssl-send-empty-frags {enable | disable}

Enable sending empty fragments to avoid an attack on the CBC IV (SSL 3.0 and TLS 1.0 only). Enabled by default.

ssl-server-certificate <cert_name>

Select the certificate to use for server authentication.

config sccp

Configure VoIP profile settings for SCCP.

block-mcast {enable | disable}

Enable or disable blocking multicast RTP connections. Disabled by default.

verify-header {enable | disable}

Enable or disable verifying SCCP header content. Disabled by default.

log-call-summary {disable | enable}

Enable or disable summary content archiving of SCCP calls. Enabled by default.

log-violations {disable | enable}

Enable or disable writing a log message when a SIP option in a VoIP profile detects a violation in a SIP message. Disabled by default.

max-calls <calls_int>

Enter the maximum number of calls per minute per SCCP client. The range is 1 to 65535. Set to 0 (the default) to disable limiting the number of calls.