VoIP profiles
You can customize the default VoIP profile or add new VoIP profiles.
To add a new VoIP profile from the GUI, go to Security Profiles > VoIP and select Create New (the + button).
For SIP, from the GUI you can configure the VoIP profile to limit the number of SIP REGISTER and INVITE requests. Many additional options for configuring how the ALG processes SIP sessions are available from the CLI.
For SCCP you can limit the call setup time. Additional SCCP options are available from the CLI.
Use the following command to add a VoIP profile named VoIP_Pro_1 from the CLI:
config voip profile
    edit VoIP_Pro_1
end
FortiGates include two pre-defined VoIP profiles. On the GUI these profiles look identical. However, their CLI-only settings result in the following functionality:

default
The most commonly used VoIP profile. This profile enables both SIP and SCCP and places the minimum restrictions on what calls will be allowed to negotiate. This profile allows normal SCCP, SIP and RTP sessions and enables the following security settings:

strict
This profile is available for users who want to validate SIP messages and to only allow SIP sessions that are compliant with RFC 3261. In addition to the settings in the default VoIP profile, the strict profile sets all SIP deep message inspection header checking options (for example, malformed-request-line and many others) to discard. As a result, the strict profile blocks and drops SIP messages that contain malformed SIP or SDP lines that can be detected by the ALG. For more information about SIP deep header inspection, see Deep SIP message inspection.

Neither of the default profiles applies SIP rate limiting. To apply more ALG features to SIP sessions, you can clone (copy) the pre-defined VoIP profiles and make your own modifications to them. You can clone VoIP profiles from the GUI or the CLI. For example, the following CLI commands clone the default profile, set the limit for SIP NOTIFY request messages to 1000 messages per second per security policy, and block SIP INFO request messages:
config voip profile
    clone default to my_voip_pro
    edit my_voip_pro
        config sip
            set notify-rate 1000
            set block-info enable
        end
end
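Because neither pre-defined profile applies SIP rate limiting, it helps to check which profiles in a configuration backup actually set a limit. The following sketch is an added example, not Fortinet code: it parses the `config voip profile` section and lists profiles with no SIP rate option above 0. The sample backup is constructed, and the backup layout (quoted names, `next` between entries), the `register-rate` option name, and the reading of 0 as "no limit" are assumptions not stated on this page.

```python
import shlex

# Constructed sample of a configuration backup (not taken from a real device).
SAMPLE_CONFIG = """
config voip profile
    edit "default"
    next
    edit "my_voip_pro"
        config sip
            set notify-rate 1000
            set block-info enable
        end
    next
    edit "VoIP_Pro_1"
        config sip
            set register-rate 0
        end
    next
end
config firewall policy
    edit 1
        set voip-profile "default"
    next
end
"""

def sip_settings(config_text):
    """Return {profile: {option: value}} for the sip section of each VoIP profile."""
    profiles, stack, current = {}, [], None
    for raw in config_text.splitlines():
        word, *args = shlex.split(raw) or [""]
        if word == "config":
            stack.append(" ".join(args))          # track nested config sections
        elif word == "end" and stack:
            if stack.pop() == "voip profile":
                current = None
        elif word == "edit" and stack == ["voip profile"]:
            current = args[0]
            profiles[current] = {}                # profile may have no sip section
        elif word == "set" and stack == ["voip profile", "sip"] and current:
            profiles[current][args[0]] = " ".join(args[1:])
    return profiles

def profiles_without_rate_limit(config_text):
    """Profiles with no SIP '*-rate' option above 0 (assumed: 0 means no limit)."""
    return sorted(name for name, opts in sip_settings(config_text).items()
                  if not any(k.endswith("-rate") and v.isdigit() and int(v) > 0
                             for k, v in opts.items()))

print(profiles_without_rate_limit(SAMPLE_CONFIG))
```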