CLI Reference

system session-helper

FortiOS uses session helpers to process sessions that have special requirements. Session helpers function like proxies by getting information from the session and performing support functions required by the session. For example:

  • The SIP session helper looks inside SIP messages and performs NAT (if required) on the IP addresses in the SIP message and opens pinholes to allow media traffic associated with the SIP session to pass through the FortiGate unit.
  • The FTP session helper can keep track of multiple connections initiated from a single FTP session. The session helper can also permit an FTP server to actively open a connection back to a client program.
  • The TNS session helper sniffs the return packet from an initial 1521 SQLNET exchange and then uses the port and session information uncovered in that return TNS redirect packet to add a temporary firewall policy that accepts the new port and IP address supplied as part of the TNS redirect.

The session helper configuration binds a session helper to a TCP or UDP port and protocol. When a firewall policy accepts a session on that port and protocol, FortiOS passes the session to the session helper configured with this command, and the session helper processes it.

If your FortiGate accepts sessions that require a session helper on ports other than those defined by the session-helper configuration, you can add more entries to the session helper configuration. It is fine to have multiple session helper entries for a given protocol, because only the entry matching the session's port and protocol is used.

Use the show system session-helper command to view the current session helper configuration.

FortiOS includes the following session helpers (in the following table, protocol 6 is TCP and protocol 17 is UDP):

| Session Helper | Description | Protocol | Port |
|---|---|---|---|
| pptp | Point to point tunneling protocol (PPTP). | 6 | 1723 |
| h323 | H.323 protocol for multimedia including VoIP. | 6 | 1720 |
| ras | Remote access service (RAS) protocol. | 17 | 1719 |
| tns | Oracle transparent network substrate protocol (TNS or SQLNET). | 6 | 1521 |
| tftp | Trivial file transfer protocol (TFTP). | 17 | 69 |
| rtsp | Real Time Streaming Protocol (RTSP). | 6 | 554, 7070, 8554 |
| ftp | File transfer protocol (FTP). | 6 | 21 |
| mms | Multimedia message service (MMS) protocol. | 6 | 1863 |
| pmap | Port mapper (PMAP) protocol. | 6, 17 | 111 |
| sip | Session initiation protocol (SIP) for multimedia including VoIP. | 17 | 5060 |
| dns-tcp | Domain name service (DNS) using the TCP protocol. | 6 | 53 |
| dns-udp | Domain name service (DNS) using the UDP protocol. | 17 | 53 |
| rsh | Remote shell protocol (RSH). | 6 | 514, 512 |
| dcerpc | Distributed computing environment / remote procedure calls protocol (DCE/RPC). | 6, 17 | 135 |
| mgcp | Media gateway control protocol (MGCP). | 17 | 2427 |

config system session-helper
    edit {id}
    # Configure session helper.
        set id {integer}   Session helper ID. range[0-4294967295]
        set name {option}   Helper name.
                ftp      FTP.
                tftp     TFTP.
                ras      RAS.
                h323     H323.
                tns      TNS.
                mms      MMS.
                sip      SIP.
                pptp     PPTP.
                rtsp     RTSP.
                dns-udp  DNS UDP.
                dns-tcp  DNS TCP.
                pmap     PMAP.
                rsh      RSH.
                dcerpc   DCERPC.
                mgcp     MGCP.
                gtp-c    GTP-C.
                gtp-u    GTP-U.
                gtp-b    GTP-B.
        set protocol {integer}   Protocol number. range[0-255]
        set port {integer}   Protocol port. range[1-65535]
    next
end