SIP message inspection and filtering

SIP ALG provides users with security features to inspect and control SIP messages that are transported through FortiOS devices, including:

  • Verifying the SIP message syntax.
  • Blocking particular types of SIP requests.
  • Restricting the rate of particular SIP requests.

These features are configured in the VoIP profile:

config voip profile
    edit <voip_profile_name>
        config sip
            set ...

The VoIP profile can then be applied to a firewall policy to process the SIP call traffic.

SIP message syntax inspection

For syntax verification, the following attributes can be configured in the VoIP profile. Each one determines what action is taken when a specific syntax error, or an attack based on invalid syntax, is detected. For example, the action can be set to pass or discard the message.

malformed-request-line
malformed-header-via
malformed-header-from
malformed-header-to
malformed-header-call-id
malformed-header-cseq
malformed-header-rack
malformed-header-rseq
malformed-header-contact
malformed-header-record-route
malformed-header-route
malformed-header-expires
malformed-header-content-type
malformed-header-content-length
malformed-header-max-forwards
malformed-header-allow
malformed-header-p-asserted-identity
malformed-header-sdp-v
malformed-header-sdp-o
malformed-header-sdp-s
malformed-header-sdp-i
malformed-header-sdp-c
malformed-header-sdp-b
malformed-header-sdp-z
malformed-header-sdp-k
malformed-header-sdp-a
malformed-header-sdp-t
malformed-header-sdp-r
malformed-header-sdp-m

SIP message blocking

The following options are available in the VoIP profile to block SIP messages:

block-long-lines
block-unknown
block-ack  
block-bye  
block-cancel   
block-info     
block-invite   
block-message  
block-notify   
block-options  
block-prack    
block-publish  
block-refer    
block-register 
block-subscribe
block-update   
block-geo-red-options

SIP message rate limiting

The rate of certain types of SIP requests passing through the SIP ALG can be restricted:

register-rate       
invite-rate         
subscribe-rate      
message-rate        
notify-rate         
refer-rate          
update-rate         
options-rate        
ack-rate            
prack-rate          
info-rate           
publish-rate        
bye-rate            
cancel-rate   
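
The following profile combines the three feature groups above. It is an added example, not taken from the original page: the profile name, the choice of methods to block, and the rate values are constructed for illustration, and the `#` lines are annotations for the reader. It assumes the `block-*` options take `enable`/`disable` and the `*-rate` options take an integer, and it omits all other firewall policy fields.

```fortios
config voip profile
    # "voip-strict" is a hypothetical profile name
    edit "voip-strict"
        config sip
            # Syntax inspection: discard messages whose request line or
            # routing/framing headers fail verification
            set malformed-request-line discard
            set malformed-header-via discard
            set malformed-header-from discard
            set malformed-header-to discard
            set malformed-header-call-id discard
            set malformed-header-cseq discard
            set malformed-header-content-length discard
            # Message blocking: drop over-long lines, unknown request types,
            # and methods this (assumed) deployment does not use
            set block-long-lines enable
            set block-unknown enable
            set block-message enable
            set block-publish enable
            # Rate limiting: constructed sample values, size them from
            # the normal request rates observed at your site
            set register-rate 50
            set invite-rate 100
            set options-rate 20
        end
    next
end

config firewall policy
    # Existing policy that carries the SIP call traffic
    edit <policy_id>
        set voip-profile "voip-strict"
    next
end
```

Before blocking a method, confirm that no phone, PBX, or trunk in the call path depends on it, and stage the `discard` actions against test traffic first, because endpoints that emit slightly non-conformant headers will otherwise lose calls.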
