Flow-based SIP inspection
Flow-based SIP inspection is performed by the IPS engine. When a VoIP profile with SIP inspection is combined with other UTM profiles in a flow-based firewall policy, all of the inspection happens in the IPS engine rather than being split between the IPS engine and the SIP ALG, which reduces memory and CPU usage. Proxy ALG features that are supported in flow mode include blocking of SIP requests, rate limiting, and malformed header detection.
The inspection mode is selected in the firewall policy.
When upgrading to FortiOS 7.0.0:

To configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
    end

When upgrading to FortiOS 7.0.1:
Proxy ALG features available in flow mode:
    config voip profile
        edit "demo_sip"
            set feature-set flow
            set comment "flow_based"
            config sip
                set status enable
                set register-rate-track {none | src-ip | dest-ip}
                set invite-rate-track {none | src-ip | dest-ip}
                set subscribe-rate-track {none | src-ip | dest-ip}
                set message-rate-track {none | src-ip | dest-ip}
                set notify-rate-track {none | src-ip | dest-ip}
                set refer-rate-track {none | src-ip | dest-ip}
                set update-rate-track {none | src-ip | dest-ip}
                set options-rate-track {none | src-ip | dest-ip}
                set ack-rate-track {none | src-ip | dest-ip}
                set prack-rate-track {none | src-ip | dest-ip}
                set info-rate-track {none | src-ip | dest-ip}
                set publish-rate-track {none | src-ip | dest-ip}
                set bye-rate-track {none | src-ip | dest-ip}
                set cancel-rate-track {none | src-ip | dest-ip}
                set malformed-header-no-require {discard | pass}
                set malformed-header-no-proxy-require {discard | pass}
                set ips-rtp {enable | disable}
            end
        next
    end
...-rate-track {none | src-ip | dest-ip}
    Select how the rate of the corresponding SIP request method (REGISTER, INVITE, SUBSCRIBE, and so on) is tracked: per source IP address (src-ip), per destination IP address (dest-ip), or not at all (none).

malformed-header-no-require {discard | pass}
    Action for malformed SIP messages without a Require header.

malformed-header-no-proxy-require {discard | pass}
    Action for malformed SIP messages without a Proxy-Require header (default = pass).

ips-rtp {enable | disable}
    Enable or disable IPS inspection of the RTP media stream (default = enable).
To create and use a VoIP profile in a policy:

- Create a VoIP profile that uses SIP with the flow-mode feature set and enable blocking of REGISTER requests:

    config voip profile
        edit "sip-flow"
            set feature-set flow
            config sip
                set block-register enable
            end
        next
    end

- Use the VoIP profile in a flow-based firewall policy:

    config firewall policy
        edit 4
            set srcintf "port1"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode flow
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set voip-profile "sip-flow"
            set nat enable
        next
    end
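The settings listed above and the two-step procedure are easy to get subtly wrong on a device with many profiles, so the following added example (written for this page, not Fortinet code) parses a FortiOS configuration dump in the `config` / `edit` / `set` / `next` / `end` syntax and audits it against what the page documents: the profile's `feature-set`, SIP `status`, the per-method `*-rate-track` settings, both `malformed-header-*` actions, `ips-rtp`, and whether each policy that references a VoIP profile has `utm-status enable` and pairs `inspection-mode flow` with a `feature-set flow` profile. The sample configuration is constructed for the example: the `sip-flow` profile and policy 4 are the page's own, while the `sip-lax` profile and policy 5 are hypothetical weak counterparts. Treating "flow policy with a proxy feature-set profile" as a finding is an assumption based on the page's procedure, not a statement about how FortiOS handles that combination.

```python
"""Audit FortiOS VoIP profiles and firewall policies for flow-mode SIP inspection.

Added example for this page; not Fortinet code. SAMPLE_CONFIG is constructed:
"sip-flow" and policy 4 come from the page, "sip-lax" and policy 5 are hypothetical.
"""
from __future__ import annotations

import shlex

SAMPLE_CONFIG = """\
config voip profile
    edit "sip-flow"
        set feature-set flow
        config sip
            set status enable
            set block-register enable
            set register-rate-track src-ip
            set invite-rate-track src-ip
            set malformed-header-no-require discard
            set malformed-header-no-proxy-require discard
            set ips-rtp enable
        end
    next
    edit "sip-lax"
        set feature-set proxy
        config sip
            set status enable
            set register-rate-track none
            set malformed-header-no-require pass
            set ips-rtp disable
        end
    next
end
config firewall policy
    edit 4
        set srcintf "port1"
        set dstintf "port9"
        set utm-status enable
        set inspection-mode flow
        set voip-profile "sip-flow"
    next
    edit 5
        set utm-status enable
        set inspection-mode flow
        set voip-profile "sip-lax"
    next
end
"""

# SIP methods that have a <method>-rate-track setting in the VoIP profile (from the page).
METHODS = ("register", "invite", "subscribe", "message", "notify", "refer", "update",
           "options", "ack", "prack", "info", "publish", "bye", "cancel")


def parse_fortios(text: str) -> dict:
    """Parse FortiOS CLI blocks into nested dicts: `config a b` / `edit name` open a
    nested dict keyed by their arguments, `set k v` stores v (a list if several
    values), and `next` / `end` close the innermost block. shlex handles quoting."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_profile(name: str, profile: dict) -> list[str]:
    """Findings for one VoIP profile. An absent setting is reported as 'unset' rather
    than assumed to hold a default; only ips-rtp uses the default the page states."""
    findings: list[str] = []
    sip = profile.get("sip", {})
    if profile.get("feature-set") != "flow":
        findings.append(f"{name}: feature-set is {profile.get('feature-set', 'unset')}, not flow")
    if sip.get("status") != "enable":
        findings.append(f"{name}: SIP inspection is not enabled")
    untracked = [m for m in METHODS if sip.get(f"{m}-rate-track", "none") == "none"]
    if untracked:
        findings.append(f"{name}: no rate tracking for {', '.join(untracked)}")
    for key in ("malformed-header-no-require", "malformed-header-no-proxy-require"):
        if sip.get(key) != "discard":
            findings.append(f"{name}: {key} is {sip.get(key, 'unset')}; malformed messages pass")
    if sip.get("ips-rtp", "enable") != "enable":  # page: default = enable
        findings.append(f"{name}: ips-rtp is disabled, so RTP bypasses IPS")
    return findings


def audit_policies(cfg: dict) -> list[str]:
    """Check each policy that references a VoIP profile. Assumption: a flow-mode
    policy is expected to use a feature-set flow profile, as in the page's procedure."""
    findings: list[str] = []
    profiles = cfg.get("voip profile", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        vp = pol.get("voip-profile")
        if not vp:
            continue
        if pol.get("utm-status") != "enable":
            findings.append(f"policy {pid}: voip-profile set but utm-status is not enable")
        prof = profiles.get(vp)
        if prof is None:
            findings.append(f"policy {pid}: references unknown voip-profile {vp}")
        elif pol.get("inspection-mode") == "flow" and prof.get("feature-set") != "flow":
            findings.append(f"policy {pid}: inspection-mode flow but {vp} has feature-set "
                            f"{prof.get('feature-set', 'unset')}")
    return findings


def audit(text: str) -> dict[str, list[str]]:
    """Parse a config dump and return findings keyed by profile name plus 'policies'."""
    cfg = parse_fortios(text)
    report = {n: audit_profile(n, p) for n, p in cfg.get("voip profile", {}).items()}
    report["policies"] = audit_policies(cfg)
    return report


if __name__ == "__main__":
    for section, items in audit(SAMPLE_CONFIG).items():
        print(f"[{section}]", "clean" if not items else "")
        for item in items:
            print("  -", item)
```

Run it against the output of `show voip profile` and `show firewall policy` (concatenated) instead of `SAMPLE_CONFIG` to audit a real unit. The rate-track check flags every method that is not explicitly tracked, which is deliberately noisy: which methods need tracking depends on the deployment, so trim `METHODS` to the ones that matter for yours.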