Flow-based SIP inspection

Flow-based SIP inspection is performed by the IPS engine. Because the IPS engine handles the inspection on its own, this reduces memory and CPU usage when a VoIP profile with SIP inspection is combined with other UTM profiles in a flow-based firewall policy. Proxy ALG features that are supported in flow mode include blocking of specific SIP methods, rate limiting, and malformed header detection.

The inspection mode is selected in the firewall policy.

Caution

When upgrading to FortiOS 7.0.0:

  • If default-voip-alg-mode is set to proxy-based (the default setting), all flow mode policies will be converted to proxy mode.

  • If default-voip-alg-mode is set to kernel-helper-based, all flow mode policies that have a VoIP profile configured will be converted to proxy mode.

To configure the default VoIP ALG mode:
config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end

When upgrading to FortiOS 7.0.1:

  • All firewall policies with a VoIP profile selected will be converted to proxy-based inspection.

  • All firewall policies that do not have a VoIP profile selected will remain in the same inspection mode after upgrading.

Proxy ALG features available in flow mode:
config voip profile
    edit "demo_sip"
        set feature-set flow
        set comment "flow_based"
        config sip
            set status enable
            set register-rate-track {none | src-ip | dest-ip}
            set invite-rate-track {none | src-ip | dest-ip}
            set subscribe-rate-track {none | src-ip | dest-ip}
            set message-rate-track {none | src-ip | dest-ip}
            set notify-rate-track {none | src-ip | dest-ip}
            set refer-rate-track {none | src-ip | dest-ip}
            set update-rate-track {none | src-ip | dest-ip}
            set options-rate-track {none | src-ip | dest-ip}
            set ack-rate-track {none | src-ip | dest-ip}
            set prack-rate-track {none | src-ip | dest-ip}
            set info-rate-track {none | src-ip | dest-ip}
            set publish-rate-track {none | src-ip | dest-ip}
            set bye-rate-track {none | src-ip | dest-ip}
            set cancel-rate-track {none | src-ip | dest-ip}
            set malformed-header-no-require {discard | pass}
            set malformed-header-no-proxy-require {discard | pass}
            set ips-rtp {enable | disable}
        end
    next
end

...-rate-track {none | src-ip | dest-ip}

Select the address field on which the message rate for the corresponding SIP method (REGISTER, INVITE, and so on) is tracked.

  • none: None (default)
  • src-ip: Source IP
  • dest-ip: Destination IP

malformed-header-no-require {discard | pass}

Action for malformed SIP messages without a Require header.

  • discard: Discard malformed messages.

  • pass: Bypass malformed messages (default).

malformed-header-no-proxy-require {discard | pass}

Action for malformed SIP messages without a Proxy-Require header (default = pass).

ips-rtp {enable | disable}

Enable or disable IPS inspection of the RTP media streams that the SIP signaling sets up (default = enable).
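The following Python model, added here as an illustration and not FortiOS code, shows what the two option groups above mean in practice: per-method rate tracking keyed on either the source or the destination IP, and the discard/pass actions for malformed messages that lack a Require or Proxy-Require header. The numeric limit, the one-second window, the "rate-limited" verdict, the simplified parser and all sample messages are constructed assumptions for the example; the page only names the tracking field, not the threshold it applies.

```python
from collections import defaultdict, deque

# Assumed values (constructed for this example; the page lists only the
# *-rate-track field, not the numeric limit it enforces):
RATE_LIMIT = 3           # messages per method, per tracked address, per window
WINDOW_SECONDS = 1.0


def parse_sip(raw):
    """Parse a SIP request into (method, headers, malformed).

    A request line that is not exactly "METHOD URI SIP/2.0", or a header line
    without a ':' separator, marks the message as malformed. Simplified parser.
    """
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0].upper() if len(parts) == 3 and parts[2] == "SIP/2.0" else None
    headers = {}
    malformed = method is None
    for line in lines[1:]:
        if line == "":                 # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if not sep:
            malformed = True           # header line without a colon
            continue
        headers[name.strip().lower()] = value.strip()
    return method, headers, malformed


class FlowSipInspector:
    """Toy counterpart of the *-rate-track and malformed-header-* settings."""

    def __init__(self, rate_track, malformed_no_require="pass",
                 malformed_no_proxy_require="pass"):
        # rate_track maps method -> "src-ip" | "dest-ip"; an absent method means "none"
        self.rate_track = {m.upper(): v for m, v in rate_track.items()}
        self.malformed_no_require = malformed_no_require
        self.malformed_no_proxy_require = malformed_no_proxy_require
        self.windows = defaultdict(deque)   # (method, address) -> recent timestamps

    def inspect(self, src_ip, dst_ip, raw, now):
        """Return 'discard', 'rate-limited' or 'pass' for one SIP message."""
        method, headers, malformed = parse_sip(raw)

        # Malformed-header actions apply only to messages the parser flagged.
        if malformed:
            if "require" not in headers and self.malformed_no_require == "discard":
                return "discard"
            if "proxy-require" not in headers and self.malformed_no_proxy_require == "discard":
                return "discard"
        if method is None:
            return "pass"              # no usable request line to rate-track

        track = self.rate_track.get(method, "none")
        if track == "none":
            return "pass"
        key = (method, src_ip if track == "src-ip" else dst_ip)
        window = self.windows[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()           # drop timestamps outside the window
        window.append(now)
        return "rate-limited" if len(window) > RATE_LIMIT else "pass"


def register(src):
    """Constructed, well-formed REGISTER request from the given source."""
    return ("REGISTER sip:10.0.0.1 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src};branch=z9hG4bK1\r\n"
            "To: <sip:alice@10.0.0.1>\r\n\r\n")


def demo():
    """Four REGISTERs from one source in 0.3 s, then a malformed INVITE."""
    insp = FlowSipInspector({"register": "src-ip"}, malformed_no_require="discard")
    verdicts = [insp.inspect("10.0.0.5", "10.0.0.1", register("10.0.0.5"), t)
                for t in (0.0, 0.1, 0.2, 0.3)]
    bad = "INVITE sip:bob@10.0.0.1 SIP/2.0\r\nVia SIP/2.0/UDP 10.0.0.5\r\n\r\n"
    return verdicts, insp.inspect("10.0.0.5", "10.0.0.1", bad, 0.4)


if __name__ == "__main__":
    print(demo())   # (['pass', 'pass', 'pass', 'rate-limited'], 'discard')
```

Keying the same REGISTER burst on dest-ip instead of src-ip changes which traffic trips the limit: many sources hitting one registrar are counted together, while one chatty source is counted on its own. That is the choice the `*-rate-track` field expresses for each SIP method.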

To create and use a VoIP profile in a policy:
  1. Create a VoIP profile that uses SIP with the flow-mode feature set and enable block register requests:

    config voip profile
        edit "sip-flow"
            set feature-set flow
            config sip
                set block-register enable
            end
        next
    end
  2. Use the VoIP profile in a flow-based firewall policy:

    config firewall policy
        edit 4
            set srcintf "port1"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode flow
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set voip-profile "sip-flow"
            set nat enable
        next
    end