Fortinet Document Library

Version:

7.0.6
7.0.5
6.4.9

Version:

6.4.8
6.4.6
6.2.9

Version:

6.2.7
6.2.6

Table of Contents

Hyperscale Firewall Guide

7.0.5
7.0.6
7.0.5
6.4.9
6.4.8
6.4.6
6.2.9
6.2.7
6.2.6
Download PDF
Copy Link

SIP and hyperscale firewall support

Enter one of the following commands to the change the NP7 hash configuration if a FortiGate that is licensed for hyperscale firewall features and will be processing SIP traffic.

The available command depends on the hardware platform and firmware version:

config system npu

set hash-config sip

end

or

config system npu

set hash-config src-ip

end

For more information, see hash-config {5T | sip} or hash-config {src-dst-ip | src-ip}.

Note

Entering either of these commands causes the FortiGate to restart, temporarily interrupting traffic. If you are changing this configuration for an FGCP HA cluster, you should remove the secondary FortiGate from the cluster, change the configuration on both FortiGates, and then after they restart, add the secondary FortiGate back to the cluster.

In addition to the above setting, to support SIP in a hyperscale firewall VDOM, you must configure the VDOM to use the SIP session helper instead of the SIP application layer gateway (ALG). Enter the following command in a hyperscale firewall VDOM to use the SIP session helper for SIP traffic:

config system settings

set default-voip-alg-mode kernel-helper-based

end

SIP and hyperscale firewall support

Enter one of the following commands to the change the NP7 hash configuration if a FortiGate that is licensed for hyperscale firewall features and will be processing SIP traffic.

The available command depends on the hardware platform and firmware version:

config system npu

set hash-config sip

end

or

config system npu

set hash-config src-ip

end

For more information, see hash-config {5T | sip} or hash-config {src-dst-ip | src-ip}.

Note

Entering either of these commands causes the FortiGate to restart, temporarily interrupting traffic. If you are changing this configuration for an FGCP HA cluster, you should remove the secondary FortiGate from the cluster, change the configuration on both FortiGates, and then after they restart, add the secondary FortiGate back to the cluster.

In addition to the above setting, to support SIP in a hyperscale firewall VDOM, you must configure the VDOM to use the SIP session helper instead of the SIP application layer gateway (ALG). Enter the following command in a hyperscale firewall VDOM to use the SIP session helper for SIP traffic:

config system settings

set default-voip-alg-mode kernel-helper-based

end