SIP message inspection and filtering
SIP ALG provides users with security features to inspect and control SIP messages that are transported through the FortiGate, including:
- Verifying the SIP message syntax.
- Blocking particular types of SIP requests.
- Restricting the rate of particular SIP requests.
These can be performed in both proxy-based and flow-based firewall policies. In 7.0, flow-based SIP inspection is done by the IPS engine. This optimizes memory and CPU usage when VoIP profiles with SIP inspection are configured alongside other UTM profiles in a flow-based firewall policy, because the inspection is then done entirely by the IPS engine.
These features are configured in the VoIP profile:
config voip profile
    edit <name>
        set feature-set {proxy | flow}
        config sip
            set ...
            ...
        end
    next
end
For more information, see config voip profile in the FortiOS CLI Reference.
The VoIP profile can then be applied to a firewall policy to process the SIP call traffic. The firewall policy’s inspection mode decides whether inspection happens on the SIP ALG proxy or on the IPS engine.
config firewall policy
    edit <id>
        set inspection-mode {proxy | flow}
        set voip-profile <name>
    next
end
SIP message syntax inspection
For syntax verification, the following attributes are available for configuration in the VoIP profile to determine what action is taken when a specific syntax error, or an attack based on invalid syntax, is detected. For example, the action can be set to pass or discard the message.
- malformed-request-line
- malformed-header-via
- malformed-header-from
- malformed-header-to
- malformed-header-call-id
- malformed-header-cseq
- malformed-header-rack
- malformed-header-rseq
- malformed-header-contact
- malformed-header-record-route
- malformed-header-route
- malformed-header-expires
- malformed-header-content-type
- malformed-header-content-length
- malformed-header-max-forwards
- malformed-header-allow
- malformed-header-p-asserted-identity
- malformed-header-sdp-v
- malformed-header-sdp-o
- malformed-header-sdp-s
- malformed-header-sdp-i
- malformed-header-sdp-c
- malformed-header-sdp-b
- malformed-header-sdp-z
- malformed-header-sdp-k
- malformed-header-sdp-a
- malformed-header-sdp-t
- malformed-header-sdp-r
- malformed-header-sdp-m
- malformed-header-no-require*
- malformed-header-no-proxy-require*
* = only available in flow mode
SIP message blocking
The following options are available in the VoIP profile to block SIP messages:
- block-long-lines
- block-unknown
- block-ack
- block-bye
- block-cancel
- block-info
- block-invite
- block-message
- block-notify
- block-options
- block-prack
- block-publish
- block-refer
- block-register
- block-subscribe
- block-update
- block-geo-red-options**
** = only available in proxy mode
SIP message rate limiting
The rate of certain types of SIP requests that are passing through the SIP ALG can be restricted:
- register-rate
- invite-rate
- subscribe-rate
- message-rate
- notify-rate
- refer-rate
- update-rate
- options-rate
- ack-rate
- prack-rate
- info-rate
- publish-rate
- bye-rate
- cancel-rate
Additionally, flow-based SIP supports the following rate tracking features:
- register-rate-track none
- invite-rate-track none
- subscribe-rate-track none
- message-rate-track none
- notify-rate-track none
- refer-rate-track none
- update-rate-track none
- options-rate-track none
- ack-rate-track none
- prack-rate-track none
- info-rate-track none
- publish-rate-track none
- bye-rate-track none
- cancel-rate-track none
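The following is an added worked example, not taken from the FortiOS CLI Reference, that ties the profile and policy steps above together with options from the three groups (syntax, blocking, rate limiting) in one flow-mode configuration. The profile name, policy ID, interface names and the enable/integer values for the block-* and *-rate options are assumptions; the page only states pass/discard for the malformed-* actions.

```text
# Assumed profile name; flow mode so the IPS engine performs the SIP inspection.
config voip profile
    edit "sip-inspect-flow"
        set feature-set flow
        config sip
            # Syntax verification: discard messages with a broken request line
            # or malformed mandatory headers instead of passing them through.
            set malformed-request-line discard
            set malformed-header-via discard
            set malformed-header-from discard
            set malformed-header-to discard
            set malformed-header-call-id discard
            set malformed-header-cseq discard
            set malformed-header-content-length discard
            # Blocking: drop over-long lines and request methods not on the known list.
            set block-long-lines enable
            set block-unknown enable
            # Rate limiting (assumed to be requests per second): cap REGISTER and INVITE floods.
            set register-rate 10
            set invite-rate 10
        end
    next
end

# Apply the profile in a flow-mode policy; interface names and ID are assumptions.
config firewall policy
    edit 10
        set name "voip-to-pbx"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set inspection-mode flow
        set voip-profile "sip-inspect-flow"
    next
end
```

With inspection-mode set to flow, the policy hands SIP traffic to the IPS engine rather than the SIP ALG proxy, so the flow-only options (such as malformed-header-no-require) are available and the proxy-only block-geo-red-options is not.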