Introduce SIP IPS profile as a complement to SIP ALG 7.2.5
This information is also available in the FortiOS 7.2 Administration Guide: |
In FortiOS 7.0, flow-based SIP inspection was introduced, which is handled by the IPS Engine. When a VoIP profile is applied to a firewall policy, the inspection mode determines whether SIP ALG or flow-based SIP is used. Therefore, SIP ALG and flow-based SIP were mutually exclusive. You could not use both at the same time.
Proxy-based SIP ALG is able to handle features such as pin hole creation and NAT that flow-based SIP inspection cannot. Flow-based SIP can handle features such as MSRP decoding and scanning that proxy-based SIP ALG cannot.
To solve this problem, FortiOS 7.2.5 introduces a new IPS-based VoIP profile (ips-voip-filter
) that allows flow-based SIP to complement SIP ALG while working together.
The VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The voip-profile
can be selected regardless of the inspection-mode
in the firewall policy.
For more information about this feature, see Introduce SIP IPS profile as a complement to SIP ALG.