SIP ALG and SIP session helper
The SIP session helper is a legacy solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes, and by performing NAT of the addresses in SIP messages.
SIP Application Layer Gateway (ALG) provides the same basic SIP support as the SIP session helper. In addition, SIP ALG provides a wide range of features that protect your network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP activity.
By default, all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a VoIP profile, the SIP traffic is processed by the SIP ALG using the default VoIP profile.
To change between SIP ALG mode and SIP session helper mode:

```
config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end
```

| Setting | Description |
|---|---|
| default-voip-alg-mode {proxy-based \| kernel-helper-based} | Set how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile. |

The default-voip-alg-mode setting works together with the VoIP profile configured in a firewall policy to determine whether SIP ALG, SIP ALG with IPS SIP, or the SIP session helper is used to process the SIP traffic. The following firewall policy settings correspond to the VoIP profiles (see also SIP message inspection and filtering).

```
config firewall policy
    edit <id>
        set voip-profile <voipd-based_profile>
        set ips-voip-filter <ips-based_profile>
    next
end
```
The following table explains the results of configuring different combinations of the preceding settings.
| Firewall policy: voip-profile | Firewall policy: ips-voip-filter | Result with default-voip-alg-mode kernel-helper-based | Result with default-voip-alg-mode proxy-based |
|---|---|---|---|
| Yes | Yes | SIP ALG + IPS SIP | SIP ALG + IPS SIP |
| Yes | No | SIP ALG | SIP ALG |
| No | Yes | SIP ALG + IPS SIP | SIP ALG + IPS SIP |
| No | No | SIP session helper | SIP ALG |
SIP ALG configurations
SIP ALG can be enabled in several ways. The following configuration examples demonstrate different settings.
Example 1
In this example, a voipd-based profile is configured and applied to a firewall policy. The default-voip-alg-mode setting remains at its default (proxy-based).
To configure SIP ALG:
- Configure the default VoIP ALG mode:

  ```
  config system settings
      set default-voip-alg-mode proxy-based
  end
  ```

- Configure the VoIP profile:

  ```
  config voip profile
      edit "sip-alg-profile"
          set feature-set voipd
          config sip
              set status enable
          end
      next
  end
  ```

- Configure the firewall policy:

  ```
  config firewall policy
      edit 0
          set name "VoIP-Proxy"
          set utm-status enable
          set voip-profile "sip-alg-profile"
      next
  end
  ```
Example 2
In this example, the default-voip-alg-mode is set to kernel-helper-based. A VoIP profile (VoIP-Proxy) has SIP enabled and is applied to a firewall policy.
To configure SIP ALG:
- Configure the default VoIP ALG mode:

  ```
  config system settings
      set default-voip-alg-mode kernel-helper-based
  end
  ```

- Configure the VoIP profile:

  ```
  config voip profile
      edit "sip-alg-profile"
          set feature-set voipd
          config sip
              set status enable
          end
      next
  end
  ```

- Configure the firewall policy:

  ```
  config firewall policy
      edit 0
          set name "VoIP-Proxy"
          set utm-status enable
          set voip-profile "sip-alg-profile"
      next
  end
  ```
Example 3
In this example, no VoIP profile is selected in the firewall policy. However, the default-voip-alg-mode is set to proxy-based, so the default voip-profile is implicitly applied.
To configure SIP ALG to implicitly use the default VoIP profile:
- Configure the default VoIP ALG mode:

  ```
  config system settings
      set default-voip-alg-mode proxy-based
  end
  ```

- Configure the firewall policy:

  ```
  config firewall policy
      edit 0
          set name "VoIP-Proxy"
          set utm-status enable
          set voip-profile ""
      next
  end
  ```
SIP session helper configurations
In some instances, SIP providers may recommend that customers disable SIP ALG on their edge firewall. The following examples show how to disable SIP ALG and enable the SIP session helper instead.
Example 1
In this example, the default-voip-alg-mode is set to kernel-helper-based, and a VoIP profile is not applied in the firewall policy. Session helper 13 is enabled by default.
To configure the SIP session helper:
- Configure the default VoIP ALG mode:

  ```
  config system settings
      set default-voip-alg-mode kernel-helper-based
  end
  ```

- Configure the firewall policy:

  ```
  config firewall policy
      edit 0
          set name "VoIP-session-helper"
          set utm-status enable
          set voip-profile ""
      next
  end
  ```

- Configure the session helper:

  ```
  config system session-helper
      edit 13
          set name sip
          set protocol 17
          set port 5060
      next
  end
  ```
Example 2
In this example, the default-voip-alg-mode is set to either proxy-based or kernel-helper-based. A VoIP profile that has SIP disabled is applied to the firewall policy.
To configure the SIP session helper:
- Configure the default VoIP ALG mode:

  ```
  config system settings
      set default-voip-alg-mode {proxy-based | kernel-helper-based}
  end
  ```

- Configure the VoIP profile:

  ```
  config voip profile
      edit "sip-disabled-profile"
          set feature-set voipd
          config sip
              set status disable
          end
      next
  end
  ```

- Configure the firewall policy:

  ```
  config firewall policy
      edit 0
          set name "VoIP-session-helper"
          set utm-status enable
          set voip-profile "sip-disabled-profile"
      next
  end
  ```

- Configure the session helper:

  ```
  config system session-helper
      edit 13
          set name sip
          set protocol 17
          set port 5060
      next
  end
  ```
Example 3
In this example, the session helper is removed because the SIP provider recommends disabling both SIP ALG and the session helper.
To remove the SIP session helper:
- Configure the default VoIP ALG mode:

  ```
  config system settings
      set default-voip-alg-mode kernel-helper-based
  end
  ```

- Configure the firewall policy:

  ```
  config firewall policy
      edit 0
          set name "VoIP-session-helper"
          set utm-status enable
          set voip-profile ""
      next
  end
  ```

- Remove the session helper:

  ```
  config system session-helper
      delete 13
  end
  ```
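As an added example that is not part of this documentation page, the following Python script parses a FortiOS CLI excerpt in the form used throughout the SIP ALG and session helper examples above, applies the combination table (voip-profile, ips-voip-filter, default-voip-alg-mode) to every firewall policy, and flags policies that would fall to the SIP session helper while no sip session helper entry exists. The parser, the function names and the sample configuration are my own construction, not Fortinet code.

```python
def parse_fortios(text):
    """Nested dicts from FortiOS CLI text: config/edit open a scope, set assigns, next/end close it."""
    stack = [{}]
    for line in text.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(arg.strip('"'), {}))
        elif cmd == "set":
            key, _, val = arg.partition(" ")
            stack[-1][key] = val.strip().strip('"')
        elif cmd in ("next", "end"):
            stack.pop()
    return stack[0]

def sip_mode(cfg, policy):
    """Resolve the SIP processing path for one policy entry using the combination table above."""
    profile = cfg.get("voip profile", {}).get(policy.get("voip-profile", ""))
    if policy.get("ips-voip-filter"):
        return "SIP ALG + IPS SIP"
    if profile is not None:
        # A profile with SIP disabled hands the traffic to the session helper (session helper example 2).
        return "SIP session helper" if profile.get("sip", {}).get("status") == "disable" else "SIP ALG"
    mode = cfg.get("system settings", {}).get("default-voip-alg-mode", "proxy-based")
    return "SIP session helper" if mode == "kernel-helper-based" else "SIP ALG"

def audit(cfg):
    """Map policy id -> (mode, warn); warn when the helper path is chosen but no 'sip' helper exists."""
    helper = any(h.get("name") == "sip" for h in cfg.get("system session-helper", {}).values())
    return {pid: (m, m == "SIP session helper" and not helper)
            for pid, p in cfg.get("firewall policy", {}).items() for m in [sip_mode(cfg, p)]}

# Constructed excerpt (not from the page): helper mode set globally, one policy with a SIP-enabled profile, one without, and no 'sip' session helper (as after deleting helper 13).
SAMPLE = """\
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config voip profile
    edit "sip-alg-profile"
        config sip
            set status enable
        end
    next
end
config firewall policy
    edit 1
        set voip-profile "sip-alg-profile"
    next
    edit 2
        set voip-profile ""
    next
end
"""
```

Policies reported as "SIP session helper" are the ones that receive none of the SIP ALG protections described at the top of the page, which is what a review of an edge firewall should surface; run `audit(parse_fortios(SAMPLE))` to see the result for the sample.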
Modifying the SIP port
Most SIP configurations use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP SSL sessions. If your SIP network uses different ports for SIP sessions, the SIP port can be changed. You can also listen on two TCP and UDP ports.
To change the SIP port:

```
config system settings
    set sip-tcp-port 5064
    set sip-udp-port 5065
    set sip-ssl-port 5066
end
```

To listen on two TCP and UDP ports:

```
config system settings
    set sip-tcp-port 5060 5064
    set sip-udp-port 5061 5065
end
```

To modify the SIP ports for the default SIP session helper:

```
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5065
    next
end
```

To add a new session helper to listen on UDP and TCP 5064:

```
config system session-helper
    edit 0
        set name sip
        set port 5064
    next
end
```