Fortinet white logo
Fortinet white logo

Administration Guide

SIP ALG and SIP session helper

SIP ALG and SIP session helper

The SIP session helper is a legacy solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes, and by performing NAT of the addresses in SIP messages.

SIP Application Layer Gateway (ALG) provides the same basic SIP support as the SIP session helper. In addition, SIP ALG provides a wide range of features that protect your network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP activity.

By default, all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a VoIP profile, the SIP traffic is processed by the SIP ALG using the default VoIP profile.

To change between SIP ALG mode and SIP session helper mode:
config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end 

default-voip-alg-mode {proxy-based | kernel-helper-based}

Set how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.

  • proxy-based: use SIP ALG to process SIP traffic (default).
  • kernel-helper-based: use the SIP session helper to process SIP traffic.

The default-voip-alg-mode setting works together with the VoIP profile configured in a firewall policy to determine whether SIP ALG, SIP ALG with IPS SIP, or the SIP session helper are used to process the SIP traffic. The following firewall policy settings correspond to the VoIP profiles (see also SIP message inspection and filtering).

config firewall policy
    edit <id>
        set voip-profile <voipd-based_profile>
        set ips-voip-filter <ips-based_profile>
    next
end

The following table explains the results of configuring different combinations of the preceding settings.

Firewall policy setting

Default VoIP ALG mode setting

voip-profile

ips-voip-filter

kernel-helper-based

proxy-based

Yes

Yes

SIP ALG + IPS SIP

SIP ALG + IPS SIP

Yes

No

SIP ALG

SIP ALG

No

Yes

SIP ALG + IPS SIP

SIP ALG + IPS SIP

No

No

SIP session helper

SIP ALG

SIP ALG configurations

SIP ALG can be enabled in several ways. The following configuration examples demonstrate different settings.

Example 1

In this example, a voipd-based profile is configured and applied to a firewall policy. The default-voip-alg-mode remains as the default setting (proxy-based).

To configure SIP ALG:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode proxy-based
    end
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-alg-profile"
            set feature-set voipd
            config sip
                set status enable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile "sip-alg-profile"
        next
    end

Example 2

In this example, the default-voip-alg-mode is set to kernel-helper-based. A VoIP profile (VoIP-Proxy) has SIP enabled and is applied to a firewall policy.

To configure SIP ALG:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-alg-profile"
            set feature-set voipd
            config sip
                set status enable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile "sip-alg-profile"
        next
    end

Example 3

In this example, no VoIP profile is selected in the firewall policy. However, the default-voip-alg-mode is set to proxy-based. The default voip-profile is implicitly applied.

To configure SIP ALG to implicitly use the default VoIP profile:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode proxy-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile ""
        next
    end

SIP session helper configurations

In some instances, SIP providers may recommend that customers disable SIP ALG on their edge firewall. This is how you can disable SIP ALG and enable the SIP session helper.

Example 1

In this example, the default-voip-alg-mode is set to kernel-helper-based, and a VoIP profile is not applied in a firewall policy. Session helper 13 is enabled by default.

To configure the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile ""
        next
    end
  3. Configure the session helper:

    config system session-helper
        edit 13
            set name sip
            set protocol 17
            set port 5060
        next
    end

Example 2

In this example, the default-voip-alg-mode is set to either proxy-based or kernel-helper-based. A VoIP profile that has SIP disabled is applied to the firewall policy.

To configure the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
    end 
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-disabled-profile"
            set feature-set voipd
            config sip
                set status disable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile "sip-disabled-profile"
        next
    end
  4. Configure the session helper:

    config system session-helper
        edit 13
            set name sip
            set protocol 17
            set port 5060
        next
    end

Example 3

In this example, the session helper is removed because the SIP provider suggests to disable SIP ALG and the session helper altogether.

To remove the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile ""
        next
    end
  3. Remove the session helper:

    config system session-helper
        delete 13
    end

Modifying the SIP port

Most SIP configurations use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP SSL sessions. If your SIP network uses different ports for SIP sessions, the SIP port can be changed. You can also listen to two TCP and UDP ports .

To change the SIP port:
config system settings
    set sip-tcp-port 5064
    set sip-udp-port 5065
    set sip-ssl-port 5066
end
To listen to two TCP and UDP ports:
config system settings
    set sip-tcp-port 5060 5064
    set sip-udp-port 5061 5065
end
To modify the SIP ports for the default SIP session helper:
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5065
    next
end
To add a new session helper to listen on UDP and TCP 5064:
config system session-helper
    edit 0
        set name sip
        set port 5064
    next
end

SIP ALG and SIP session helper

SIP ALG and SIP session helper

The SIP session helper is a legacy solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes, and by performing NAT of the addresses in SIP messages.

SIP Application Layer Gateway (ALG) provides the same basic SIP support as the SIP session helper. In addition, SIP ALG provides a wide range of features that protect your network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP activity.

By default, all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a VoIP profile, the SIP traffic is processed by the SIP ALG using the default VoIP profile.

To change between SIP ALG mode and SIP session helper mode:
config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end 

default-voip-alg-mode {proxy-based | kernel-helper-based}

Set how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.

  • proxy-based: use SIP ALG to process SIP traffic (default).
  • kernel-helper-based: use the SIP session helper to process SIP traffic.

The default-voip-alg-mode setting works together with the VoIP profile configured in a firewall policy to determine whether SIP ALG, SIP ALG with IPS SIP, or the SIP session helper are used to process the SIP traffic. The following firewall policy settings correspond to the VoIP profiles (see also SIP message inspection and filtering).

config firewall policy
    edit <id>
        set voip-profile <voipd-based_profile>
        set ips-voip-filter <ips-based_profile>
    next
end

The following table explains the results of configuring different combinations of the preceding settings.

Firewall policy setting

Default VoIP ALG mode setting

voip-profile

ips-voip-filter

kernel-helper-based

proxy-based

Yes

Yes

SIP ALG + IPS SIP

SIP ALG + IPS SIP

Yes

No

SIP ALG

SIP ALG

No

Yes

SIP ALG + IPS SIP

SIP ALG + IPS SIP

No

No

SIP session helper

SIP ALG

SIP ALG configurations

SIP ALG can be enabled in several ways. The following configuration examples demonstrate different settings.

Example 1

In this example, a voipd-based profile is configured and applied to a firewall policy. The default-voip-alg-mode remains as the default setting (proxy-based).

To configure SIP ALG:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode proxy-based
    end
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-alg-profile"
            set feature-set voipd
            config sip
                set status enable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile "sip-alg-profile"
        next
    end

Example 2

In this example, the default-voip-alg-mode is set to kernel-helper-based. A VoIP profile (VoIP-Proxy) has SIP enabled and is applied to a firewall policy.

To configure SIP ALG:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-alg-profile"
            set feature-set voipd
            config sip
                set status enable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile "sip-alg-profile"
        next
    end

Example 3

In this example, no VoIP profile is selected in the firewall policy. However, the default-voip-alg-mode is set to proxy-based. The default voip-profile is implicitly applied.

To configure SIP ALG to implicitly use the default VoIP profile:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode proxy-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile ""
        next
    end

SIP session helper configurations

In some instances, SIP providers may recommend that customers disable SIP ALG on their edge firewall. This is how you can disable SIP ALG and enable the SIP session helper.

Example 1

In this example, the default-voip-alg-mode is set to kernel-helper-based, and a VoIP profile is not applied in a firewall policy. Session helper 13 is enabled by default.

To configure the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile ""
        next
    end
  3. Configure the session helper:

    config system session-helper
        edit 13
            set name sip
            set protocol 17
            set port 5060
        next
    end

Example 2

In this example, the default-voip-alg-mode is set to either proxy-based or kernel-helper-based. A VoIP profile that has SIP disabled is applied to the firewall policy.

To configure the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
    end 
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-disabled-profile"
            set feature-set voipd
            config sip
                set status disable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile "sip-disabled-profile"
        next
    end
  4. Configure the session helper:

    config system session-helper
        edit 13
            set name sip
            set protocol 17
            set port 5060
        next
    end

Example 3

In this example, the session helper is removed because the SIP provider suggests to disable SIP ALG and the session helper altogether.

To remove the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile ""
        next
    end
  3. Remove the session helper:

    config system session-helper
        delete 13
    end

Modifying the SIP port

Most SIP configurations use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP SSL sessions. If your SIP network uses different ports for SIP sessions, the SIP port can be changed. You can also listen to two TCP and UDP ports .

To change the SIP port:
config system settings
    set sip-tcp-port 5064
    set sip-udp-port 5065
    set sip-ssl-port 5066
end
To listen to two TCP and UDP ports:
config system settings
    set sip-tcp-port 5060 5064
    set sip-udp-port 5061 5065
end
To modify the SIP ports for the default SIP session helper:
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5065
    next
end
To add a new session helper to listen on UDP and TCP 5064:
config system session-helper
    edit 0
        set name sip
        set port 5064
    next
end