Administration Guide

SIP message inspection and filtering NEW

There are two types of VoIP profiles that can be configured:

config voip profile
    edit <name>
        set feature-set {ips | voipd}
    next
end

feature-set {ips | voipd}

Set the inspection feature set.

  • ips: use the IPS Engine feature set for the ips-voip-filter firewall policy option.
  • voipd: use the SIP ALG feature set for voip-profile firewall policy option.

SIP ALG provides users with security features to inspect and control SIP messages that are transported through the FortiGate, including:

  • Verifying the SIP message syntax.
  • Blocking particular types of SIP requests.
  • Restricting the rate of particular SIP requests.

Proxy-based SIP ALG (feature-set voipd) is also able to handle features such as pinhole creation and NAT that flow-based SIP inspection cannot. Flow-based SIP (feature-set ips) can handle features such as MSRP decoding and scanning that proxy-based SIP ALG cannot.

The two VoIP profile types can be configured separately or at the same time on a firewall policy:

config firewall policy
    edit 1
        set voip-profile "voip_sip_alg"
        set ips-voip-filter "voip_sip_ips"
    next
end

Where:

  • voip-profile can select a voip-profile with feature-set voipd.
  • ips-voip-filter can select a voip-profile with feature-set ips.

The IPS-based VoIP profile (ips-voip-filter) allows flow-based SIP to complement SIP ALG when both are applied to the same policy.

Note

When both SIP ALG and SIP IPS are used and configured with the same block rules, SIP IPS will take priority and do the blocking.

Note

Unlike previous versions (7.0 and 7.2.0-7.2.4) where the firewall policy’s inspection mode determines whether the SIP traffic is scanned by SIP ALG or flow-based SIP, the inspection mode does not matter in this version. A voipd-based VoIP profile will activate SIP ALG inspection, while an ips-based VoIP profile will activate IPS-based SIP inspection.

A voip-profile can be selected regardless of the inspection-mode used in the firewall policy.

For more information about the difference between SIP ALG and the SIP session helper, see SIP ALG and SIP session helper.

Example

In this example, SIP ALG is required for pinhole creation and handling NAT, and controlling SIP messages requires flow-based SIP. The administrator needs to configure two SIP profiles, one with each feature set (voipd and ips), and apply both SIP profiles in the same firewall policy.

To configure SIP ALG with SIP IPS:
  1. Configure the VoIP profiles:

    config voip profile
        edit "voip_sip_alg"
            set feature-set voipd
            set comment "sip_alg_simple"
            config sip
                set log-violations enable
                set log-call-summary enable
            end
        next
        edit "voip_sip_ips"
            set feature-set ips
            set comment "ips_voip_blocking"
            config sip
                set block-invite enable
                set log-violations enable
            end
        next
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port9"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ips-sensor "g-default"
            set voip-profile "voip_sip_alg"
            set ips-voip-filter "voip_sip_ips"
            set logtraffic all
            set nat enable
        next
    end
To verify SIP calls through the SIP proxy:
  1. Verify the register request:

    # diagnose sys sip-proxy calls
    sip calls
      vdom 1 (vdom1) vrf 0 call 7f2b99828300
        call-id: 619216389
        txn 7f2b998ad600 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 527 HA 0
          i_session: 7f2b998aac00  r_session: 7f2b998aac00
          register: present
          from: sip:2001@172.16.200.44
          to: sip:2001@172.16.200.44
          src: 10.1.100.11:5060
          dst: 172.16.200.44:5060
  2. Verify the invite request:

    # diagnose sys sip-proxy calls
    sip calls
      vdom 1 (vdom1) vrf 0 call 7f2b99828300
        call-id: 619216389
        txn 7f2b998ad600 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 316 HA 0
          i_session: 7f2b998aac00  r_session: 7f2b998aac00
          register: present
          from: sip:2001@172.16.200.44
          to: sip:2001@172.16.200.44
          src: 10.1.100.11:5060
          dst: 172.16.200.44:5060
Sample logs

Register request:

date=2023-01-13 time=09:46:03 eventtime=1673631963477298677 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=17092 epoch=0 event_id=1 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_alg" voip_proto="sip" kind="register" action="permit" status="succeeded" duration=0 dir="session_origin" call_id="619216389" from="sip:2001@172.16.200.44" to="sip:2001@172.16.200.44"

Invite request:

date=2023-01-13 time=09:54:43 eventtime=1673632484065549240 tz="-0800" logid="0814044033" type="utm" subtype="voip" eventtype="voip" level="notice" vd="vdom1" session_id=17092 epoch=0 event_id=0 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_ips" voip_proto="sip" kind="call" action="block" status="N/A" reason="block-request" duration=0 dir="session_reverse" message_type="request" request_name="INVITE" call_id="1967779864" count=0 from="<sip:2001@172.16.200.44>" to="<sip:2002@172.16.200.44>" attackid=50083 attack="SIP.Invite.Method"
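As an added example (not Fortinet code and not the FortiGate's own log parser), the following Python parses the key=value VoIP log lines above and pulls out the SIP requests that a VoIP profile blocked, which is the record you would triage after enabling block-* options. The field names are taken from the two sample lines; the only assumption is that every blocked event carries action="block" as shown.

```python
import re
from collections import Counter

# Added example (not Fortinet code): parse the key=value VoIP log lines shown above
# and pull out the SIP requests that a VoIP profile blocked.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Turn one FortiGate log line into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def blocked_sip_requests(lines):
    """Return one summary dict per SIP request blocked by a VoIP profile."""
    blocked = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "voip" or f.get("action") != "block":
            continue
        blocked.append({
            "profile": f.get("profile"),        # which VoIP profile acted
            "request": f.get("request_name"),   # SIP method, e.g. INVITE
            "reason": f.get("reason"),
            "attack": f.get("attack"),          # IPS signature name (ips feature set)
            "call_id": f.get("call_id"),
            "src": f"{f.get('srcip')}:{f.get('src_port')}",
            "from": f.get("from"), "to": f.get("to"),
        })
    return blocked

def blocks_per_profile(lines):
    """Count blocked requests per (profile, request_name) for a quick triage view."""
    return Counter((b["profile"], b["request"]) for b in blocked_sip_requests(lines))

# Sample input: the two log lines from the page (register permitted, INVITE blocked).
SAMPLE_LOGS = [
    'date=2023-01-13 time=09:46:03 eventtime=1673631963477298677 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=17092 epoch=0 event_id=1 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_alg" voip_proto="sip" kind="register" action="permit" status="succeeded" duration=0 dir="session_origin" call_id="619216389" from="sip:2001@172.16.200.44" to="sip:2001@172.16.200.44"',
    'date=2023-01-13 time=09:54:43 eventtime=1673632484065549240 tz="-0800" logid="0814044033" type="utm" subtype="voip" eventtype="voip" level="notice" vd="vdom1" session_id=17092 epoch=0 event_id=0 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_ips" voip_proto="sip" kind="call" action="block" status="N/A" reason="block-request" duration=0 dir="session_reverse" message_type="request" request_name="INVITE" call_id="1967779864" count=0 from="<sip:2001@172.16.200.44>" to="<sip:2002@172.16.200.44>" attackid=50083 attack="SIP.Invite.Method"',
]

if __name__ == "__main__":
    for entry in blocked_sip_requests(SAMPLE_LOGS):
        print(entry)
    print(blocks_per_profile(SAMPLE_LOGS))
```

The profile field tells you which of the two profiles did the blocking, which matters because SIP IPS takes priority over SIP ALG when both carry the same block rule.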

SIP message syntax inspection

For syntax verification, the following attributes are available for configuration in the VoIP profile to determine what action is taken when a specific syntax error, or an attack based on invalid syntax, is detected. For example, the action can be set to pass or discard the message.

malformed-request-line
malformed-header-via
malformed-header-from
malformed-header-to
malformed-header-call-id
malformed-header-cseq
malformed-header-rack
malformed-header-rseq
malformed-header-contact
malformed-header-record-route
malformed-header-route
malformed-header-expires
malformed-header-content-type
malformed-header-content-length
malformed-header-max-forwards
malformed-header-allow
malformed-header-p-asserted-identity
malformed-header-sdp-v
malformed-header-sdp-o
malformed-header-sdp-s
malformed-header-sdp-i
malformed-header-sdp-c
malformed-header-sdp-b
malformed-header-sdp-z
malformed-header-sdp-k
malformed-header-sdp-a
malformed-header-sdp-t
malformed-header-sdp-r
malformed-header-sdp-m
malformed-header-no-require*
malformed-header-no-proxy-require*

* = only available in flow mode

SIP message blocking

The following options are available in the VoIP profile to block SIP messages:

block-long-lines
block-unknown
block-ack
block-bye
block-cancel
block-info
block-invite
block-message
block-notify
block-options
block-prack
block-publish
block-refer
block-register
block-subscribe
block-update
block-geo-red-options**

** = only available in proxy mode

SIP message rate limiting

The rate of certain types of SIP requests that are passing through the SIP ALG can be restricted:

register-rate
invite-rate
subscribe-rate
message-rate
notify-rate
refer-rate
update-rate
options-rate
ack-rate
prack-rate
info-rate
publish-rate
bye-rate
cancel-rate

Additionally, flow-based SIP supports the following rate tracking features:

register-rate-track none
invite-rate-track none
subscribe-rate-track none
message-rate-track none
notify-rate-track none
refer-rate-track none
update-rate-track none
options-rate-track none
ack-rate-track none
prack-rate-track none
info-rate-track none
publish-rate-track none
bye-rate-track none
cancel-rate-track none

Call-Id and Content-Type regex

When the ips VoIP profile feature set is selected, options for Call-Id and Content-Type header values can be configured.

config voip profile
    edit <name>
        config sip
            set call-id-regex <string>
            set content-type-regex <string>
        end
    next
end

call-id-regex <string>

Enter a validation PCRE regular expression for the Call-Id header value.

content-type-regex <string>

Enter a validation PCRE regular expression for the Content-Type header value.
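As an added example (not Fortinet code, and not how the FortiGate's SIP parser is implemented), the following Python shows the kind of check the syntax inspection and regex sections describe: it verifies a SIP request line and mandatory headers, compares Content-Length against the body, and applies a Call-Id and a Content-Type validation regex. The two regex values are constructed assumptions (the page names the options but gives no values), and the violation names mirror the malformed-* attribute names where one exists.

```python
import re

# Added example (not Fortinet code). CALL_ID_REGEX and CONTENT_TYPE_REGEX are constructed
# values standing in for call-id-regex and content-type-regex; violation names mirror malformed-*.
CALL_ID_REGEX = re.compile(r"^[A-Za-z0-9._-]{1,128}(@[A-Za-z0-9._-]{1,128})?$")
CONTENT_TYPE_REGEX = re.compile(r"^application/sdp(\s*;.*)?$", re.IGNORECASE)
REQUEST_LINE = re.compile(r"^[A-Z]+ sips?:\S+ SIP/2\.0$")
CSEQ_REGEX = re.compile(r"^\d+ [A-Z]+$")
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")

def inspect_sip_request(raw):
    """Return the list of malformed-* style violations found in one raw SIP request."""
    violations = []
    head, _, body = raw.partition("\r\n\r\n")   # headers end at the first blank line
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        violations.append("malformed-request-line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            violations.append("malformed-header-line")  # catch-all, not a page attribute
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for h in REQUIRED_HEADERS:
        if h not in headers:
            violations.append("malformed-header-" + h)
    for name, rx in (("call-id", CALL_ID_REGEX), ("cseq", CSEQ_REGEX), ("content-type", CONTENT_TYPE_REGEX)):
        value = headers.get(name, [None])[0]
        if value is not None and not rx.match(value):
            violations.append("malformed-header-" + name)
    clen = headers.get("content-length", [None])[0]
    if clen is not None and (not clen.isdigit() or int(clen) != len(body.encode())):
        violations.append("malformed-header-content-length")
    return violations

# Constructed sample messages: a well-formed INVITE carrying SDP, and one with several defects.
SDP = "v=0\r\no=2001 0 0 IN IP4 10.1.100.11\r\ns=-\r\nc=IN IP4 10.1.100.11\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
GOOD_INVITE = (
    "INVITE sip:2002@172.16.200.44 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.100.11:5060;branch=z9hG4bK776asdhds\r\nMax-Forwards: 70\r\n"
    "From: <sip:2001@172.16.200.44>;tag=1928301774\r\nTo: <sip:2002@172.16.200.44>\r\n"
    "Call-ID: 1967779864@10.1.100.11\r\nCSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP.encode())}\r\n\r\n{SDP}"
)
BAD_INVITE = (  # no Max-Forwards, Call-ID with spaces, non-numeric CSeq, wrong type and length
    "INVITE sip:2002@172.16.200.44 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.100.11:5060;branch=z9hG4bKabc\r\n"
    "From: <sip:2001@172.16.200.44>;tag=1\r\nTo: <sip:2002@172.16.200.44>\r\n"
    "Call-ID: not a valid call id\r\nCSeq: one INVITE\r\n"
    "Content-Type: text/html\r\nContent-Length: 9999\r\n\r\nv=0\r\n"
)
```

Calling inspect_sip_request(GOOD_INVITE) returns an empty list, while BAD_INVITE yields one violation per defect; on the FortiGate the per-attribute action (pass or discard) decides what happens to such a message.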