
New Features

Introduce SIP IPS profile as a complement to SIP ALG

Note

This information is also available in the FortiOS 7.4 Administration Guide:

In FortiOS 7.0, flow-based SIP inspection was introduced, which is handled by the IPS Engine. When a VoIP profile is applied to a firewall policy, the inspection mode determines whether SIP ALG or flow-based SIP is used. Therefore, SIP ALG and flow-based SIP were mutually exclusive. You could not use both at the same time.

Proxy-based SIP ALG is able to handle features such as pinhole creation and NAT that flow-based SIP inspection cannot. Flow-based SIP can handle features such as MSRP decoding and scanning that proxy-based SIP ALG cannot.

To solve this problem, FortiOS 7.4.0 introduces a new IPS-based VoIP profile option (ips-voip-filter) that allows flow-based SIP inspection to complement SIP ALG, so the two can work together on the same policy.

config firewall policy
    edit <id>
        set ips-voip-filter <name>
    next
end

The VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The voip-profile can be selected regardless of the inspection-mode in the firewall policy.

Previously, in the VoIP profile, users were able to select either a proxy-based or a flow-based feature set. These have been renamed to voipd and ips, respectively. Two options are added in the SIP configuration.

config voip profile
    edit <name>
        set feature-set {ips | voipd}
        config sip
            set call-id-regex <string>
            set content-type-regex <string>
        end
    next
end

feature-set {ips | voipd}

Set the inspection feature set.

  • ips: (formerly flow) use the IPS Engine feature set for the ips-voip-filter firewall policy option.
  • voipd: (formerly proxy) use the SIP ALG feature set for the voip-profile firewall policy option.

call-id-regex <string>

Available when the ips feature set is selected. Enter a validation PCRE regular expression for the Call-Id header value.

content-type-regex <string>

Available when the ips feature set is selected. Enter a validation PCRE regular expression for the Content-Type header value.

A SIP ALG VoIP profile can be selected in a firewall policy to handle VoIP traffic with SIP ALG features. For example:

config firewall policy
    edit 1
        set voip-profile "voip_sip_alg"
    next
end

An IPS-based VoIP profile can be selected with a SIP ALG VoIP profile within the same firewall policy. For example:

config firewall policy
    edit 1
        set voip-profile "voip_sip_alg"
        set ips-voip-filter "voip_sip_ips"
    next
end

Note

When both SIP ALG and SIP IPS are used and configured with the same block rules, SIP IPS takes priority and performs the blocking.

Example

In this example, SIP ALG is required for pinhole creation and NAT handling, while controlling SIP messages requires flow-based SIP. The administrator needs to configure two SIP profiles, one with each feature set (voipd and ips), and apply both SIP profiles in the same firewall policy.

To configure SIP ALG with SIP IPS:
  1. Configure the VoIP profiles:

    config voip profile
        edit "voip_sip_alg"
            set feature-set voipd
            set comment "sip_alg_simple"
            config sip
                set log-violations enable
                set log-call-summary enable
            end
        next
        edit "voip_sip_ips"
            set feature-set ips
            set comment "ips_voip_blocking"
            config sip
                set block-invite enable
                set log-violations enable
            end
        next
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port9"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ips-sensor "g-default"
            set voip-profile "voip_sip_alg"
            set ips-voip-filter "voip_sip_ips"
            set logtraffic all
            set nat enable
        next
    end

To verify the SIP proxy calls:
  1. Verify the register request:

    # diagnose sys sip-proxy calls
    sip calls
      vdom 1 (vdom1) vrf 0 call 7f2b99828300
        call-id: 619216389
        txn 7f2b998ad600 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 527 HA 0
          i_session: 7f2b998aac00  r_session: 7f2b998aac00
          register: present
          from: sip:2001@172.16.200.44
          to: sip:2001@172.16.200.44
          src: 10.1.100.11:5060
          dst: 172.16.200.44:5060
  2. Verify the invite request:

    # diagnose sys sip-proxy calls
    sip calls
      vdom 1 (vdom1) vrf 0 call 7f2b99828300
        call-id: 619216389
        txn 7f2b998ad600 (REGISTER)
          cseq 2 dir 0 state 5 status 200 expiry 316 HA 0
          i_session: 7f2b998aac00  r_session: 7f2b998aac00
          register: present
          from: sip:2001@172.16.200.44
          to: sip:2001@172.16.200.44
          src: 10.1.100.11:5060
          dst: 172.16.200.44:5060

Sample logs

Register request:

date=2023-01-13 time=09:46:03 eventtime=1673631963477298677 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=17092 epoch=0 event_id=1 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_alg" voip_proto="sip" kind="register" action="permit" status="succeeded" duration=0 dir="session_origin" call_id="619216389" from="sip:2001@172.16.200.44" to="sip:2001@172.16.200.44"

Invite request:

date=2023-01-13 time=09:54:43 eventtime=1673632484065549240 tz="-0800" logid="0814044033" type="utm" subtype="voip" eventtype="voip" level="notice" vd="vdom1" session_id=17092 epoch=0 event_id=0 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_ips" voip_proto="sip" kind="call" action="block" status="N/A" reason="block-request" duration=0 dir="session_reverse" message_type="request" request_name="INVITE" call_id="1967779864" count=0 from="<sip:2001@172.16.200.44>" to="<sip:2002@172.16.200.44>" attackid=50083 attack="SIP.Invite.Method"
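As an added example (not Fortinet's code), the following Python parses the two sample log lines above and attributes each SIP event to the profile that acted on it, which is how an analyst tells a SIP ALG permit apart from a SIP IPS block on the same policy. The profile-to-feature-set map is taken from the configuration example above; the function names are my own.

```python
import re
from typing import Dict, List

# Feature set of each VoIP profile, taken from this page's config example.
PROFILE_FEATURE_SET = {"voip_sip_alg": "voipd", "voip_sip_ips": "ips"}

# The two sample log lines from this page's "Sample logs" section.
SAMPLE_LOGS = [
    'date=2023-01-13 time=09:46:03 eventtime=1673631963477298677 tz="-0800" logid="0814044032" type="utm" subtype="voip" eventtype="voip" level="information" vd="vdom1" session_id=17092 epoch=0 event_id=1 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_alg" voip_proto="sip" kind="register" action="permit" status="succeeded" duration=0 dir="session_origin" call_id="619216389" from="sip:2001@172.16.200.44" to="sip:2001@172.16.200.44"',
    'date=2023-01-13 time=09:54:43 eventtime=1673632484065549240 tz="-0800" logid="0814044033" type="utm" subtype="voip" eventtype="voip" level="notice" vd="vdom1" session_id=17092 epoch=0 event_id=0 srcip=10.1.100.11 src_port=5060 dstip=172.16.200.44 dst_port=5060 proto=17 src_int="port1" dst_int="port9" policy_id=1 profile="voip_sip_ips" voip_proto="sip" kind="call" action="block" status="N/A" reason="block-request" duration=0 dir="session_reverse" message_type="request" request_name="INVITE" call_id="1967779864" count=0 from="<sip:2001@172.16.200.44>" to="<sip:2002@172.16.200.44>" attackid=50083 attack="SIP.Invite.Method"',
]

# One key=value field: the value is either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict (quotes stripped)."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarise_sip_events(lines: List[str]) -> List[Dict[str, str]]:
    """Keep the VoIP UTM events and tag each with the acting profile's
    feature set. attackid/attack appear only on SIP IPS verdicts, which is
    how an ALG permit and an IPS block on the same policy are told apart."""
    events = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("type") != "utm" or f.get("subtype") != "voip":
            continue
        profile = f.get("profile", "")
        events.append({
            "profile": profile,
            "feature_set": PROFILE_FEATURE_SET.get(profile, "unknown"),
            "kind": f.get("kind"),
            "action": f.get("action"),
            "request": f.get("request_name"),  # absent on ALG register logs
            "call_id": f.get("call_id"),
            "from": f.get("from"),
            "to": f.get("to"),
            "signature": f.get("attack"),      # only on SIP IPS block logs
            "attackid": f.get("attackid"),
        })
    return events


def blocked_requests(lines: List[str]) -> List[Dict[str, str]]:
    """SIP requests the firewall blocked, for triage of ips-voip-filter hits."""
    return [e for e in summarise_sip_events(lines) if e["action"] == "block"]
```

Feeding the same parser a full log export lets you confirm that a message blocked by both profiles is reported once, under the SIP IPS profile, as the note above states.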