Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.2 Administration Guide
    7.4.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    SIP ALG and SIP session helper

    SIP ALG and SIP session helper

    The SIP session helper is a high-performance solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes, and by performing NAT of the addresses in SIP messages.

    SIP Application Layer Gateway (ALG) provides the same basic SIP support as the SIP session helper. In addition, SIP ALG provides a wide range of features that protect your network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP activity.

    By default, all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a VoIP profile, the SIP traffic is processed by the SIP ALG using the default VoIP profile.

    To change between SIP ALG mode and SIP session helper mode:
    config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end

    default-voip-alg-mode {proxy-based | kernel-helper-based}

    Set how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.

    • proxy-based: use SIP ALG to process SIP traffic (default).
    • kernel-helper-based: use the SIP session helper to process SIP traffic.

    The default-voip-alg-mode setting works together with the VoIP profile configured in a firewall policy to determine whether SIP ALG, SIP ALG with IPS SIP, or the SIP session helper are used to process the SIP traffic. The following firewall policy settings correspond to the VoIP profiles (see also SIP message inspection and filtering).

    config firewall policy
    edit <id>
        set voip-profile <voipd-based_profile>
        set ips-voip-filter <ips-based_profile>
    next
end

    The following table explains the results of configuring different combinations of the preceding settings.

    Firewall policy setting

    Default VoIP ALG mode setting

    voip-profile

    ips-voip-filter

    kernel-helper-based

    proxy-based

    Yes

    Yes

    SIP ALG + IPS SIP

    SIP ALG + IPS SIP

    Yes

    No

    SIP ALG

    SIP ALG

    No

    Yes

    SIP ALG + IPS SIP

    SIP ALG + IPS SIP

    No

    No

    SIP session helper

    SIP ALG

    SIP ALG configurations

    SIP ALG can be enabled in several ways. The following configuration examples demonstrate different settings.

    Example 1

    In this example, a voipd-based profile is configured and applied to a firewall policy. The default-voip-alg-mode remains as the default setting (proxy-based).

    To configure SIP ALG:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode proxy-based
end

    2. Configure the VoIP profile:

      config voip profile
    edit "sip-alg-profile"
        set feature-set voipd
        config sip
            set status enable
        end
    next
end

    3. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-Proxy"
        set utm-status enable
        set voip-profile "sip-alg-profile"
    next
end

    Example 2

    In this example, the default-voip-alg-mode is set to kernel-helper-based. A VoIP profile (VoIP-Proxy) has SIP enabled and is applied to a firewall policy.

    To configure SIP ALG:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode kernel-helper-based
end

    2. Configure the VoIP profile:

      config voip profile
    edit "sip-alg-profile"
        set feature-set voipd
        config sip
            set status enable
        end
    next
end

    3. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-Proxy"
        set utm-status enable
        set voip-profile "sip-alg-profile"
    next
end

    Example 3

    In this example, no VoIP profile is selected in the firewall policy. However, the default-voip-alg-mode is set to proxy-based. The default voip-profile is implicitly applied.

    To configure SIP ALG to implicitly use the default VoIP profile:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode proxy-based
end

    2. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-Proxy"
        set utm-status enable
        set voip-profile ""
    next
end

    SIP session helper configurations

    In some instances, SIP providers may recommend that customers disable SIP ALG on their edge firewall. This is how you can disable SIP ALG and enable the SIP session helper.

    Example 1

    In this example, the default-voip-alg-mode is set to kernel-helper-based, and a VoIP profile is not applied in a firewall policy. Session helper 13 is enabled by default.

    To configure the SIP session helper:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode kernel-helper-based
end

    2. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-session-helper"
        set utm-status enable
        set voip-profile ""
    next
end

    3. Configure the session helper:

      config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end

    Example 2

    In this example, the default-voip-alg-mode is set to either proxy-based or kernel-helper-based. A VoIP profile that has SIP disabled is applied to the firewall policy.

    To configure the SIP session helper:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end

    2. Configure the VoIP profile:

      config voip profile
    edit "sip-disabled-profile"
        set feature-set voipd
        config sip
            set status disable
        end
    next
end

    3. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-session-helper"
        set utm-status enable
        set voip-profile "sip-disabled-profile"
    next
end

    4. Configure the session helper:

      config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end

    Example 3

    In this example, the session helper is removed because the SIP provider suggests to disable SIP ALG and the session helper altogether.

    To remove the SIP session helper:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode kernel-helper-based
end

    2. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-session-helper"
        set utm-status enable
        set voip-profile ""
    next
end

    3. Remove the session helper:

      config system session-helper
    delete 13
end

    Modifying the SIP port

    Most SIP configurations use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP SSL sessions. If your SIP network uses different ports for SIP sessions, the SIP port can be changed. You can also listen to two TCP and UDP ports .

    To change the SIP port:
    config system settings
    set sip-tcp-port 5064
    set sip-udp-port 5065
    set sip-ssl-port 5066
end
    To listen to two TCP and UDP ports:
    config system settings
    set sip-tcp-port 5060 5064
    set sip-udp-port 5061 5065
end
    To modify the SIP ports for the default SIP session helper:
    config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5065
    next
end
    To add a new session helper to listen on UDP and TCP 5064:
    config system session-helper
    edit 0
        set name sip
        set port 5064
    next
end
    Previous
    Next

    SIP ALG and SIP session helper

    SIP ALG and SIP session helper

    The SIP session helper is a high-performance solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes, and by performing NAT of the addresses in SIP messages.

    SIP Application Layer Gateway (ALG) provides the same basic SIP support as the SIP session helper. In addition, SIP ALG provides a wide range of features that protect your network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP activity.

    By default, all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a VoIP profile, the SIP traffic is processed by the SIP ALG using the default VoIP profile.

    To change between SIP ALG mode and SIP session helper mode:
    config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end

    default-voip-alg-mode {proxy-based | kernel-helper-based}

    Set how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.

    • proxy-based: use SIP ALG to process SIP traffic (default).
    • kernel-helper-based: use the SIP session helper to process SIP traffic.

    The default-voip-alg-mode setting works together with the VoIP profile configured in a firewall policy to determine whether SIP ALG, SIP ALG with IPS SIP, or the SIP session helper are used to process the SIP traffic. The following firewall policy settings correspond to the VoIP profiles (see also SIP message inspection and filtering).

    config firewall policy
    edit <id>
        set voip-profile <voipd-based_profile>
        set ips-voip-filter <ips-based_profile>
    next
end

    The following table explains the results of configuring different combinations of the preceding settings.

    Firewall policy setting

    Default VoIP ALG mode setting

    voip-profile

    ips-voip-filter

    kernel-helper-based

    proxy-based

    Yes

    Yes

    SIP ALG + IPS SIP

    SIP ALG + IPS SIP

    Yes

    No

    SIP ALG

    SIP ALG

    No

    Yes

    SIP ALG + IPS SIP

    SIP ALG + IPS SIP

    No

    No

    SIP session helper

    SIP ALG

    SIP ALG configurations

    SIP ALG can be enabled in several ways. The following configuration examples demonstrate different settings.

    Example 1

    In this example, a voipd-based profile is configured and applied to a firewall policy. The default-voip-alg-mode remains as the default setting (proxy-based).

    To configure SIP ALG:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode proxy-based
end

    2. Configure the VoIP profile:

      config voip profile
    edit "sip-alg-profile"
        set feature-set voipd
        config sip
            set status enable
        end
    next
end

    3. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-Proxy"
        set utm-status enable
        set voip-profile "sip-alg-profile"
    next
end

    Example 2

    In this example, the default-voip-alg-mode is set to kernel-helper-based. A VoIP profile (VoIP-Proxy) has SIP enabled and is applied to a firewall policy.

    To configure SIP ALG:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode kernel-helper-based
end

    2. Configure the VoIP profile:

      config voip profile
    edit "sip-alg-profile"
        set feature-set voipd
        config sip
            set status enable
        end
    next
end

    3. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-Proxy"
        set utm-status enable
        set voip-profile "sip-alg-profile"
    next
end

    Example 3

    In this example, no VoIP profile is selected in the firewall policy. However, the default-voip-alg-mode is set to proxy-based. The default voip-profile is implicitly applied.

    To configure SIP ALG to implicitly use the default VoIP profile:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode proxy-based
end

    2. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-Proxy"
        set utm-status enable
        set voip-profile ""
    next
end

    SIP session helper configurations

    In some instances, SIP providers may recommend that customers disable SIP ALG on their edge firewall. This is how you can disable SIP ALG and enable the SIP session helper.

    Example 1

    In this example, the default-voip-alg-mode is set to kernel-helper-based, and a VoIP profile is not applied in a firewall policy. Session helper 13 is enabled by default.

    To configure the SIP session helper:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode kernel-helper-based
end

    2. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-session-helper"
        set utm-status enable
        set voip-profile ""
    next
end

    3. Configure the session helper:

      config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end

    Example 2

    In this example, the default-voip-alg-mode is set to either proxy-based or kernel-helper-based. A VoIP profile that has SIP disabled is applied to the firewall policy.

    To configure the SIP session helper:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end

    2. Configure the VoIP profile:

      config voip profile
    edit "sip-disabled-profile"
        set feature-set voipd
        config sip
            set status disable
        end
    next
end

    3. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-session-helper"
        set utm-status enable
        set voip-profile "sip-disabled-profile"
    next
end

    4. Configure the session helper:

      config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end

    Example 3

    In this example, the session helper is removed because the SIP provider suggests to disable SIP ALG and the session helper altogether.

    To remove the SIP session helper:

    1. Configure the default VoIP ALG mode:

      config system settings
    set default-voip-alg-mode kernel-helper-based
end

    2. Configure the firewall policy:

      config firewall policy
    edit 0
        set name "VoIP-session-helper"
        set utm-status enable
        set voip-profile ""
    next
end

    3. Remove the session helper:

      config system session-helper
    delete 13
end

    Modifying the SIP port

    Most SIP configurations use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP SSL sessions. If your SIP network uses different ports for SIP sessions, the SIP port can be changed. You can also listen to two TCP and UDP ports .

    To change the SIP port:
    config system settings
    set sip-tcp-port 5064
    set sip-udp-port 5065
    set sip-ssl-port 5066
end
    To listen to two TCP and UDP ports:
    config system settings
    set sip-tcp-port 5060 5064
    set sip-udp-port 5061 5065
end
    To modify the SIP ports for the default SIP session helper:
    config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5065
    next
end
    To add a new session helper to listen on UDP and TCP 5064:
    config system session-helper
    edit 0
        set name sip
        set port 5064
    next
end
    Previous
    Next