IPS-based and voipd-based VoIP profiles

In FortiOS 7.4.0 and later, the new IPS-based VoIP profile allows flow-based SIP inspection to work alongside SIP ALG and complement it. Two types of VoIP profile can now be configured:

config voip profile
    edit <name>
        set feature-set {ips | voipd}
    next
end

A voipd-based VoIP profile is handled by the voipd daemon using SIP ALG inspection. This feature set was named proxy in previous FortiOS versions.

An ips-based VoIP profile is handled by the IPS daemon using flow-based SIP inspection. This feature set was named flow in previous FortiOS versions.

Both VoIP profile types can be configured at the same time on a firewall policy. For example:

config firewall policy
    edit 1
        set voip-profile "voip_sip_alg"
        set ips-voip-filter "voip_sip_ips"
    next
end

Where:

  • voip-profile can select a voip-profile with feature-set voipd.

  • ips-voip-filter can select a voip-profile with feature-set ips.

The VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The VoIP profile can be selected regardless of the inspection mode used in the firewall policy. The new ips-voip-filter setting allows users to select an IPS-based VoIP profile to apply flow-based SIP inspection, which can work concurrently with SIP ALG.

Upon upgrade, the feature-set setting of the voip profile determines whether the profile applied in the firewall policy is voip-profile or ips-voip-filter.

Before upgrade:

config voip profile
    edit "ips_voip_filter"
        set feature-set flow
    next
    edit "sip_alg_profile"
        set feature-set proxy
    next
end

config firewall policy
    edit 1
        set voip-profile "ips_voip_filter"
    next
    edit 2
        set voip-profile "sip_alg_profile"
    next
end

After upgrade:

config voip profile
    edit "ips_voip_filter"
        set feature-set ips
    next
    edit "sip_alg_profile"
        set feature-set voipd
    next
end

config firewall policy
    edit 1
        set ips-voip-filter "ips_voip_filter"
    next
    edit 2
        set voip-profile "sip_alg_profile"
    next
end
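
A pre-upgrade check for the migration rule above, as an added example (not Fortinet tooling and not code from this page): it reads a configuration backup in the syntax shown here and reports which policy setting each voip-profile reference is expected to use after upgrade. The function names and the REVIEW marker are assumptions of this example; REVIEW is returned when a profile has no explicit feature-set, because the page does not state the default.

```python
# Constructed sample: the "before upgrade" configuration shown on this page.
SAMPLE = '''
config voip profile
    edit "ips_voip_filter"
        set feature-set flow
    next
    edit "sip_alg_profile"
        set feature-set proxy
    next
end
config firewall policy
    edit 1
        set voip-profile "ips_voip_filter"
    next
    edit 2
        set voip-profile "sip_alg_profile"
    next
end
'''
# feature-set value (old or new name) -> policy setting used after upgrade, per this page.
TARGET = {"flow": "ips-voip-filter", "ips": "ips-voip-filter",
          "proxy": "voip-profile", "voipd": "voip-profile"}

def parse_tables(text):
    """Parse top-level 'config <table>' blocks into {table: {entry: {key: value}}}."""
    tables, table, entry, depth = {}, None, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # nested config blocks inside an entry are skipped
                table = entry = tables.setdefault(line[7:], {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables

def predict_policy_settings(text):
    """Return {policy id: (post-upgrade setting, profile name)}; REVIEW = undecidable."""
    tables = parse_tables(text)
    profiles, out = tables.get("voip profile", {}), {}
    for pid, cfg in tables.get("firewall policy", {}).items():
        if name := cfg.get("voip-profile"):
            # Default feature-set is not stated on the page: missing value -> REVIEW.
            feature_set = profiles.get(name, {}).get("feature-set")
            out[pid] = (TARGET.get(feature_set, "REVIEW"), name)
    return out
```

Comparing this prediction with the policy table after the upgrade shows whether any policy ended up with a different SIP inspection path than expected.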
