
CLI Reference

config voip profile

Configure VoIP profiles.

config voip profile
    Description: Configure VoIP profiles.
    edit <name>
        set comment {var-string}
        set feature-set [flow|proxy]
        config msrp
            Description: MSRP.
            set status [disable|enable]
            set log-violations [disable|enable]
            set max-msg-size {integer}
            set max-msg-size-action [pass|block|...]
        end
        config sccp
            Description: SCCP.
            set status [disable|enable]
            set block-mcast [disable|enable]
            set verify-header [disable|enable]
            set log-call-summary [disable|enable]
            set log-violations [disable|enable]
            set max-calls {integer}
        end
        config sip
            Description: SIP.
            set status [disable|enable]
            set rtp [disable|enable]
            set nat-port-range {user}
            set open-register-pinhole [disable|enable]
            set open-contact-pinhole [disable|enable]
            set strict-register [disable|enable]
            set register-rate {integer}
            set register-rate-track [none|src-ip|...]
            set invite-rate {integer}
            set invite-rate-track [none|src-ip|...]
            set max-dialogs {integer}
            set max-line-length {integer}
            set block-long-lines [disable|enable]
            set block-unknown [disable|enable]
            set call-keepalive {integer}
            set block-ack [disable|enable]
            set block-bye [disable|enable]
            set block-cancel [disable|enable]
            set block-info [disable|enable]
            set block-invite [disable|enable]
            set block-message [disable|enable]
            set block-notify [disable|enable]
            set block-options [disable|enable]
            set block-prack [disable|enable]
            set block-publish [disable|enable]
            set block-refer [disable|enable]
            set block-register [disable|enable]
            set block-subscribe [disable|enable]
            set block-update [disable|enable]
            set register-contact-trace [disable|enable]
            set open-via-pinhole [disable|enable]
            set open-record-route-pinhole [disable|enable]
            set rfc2543-branch [disable|enable]
            set log-violations [disable|enable]
            set log-call-summary [disable|enable]
            set nat-trace [disable|enable]
            set subscribe-rate {integer}
            set subscribe-rate-track [none|src-ip|...]
            set message-rate {integer}
            set message-rate-track [none|src-ip|...]
            set notify-rate {integer}
            set notify-rate-track [none|src-ip|...]
            set refer-rate {integer}
            set refer-rate-track [none|src-ip|...]
            set update-rate {integer}
            set update-rate-track [none|src-ip|...]
            set options-rate {integer}
            set options-rate-track [none|src-ip|...]
            set ack-rate {integer}
            set ack-rate-track [none|src-ip|...]
            set prack-rate {integer}
            set prack-rate-track [none|src-ip|...]
            set info-rate {integer}
            set info-rate-track [none|src-ip|...]
            set publish-rate {integer}
            set publish-rate-track [none|src-ip|...]
            set bye-rate {integer}
            set bye-rate-track [none|src-ip|...]
            set cancel-rate {integer}
            set cancel-rate-track [none|src-ip|...]
            set preserve-override [disable|enable]
            set no-sdp-fixup [disable|enable]
            set contact-fixup [disable|enable]
            set max-idle-dialogs {integer}
            set block-geo-red-options [disable|enable]
            set hosted-nat-traversal [disable|enable]
            set hnt-restrict-source-ip [disable|enable]
            set max-body-length {integer}
            set unknown-header [discard|pass|...]
            set malformed-request-line [discard|pass|...]
            set malformed-header-via [discard|pass|...]
            set malformed-header-from [discard|pass|...]
            set malformed-header-to [discard|pass|...]
            set malformed-header-call-id [discard|pass|...]
            set malformed-header-cseq [discard|pass|...]
            set malformed-header-rack [discard|pass|...]
            set malformed-header-rseq [discard|pass|...]
            set malformed-header-contact [discard|pass|...]
            set malformed-header-record-route [discard|pass|...]
            set malformed-header-route [discard|pass|...]
            set malformed-header-expires [discard|pass|...]
            set malformed-header-content-type [discard|pass|...]
            set malformed-header-content-length [discard|pass|...]
            set malformed-header-max-forwards [discard|pass|...]
            set malformed-header-allow [discard|pass|...]
            set malformed-header-p-asserted-identity [discard|pass|...]
            set malformed-header-no-require [discard|pass|...]
            set malformed-header-no-proxy-require [discard|pass|...]
            set malformed-header-sdp-v [discard|pass|...]
            set malformed-header-sdp-o [discard|pass|...]
            set malformed-header-sdp-s [discard|pass|...]
            set malformed-header-sdp-i [discard|pass|...]
            set malformed-header-sdp-c [discard|pass|...]
            set malformed-header-sdp-b [discard|pass|...]
            set malformed-header-sdp-z [discard|pass|...]
            set malformed-header-sdp-k [discard|pass|...]
            set malformed-header-sdp-a [discard|pass|...]
            set malformed-header-sdp-t [discard|pass|...]
            set malformed-header-sdp-r [discard|pass|...]
            set malformed-header-sdp-m [discard|pass|...]
            set provisional-invite-expiry-time {integer}
            set ips-rtp [disable|enable]
            set ssl-mode [off|full]
            set ssl-send-empty-frags [enable|disable]
            set ssl-client-renegotiation [allow|deny|...]
            set ssl-algorithm [high|medium|...]
            set ssl-pfs [require|deny|...]
            set ssl-min-version [ssl-3.0|tls-1.0|...]
            set ssl-max-version [ssl-3.0|tls-1.0|...]
            set ssl-client-certificate {string}
            set ssl-server-certificate {string}
            set ssl-auth-client {string}
            set ssl-auth-server {string}
        end
    next
end

config voip profile

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| comment | Comment. | var-string | Maximum length: 255 | |
| feature-set | Flow or proxy inspection feature set. Options: flow (Flow feature set.); proxy (Proxy feature set.) | option | - | proxy |
| name | Profile name. | string | Maximum length: 35 | |

config msrp

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| status | Enable/disable MSRP. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| log-violations | Enable/disable logging of MSRP violations. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| max-msg-size | Maximum allowable MSRP message size. | integer | Minimum value: 0 Maximum value: 65535 | 0 |
| max-msg-size-action | Action for violation of max-msg-size. Options: pass (Pass or allow matching traffic.); block (Block or drop matching traffic.); reset (Reset sessions for matching traffic.); monitor (Pass and log matching traffic.) | option | - | pass |

config sccp

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| status | Enable/disable SCCP. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| block-mcast | Enable/disable block multicast RTP connections. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| verify-header | Enable/disable verify SCCP header content. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| log-call-summary | Enable/disable log summary of SCCP calls. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| log-violations | Enable/disable logging of SCCP violations. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| max-calls | Maximum calls per minute per SCCP client (max 65535). | integer | Minimum value: 0 Maximum value: 65535 | 0 |

config sip

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| status | Enable/disable SIP. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| rtp | Enable/disable create pinholes for RTP traffic to traverse firewall. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| nat-port-range | RTP NAT port range. | user | Not Specified | 5117-65533 |
| open-register-pinhole | Enable/disable open pinhole for REGISTER Contact port. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| open-contact-pinhole | Enable/disable open pinhole for non-REGISTER Contact port. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| strict-register | Enable/disable only allow the registrar to connect. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| register-rate | REGISTER request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| register-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| invite-rate | INVITE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| invite-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| max-dialogs | Maximum number of concurrent calls/dialogs (per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| max-line-length | Maximum SIP header line length. | integer | Minimum value: 78 Maximum value: 4096 | 998 |
| block-long-lines | Enable/disable block requests with headers exceeding max-line-length. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| block-unknown | Block unrecognized SIP requests. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| call-keepalive | Continue tracking calls with no RTP for this many minutes. | integer | Minimum value: 0 Maximum value: 10080 | 0 |
| block-ack | Enable/disable block ACK requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-bye | Enable/disable block BYE requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-cancel | Enable/disable block CANCEL requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-info | Enable/disable block INFO requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-invite | Enable/disable block INVITE requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-message | Enable/disable block MESSAGE requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-notify | Enable/disable block NOTIFY requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-options | Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-prack | Enable/disable block PRACK requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-publish | Enable/disable block PUBLISH requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-refer | Enable/disable block REFER requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-register | Enable/disable block REGISTER requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-subscribe | Enable/disable block SUBSCRIBE requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| block-update | Enable/disable block UPDATE requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| register-contact-trace | Enable/disable trace original IP/port within the contact header of REGISTER requests. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| open-via-pinhole | Enable/disable open pinhole for Via port. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| open-record-route-pinhole | Enable/disable open pinhole for Record-Route port. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| rfc2543-branch | Enable/disable support via branch compliant with RFC 2543. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| log-violations | Enable/disable logging of SIP violations. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| log-call-summary | Enable/disable logging of SIP call summary. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| nat-trace | Enable/disable preservation of original IP in SDP i line. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| subscribe-rate | SUBSCRIBE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| subscribe-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| message-rate | MESSAGE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| message-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| notify-rate | NOTIFY request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| notify-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| refer-rate | REFER request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| refer-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| update-rate | UPDATE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| update-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| options-rate | OPTIONS request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| options-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| ack-rate | ACK request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| ack-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| prack-rate | PRACK request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| prack-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| info-rate | INFO request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| info-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| publish-rate | PUBLISH request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| publish-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| bye-rate | BYE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| bye-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| cancel-rate | CANCEL request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| cancel-rate-track | Track the packet protocol field. Options: none (None.); src-ip (Source IP.); dest-ip (Destination IP.) | option | - | none |
| preserve-override | Override i line to preserve original IPS. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| no-sdp-fixup | Enable/disable no SDP fix-up. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| contact-fixup | Fixup contact anyway even if contact's IP:port doesn't match session's IP:port. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| max-idle-dialogs | Maximum number of established but idle dialogs to retain (per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| block-geo-red-options | Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| hosted-nat-traversal | Hosted NAT Traversal (HNT). Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| hnt-restrict-source-ip | Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled. Options: disable (Disable status.); enable (Enable status.) | option | - | disable |
| max-body-length | Maximum SIP message body length (0 meaning no limit). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| unknown-header | Action for unknown SIP header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-request-line | Action for malformed request line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-via | Action for malformed Via header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-from | Action for malformed From header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-to | Action for malformed To header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-call-id | Action for malformed Call-ID header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-cseq | Action for malformed CSeq header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-rack | Action for malformed RAck header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-rseq | Action for malformed RSeq header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-contact | Action for malformed Contact header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-record-route | Action for malformed Record-Route header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-route | Action for malformed Route header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-expires | Action for malformed Expires header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-content-type | Action for malformed Content-Type header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-content-length | Action for malformed Content-Length header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-max-forwards | Action for malformed Max-Forwards header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-allow | Action for malformed Allow header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-p-asserted-identity | Action for malformed P-Asserted-Identity header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-no-require | Action for malformed SIP messages without Require header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-no-proxy-require | Action for malformed SIP messages without Proxy-Require header. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-v | Action for malformed SDP v line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-o | Action for malformed SDP o line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-s | Action for malformed SDP s line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-i | Action for malformed SDP i line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-c | Action for malformed SDP c line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-b | Action for malformed SDP b line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-z | Action for malformed SDP z line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-k | Action for malformed SDP k line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-a | Action for malformed SDP a line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-t | Action for malformed SDP t line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-r | Action for malformed SDP r line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| malformed-header-sdp-m | Action for malformed SDP m line. Options: discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) | option | - | pass |
| provisional-invite-expiry-time | Expiry time for provisional INVITE. | integer | Minimum value: 10 Maximum value: 3600 | 210 |
| ips-rtp | Enable/disable allow IPS on RTP. Options: disable (Disable status.); enable (Enable status.) | option | - | enable |
| ssl-mode * | SSL/TLS mode for encryption & decryption of traffic. Options: off (No SSL.); full (Client to FortiGate and FortiGate to Server SSL.) | option | - | off |
| ssl-send-empty-frags * | Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). Options: enable (Send empty fragments.); disable (Do not send empty fragments.) | option | - | enable |
| ssl-client-renegotiation * | Allow/block client renegotiation by server. Options: allow (Allow an SSL client to renegotiate.); deny (Abort any SSL connection that attempts to renegotiate.); secure (Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.) | option | - | allow |
| ssl-algorithm * | Relative strength of encryption algorithms accepted in negotiation. Options: high (High encryption. Allow only AES and ChaCha.); medium (Medium encryption. Allow AES, ChaCha, 3DES, and RC4.); low (Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.) | option | - | high |
| ssl-pfs * | SSL Perfect Forward Secrecy. Options: require (PFS mandatory.); deny (PFS rejected.); allow (PFS allowed.) | option | - | allow |
| ssl-min-version * | Lowest SSL/TLS version to negotiate. Options: ssl-3.0 (SSL 3.0.); tls-1.0 (TLS 1.0.); tls-1.1 (TLS 1.1.); tls-1.2 (TLS 1.2.); tls-1.3 (TLS 1.3.) | option | - | tls-1.1 |
| ssl-max-version * | Highest SSL/TLS version to negotiate. Options: ssl-3.0 (SSL 3.0.); tls-1.0 (TLS 1.0.); tls-1.1 (TLS 1.1.); tls-1.2 (TLS 1.2.); tls-1.3 (TLS 1.3.) | option | - | tls-1.3 |
| ssl-client-certificate * | Name of certificate to offer to server if requested. | string | Maximum length: 35 | |
| ssl-server-certificate * | Name of certificate to return to the client in every SSL connection. | string | Maximum length: 35 | |
| ssl-auth-client * | Require a client certificate and authenticate it with the peer/peergrp. | string | Maximum length: 35 | |
| ssl-auth-server * | Authenticate the server's certificate with the peer/peergrp. | string | Maximum length: 35 | |

* This parameter may not exist in some models.
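
Several of the SIP defaults listed above are permissive: every malformed-* action and unknown-header default to pass, log-violations defaults to disable, and ssl-min-version defaults to tls-1.1. The following added example (not Fortinet code) parses a `config voip profile` block and reports those settings per profile, applying the defaults from the table when a setting is absent. The sample configuration, the profile names and the audit policy (flagging pass actions, a TLS 1.2 floor, flagging renegotiation set to allow) are assumptions of this example.

```python
import shlex

# Parameter names and defaults below are copied from the "config sip" table on this page.
HEADERS = ("via from to call-id cseq rack rseq contact record-route route expires "
           "content-type content-length max-forwards allow p-asserted-identity "
           "no-require no-proxy-require").split()
MALFORMED_KEYS = (["unknown-header", "malformed-request-line"]
                  + ["malformed-header-" + h for h in HEADERS]
                  + ["malformed-header-sdp-" + c for c in "vosicbzkatrm"])

SIP_DEFAULTS = {key: "pass" for key in MALFORMED_KEYS}
SIP_DEFAULTS.update({
    "log-violations": "disable",
    "ssl-mode": "off",
    "ssl-client-renegotiation": "allow",
    "ssl-algorithm": "high",
    "ssl-min-version": "tls-1.1",
})
TLS_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]


def parse_voip_profiles(text):
    """Return {profile: {section: {parameter: value}}}; top-level settings use section ''."""
    profiles, stack, current = {}, [], None
    for line in text.splitlines():
        tok = shlex.split(line)          # handles quoted values such as comments
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            stack.append(" ".join(tok[1:]))
        elif cmd == "end":
            if stack:
                stack.pop()
        elif not stack or stack[0] != "voip profile":
            continue                      # ignore every other top-level config block
        elif cmd == "edit" and len(stack) == 1:
            current = profiles.setdefault(tok[1], {})
        elif cmd == "next" and len(stack) == 1:
            current = None
        elif cmd == "set" and current is not None and len(tok) >= 3:
            section = stack[1] if len(stack) > 1 else ""
            current.setdefault(section, {})[tok[1]] = " ".join(tok[2:])
    return profiles


def audit_sip(sip_settings):
    """Return (parameter, effective value, reason) tuples for one profile's sip section."""
    eff = {**SIP_DEFAULTS, **sip_settings}   # absent settings fall back to the defaults
    findings = []
    for key in MALFORMED_KEYS:
        if eff[key] == "pass":
            findings.append((key, "pass", "malformed or unknown input bypasses the check"))
    if eff["log-violations"] == "disable":
        findings.append(("log-violations", "disable", "SIP violations are not logged"))
    if eff["ssl-mode"] == "full":            # TLS settings only matter when SSL is on
        floor = eff["ssl-min-version"]
        if TLS_ORDER.index(floor) < TLS_ORDER.index("tls-1.2"):
            findings.append(("ssl-min-version", floor, "allows versions below TLS 1.2"))
        if eff["ssl-algorithm"] != "high":
            findings.append(("ssl-algorithm", eff["ssl-algorithm"],
                             "allows ciphers beyond AES and ChaCha"))
        if eff["ssl-client-renegotiation"] == "allow":
            findings.append(("ssl-client-renegotiation", "allow",
                             "client renegotiation is allowed"))
    return findings


def audit_config(text):
    """Audit the sip section of every VoIP profile found in the configuration text."""
    return {name: audit_sip(sections.get("sip", {}))
            for name, sections in parse_voip_profiles(text).items()}


# Constructed sample input; profile names and values are illustrative only.
SAMPLE_CONFIG = """
config voip profile
    edit "branch-voip"
        set comment "constructed sample"
        config sip
            set log-violations enable
            set malformed-request-line discard
            set malformed-header-via respond
            set ssl-mode full
            set ssl-min-version tls-1.0
            set ssl-algorithm medium
        end
    next
    edit "factory-defaults"
    next
end
"""

if __name__ == "__main__":
    for profile, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{profile}: {len(findings)} finding(s)")
        for parameter, value, reason in findings:
            print(f"  {parameter} = {value}: {reason}")
```
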

config voip profile

config voip profile

Configure VoIP profiles.

config voip profile
    Description: Configure VoIP profiles.
    edit <name>
        set comment {var-string}
        set feature-set [flow|proxy]
        config msrp
            Description: MSRP.
            set status [disable|enable]
            set log-violations [disable|enable]
            set max-msg-size {integer}
            set max-msg-size-action [pass|block|...]
        end
        config sccp
            Description: SCCP.
            set status [disable|enable]
            set block-mcast [disable|enable]
            set verify-header [disable|enable]
            set log-call-summary [disable|enable]
            set log-violations [disable|enable]
            set max-calls {integer}
        end
        config sip
            Description: SIP.
            set status [disable|enable]
            set rtp [disable|enable]
            set nat-port-range {user}
            set open-register-pinhole [disable|enable]
            set open-contact-pinhole [disable|enable]
            set strict-register [disable|enable]
            set register-rate {integer}
            set register-rate-track [none|src-ip|...]
            set invite-rate {integer}
            set invite-rate-track [none|src-ip|...]
            set max-dialogs {integer}
            set max-line-length {integer}
            set block-long-lines [disable|enable]
            set block-unknown [disable|enable]
            set call-keepalive {integer}
            set block-ack [disable|enable]
            set block-bye [disable|enable]
            set block-cancel [disable|enable]
            set block-info [disable|enable]
            set block-invite [disable|enable]
            set block-message [disable|enable]
            set block-notify [disable|enable]
            set block-options [disable|enable]
            set block-prack [disable|enable]
            set block-publish [disable|enable]
            set block-refer [disable|enable]
            set block-register [disable|enable]
            set block-subscribe [disable|enable]
            set block-update [disable|enable]
            set register-contact-trace [disable|enable]
            set open-via-pinhole [disable|enable]
            set open-record-route-pinhole [disable|enable]
            set rfc2543-branch [disable|enable]
            set log-violations [disable|enable]
            set log-call-summary [disable|enable]
            set nat-trace [disable|enable]
            set subscribe-rate {integer}
            set subscribe-rate-track [none|src-ip|...]
            set message-rate {integer}
            set message-rate-track [none|src-ip|...]
            set notify-rate {integer}
            set notify-rate-track [none|src-ip|...]
            set refer-rate {integer}
            set refer-rate-track [none|src-ip|...]
            set update-rate {integer}
            set update-rate-track [none|src-ip|...]
            set options-rate {integer}
            set options-rate-track [none|src-ip|...]
            set ack-rate {integer}
            set ack-rate-track [none|src-ip|...]
            set prack-rate {integer}
            set prack-rate-track [none|src-ip|...]
            set info-rate {integer}
            set info-rate-track [none|src-ip|...]
            set publish-rate {integer}
            set publish-rate-track [none|src-ip|...]
            set bye-rate {integer}
            set bye-rate-track [none|src-ip|...]
            set cancel-rate {integer}
            set cancel-rate-track [none|src-ip|...]
            set preserve-override [disable|enable]
            set no-sdp-fixup [disable|enable]
            set contact-fixup [disable|enable]
            set max-idle-dialogs {integer}
            set block-geo-red-options [disable|enable]
            set hosted-nat-traversal [disable|enable]
            set hnt-restrict-source-ip [disable|enable]
            set max-body-length {integer}
            set unknown-header [discard|pass|...]
            set malformed-request-line [discard|pass|...]
            set malformed-header-via [discard|pass|...]
            set malformed-header-from [discard|pass|...]
            set malformed-header-to [discard|pass|...]
            set malformed-header-call-id [discard|pass|...]
            set malformed-header-cseq [discard|pass|...]
            set malformed-header-rack [discard|pass|...]
            set malformed-header-rseq [discard|pass|...]
            set malformed-header-contact [discard|pass|...]
            set malformed-header-record-route [discard|pass|...]
            set malformed-header-route [discard|pass|...]
            set malformed-header-expires [discard|pass|...]
            set malformed-header-content-type [discard|pass|...]
            set malformed-header-content-length [discard|pass|...]
            set malformed-header-max-forwards [discard|pass|...]
            set malformed-header-allow [discard|pass|...]
            set malformed-header-p-asserted-identity [discard|pass|...]
            set malformed-header-no-require [discard|pass|...]
            set malformed-header-no-proxy-require [discard|pass|...]
            set malformed-header-sdp-v [discard|pass|...]
            set malformed-header-sdp-o [discard|pass|...]
            set malformed-header-sdp-s [discard|pass|...]
            set malformed-header-sdp-i [discard|pass|...]
            set malformed-header-sdp-c [discard|pass|...]
            set malformed-header-sdp-b [discard|pass|...]
            set malformed-header-sdp-z [discard|pass|...]
            set malformed-header-sdp-k [discard|pass|...]
            set malformed-header-sdp-a [discard|pass|...]
            set malformed-header-sdp-t [discard|pass|...]
            set malformed-header-sdp-r [discard|pass|...]
            set malformed-header-sdp-m [discard|pass|...]
            set provisional-invite-expiry-time {integer}
            set ips-rtp [disable|enable]
            set ssl-mode [off|full]
            set ssl-send-empty-frags [enable|disable]
            set ssl-client-renegotiation [allow|deny|...]
            set ssl-algorithm [high|medium|...]
            set ssl-pfs [require|deny|...]
            set ssl-min-version [ssl-3.0|tls-1.0|...]
            set ssl-max-version [ssl-3.0|tls-1.0|...]
            set ssl-client-certificate {string}
            set ssl-server-certificate {string}
            set ssl-auth-client {string}
            set ssl-auth-server {string}
        end
    next
end

config voip profile

| Parameter | Description | Type | Size | Default | Option (Description) |
|---|---|---|---|---|---|
| comment | Comment. | var-string | Maximum length: 255 | | |
| feature-set | Flow or proxy inspection feature set. | option | - | proxy | flow (Flow feature set.); proxy (Proxy feature set.) |
| name | Profile name. | string | Maximum length: 35 | | |

config msrp

| Parameter | Description | Type | Size | Default | Option (Description) |
|---|---|---|---|---|---|
| status | Enable/disable MSRP. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| log-violations | Enable/disable logging of MSRP violations. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| max-msg-size | Maximum allowable MSRP message size. | integer | Minimum value: 0 Maximum value: 65535 | 0 | |
| max-msg-size-action | Action for violation of max-msg-size. | option | - | pass | pass (Pass or allow matching traffic.); block (Block or drop matching traffic.); reset (Reset sessions for matching traffic.); monitor (Pass and log matching traffic.) |

config sccp

| Parameter | Description | Type | Size | Default | Option (Description) |
|---|---|---|---|---|---|
| status | Enable/disable SCCP. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| block-mcast | Enable/disable block multicast RTP connections. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| verify-header | Enable/disable verify SCCP header content. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| log-call-summary | Enable/disable log summary of SCCP calls. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| log-violations | Enable/disable logging of SCCP violations. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| max-calls | Maximum calls per minute per SCCP client (max 65535). | integer | Minimum value: 0 Maximum value: 65535 | 0 | |

config sip

| Parameter | Description | Type | Size | Default | Option (Description) |
|---|---|---|---|---|---|
| status | Enable/disable SIP. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| rtp | Enable/disable create pinholes for RTP traffic to traverse firewall. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| nat-port-range | RTP NAT port range. | user | Not Specified | 5117-65533 | |
| open-register-pinhole | Enable/disable open pinhole for REGISTER Contact port. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| open-contact-pinhole | Enable/disable open pinhole for non-REGISTER Contact port. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| strict-register | Enable/disable only allow the registrar to connect. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| register-rate | REGISTER request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| register-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| invite-rate | INVITE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| invite-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| max-dialogs | Maximum number of concurrent calls/dialogs (per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| max-line-length | Maximum SIP header line length. | integer | Minimum value: 78 Maximum value: 4096 | 998 | |
| block-long-lines | Enable/disable block requests with headers exceeding max-line-length. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| block-unknown | Block unrecognized SIP requests. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| call-keepalive | Continue tracking calls with no RTP for this many minutes. | integer | Minimum value: 0 Maximum value: 10080 | 0 | |
| block-ack | Enable/disable block ACK requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-bye | Enable/disable block BYE requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-cancel | Enable/disable block CANCEL requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-info | Enable/disable block INFO requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-invite | Enable/disable block INVITE requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-message | Enable/disable block MESSAGE requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-notify | Enable/disable block NOTIFY requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-options | Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-prack | Enable/disable block PRACK requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-publish | Enable/disable block PUBLISH requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-refer | Enable/disable block REFER requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-register | Enable/disable block REGISTER requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-subscribe | Enable/disable block SUBSCRIBE requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| block-update | Enable/disable block UPDATE requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| register-contact-trace | Enable/disable trace original IP/port within the contact header of REGISTER requests. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| open-via-pinhole | Enable/disable open pinhole for Via port. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| open-record-route-pinhole | Enable/disable open pinhole for Record-Route port. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| rfc2543-branch | Enable/disable support via branch compliant with RFC 2543. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| log-violations | Enable/disable logging of SIP violations. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| log-call-summary | Enable/disable logging of SIP call summary. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| nat-trace | Enable/disable preservation of original IP in SDP i line. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| subscribe-rate | SUBSCRIBE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| subscribe-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| message-rate | MESSAGE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| message-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| notify-rate | NOTIFY request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| notify-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| refer-rate | REFER request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| refer-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| update-rate | UPDATE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| update-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| options-rate | OPTIONS request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| options-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| ack-rate | ACK request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| ack-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| prack-rate | PRACK request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| prack-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| info-rate | INFO request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| info-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| publish-rate | PUBLISH request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| publish-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| bye-rate | BYE request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| bye-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| cancel-rate | CANCEL request rate limit (per second, per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| cancel-rate-track | Track the packet protocol field. | option | - | none | none (None.); src-ip (Source IP.); dest-ip (Destination IP.) |
| preserve-override | Override i line to preserve original IPs. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| no-sdp-fixup | Enable/disable no SDP fix-up. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| contact-fixup | Fixup contact anyway even if contact's IP:port doesn't match session's IP:port. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| max-idle-dialogs | Maximum number of established but idle dialogs to retain (per policy). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| block-geo-red-options | Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| hosted-nat-traversal | Hosted NAT Traversal (HNT). | option | - | disable | disable (Disable status.); enable (Enable status.) |
| hnt-restrict-source-ip | Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled. | option | - | disable | disable (Disable status.); enable (Enable status.) |
| max-body-length | Maximum SIP message body length (0 meaning no limit). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 | |
| unknown-header | Action for unknown SIP header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-request-line | Action for malformed request line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-via | Action for malformed Via header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-from | Action for malformed From header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-to | Action for malformed To header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-call-id | Action for malformed Call-ID header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-cseq | Action for malformed CSeq header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-rack | Action for malformed RAck header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-rseq | Action for malformed RSeq header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-contact | Action for malformed Contact header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-record-route | Action for malformed Record-Route header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-route | Action for malformed Route header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-expires | Action for malformed Expires header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-content-type | Action for malformed Content-Type header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-content-length | Action for malformed Content-Length header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-max-forwards | Action for malformed Max-Forwards header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-allow | Action for malformed Allow header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-p-asserted-identity | Action for malformed P-Asserted-Identity header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-no-require | Action for malformed SIP messages without Require header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-no-proxy-require | Action for malformed SIP messages without Proxy-Require header. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-v | Action for malformed SDP v line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-o | Action for malformed SDP o line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-s | Action for malformed SDP s line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-i | Action for malformed SDP i line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-c | Action for malformed SDP c line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-b | Action for malformed SDP b line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-z | Action for malformed SDP z line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-k | Action for malformed SDP k line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-a | Action for malformed SDP a line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-t | Action for malformed SDP t line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-r | Action for malformed SDP r line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| malformed-header-sdp-m | Action for malformed SDP m line. | option | - | pass | discard (Discard malformed messages.); pass (Bypass malformed messages.); respond (Respond with error code.) |
| provisional-invite-expiry-time | Expiry time for provisional INVITE. | integer | Minimum value: 10 Maximum value: 3600 | 210 | |
| ips-rtp | Enable/disable allow IPS on RTP. | option | - | enable | disable (Disable status.); enable (Enable status.) |
| ssl-mode * | SSL/TLS mode for encryption & decryption of traffic. | option | - | off | off (No SSL.); full (Client to FortiGate and FortiGate to Server SSL.) |
| ssl-send-empty-frags * | Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). | option | - | enable | enable (Send empty fragments.); disable (Do not send empty fragments.) |
| ssl-client-renegotiation * | Allow/block client renegotiation by server. | option | - | allow | allow (Allow an SSL client to renegotiate.); deny (Abort any SSL connection that attempts to renegotiate.); secure (Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.) |
| ssl-algorithm * | Relative strength of encryption algorithms accepted in negotiation. | option | - | high | high (High encryption. Allow only AES and ChaCha.); medium (Medium encryption. Allow AES, ChaCha, 3DES, and RC4.); low (Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.) |
| ssl-pfs * | SSL Perfect Forward Secrecy. | option | - | allow | require (PFS mandatory.); deny (PFS rejected.); allow (PFS allowed.) |
| ssl-min-version * | Lowest SSL/TLS version to negotiate. | option | - | tls-1.1 | ssl-3.0 (SSL 3.0.); tls-1.0 (TLS 1.0.); tls-1.1 (TLS 1.1.); tls-1.2 (TLS 1.2.); tls-1.3 (TLS 1.3.) |
| ssl-max-version * | Highest SSL/TLS version to negotiate. | option | - | tls-1.3 | ssl-3.0 (SSL 3.0.); tls-1.0 (TLS 1.0.); tls-1.1 (TLS 1.1.); tls-1.2 (TLS 1.2.); tls-1.3 (TLS 1.3.) |
| ssl-client-certificate * | Name of certificate to offer to server if requested. | string | Maximum length: 35 | | |
| ssl-server-certificate * | Name of certificate to return to the client in every SSL connection. | string | Maximum length: 35 | | |
| ssl-auth-client * | Require a client certificate and authenticate it with the peer/peergrp. | string | Maximum length: 35 | | |
| ssl-auth-server * | Authenticate the server's certificate with the peer/peergrp. | string | Maximum length: 35 | | |

* This parameter may not exist in some models.
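
The Python script below is an added example, not part of the Fortinet reference. It parses a `config voip profile` export, fills in the `config sip` defaults from the table above for every parameter the export does not set, and reports permissive effective values. The profile text in `SAMPLE` is constructed, the function names are this example's own, and which values count as findings is the example's assumption.

```python
# Added example: audit effective `config sip` settings of FortiOS VoIP profiles.
# Defaults are copied from the parameter table on this page; SAMPLE is constructed.

# The 31 malformed-* action parameters listed on this page (each defaults to "pass").
MALFORMED_ACTIONS = (
    ["malformed-request-line"]
    + ["malformed-header-" + h for h in (
        "via from to call-id cseq rack rseq contact record-route route expires "
        "content-type content-length max-forwards allow p-asserted-identity "
        "no-require no-proxy-require").split()]
    + ["malformed-header-sdp-" + c for c in "vosicbzkatrm"]
)
SIP_DEFAULTS = {p: "pass" for p in MALFORMED_ACTIONS}
SIP_DEFAULTS.update({
    "log-violations": "disable", "max-body-length": "0",
    "hosted-nat-traversal": "disable", "hnt-restrict-source-ip": "disable",
    "ssl-mode": "off", "ssl-algorithm": "high",
    "ssl-client-renegotiation": "allow", "ssl-min-version": "tls-1.1",
})
OLD_TLS = {"ssl-3.0", "tls-1.0", "tls-1.1"}  # versions below TLS 1.2

SAMPLE = """\
config voip profile
    edit "default"
        set comment "Default VoIP profile."
    next
    edit "sip-trunk"
        config sip
            set log-violations enable
            set hosted-nat-traversal enable
            set malformed-request-line discard
            set malformed-header-via discard
            set ssl-mode full
            set ssl-min-version tls-1.2
        end
    next
end
"""

def parse_sip_settings(config_text):
    """Return {profile: {param: value}} for the `config sip` block of each profile."""
    profiles, profile, in_sip = {}, None, False
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1 and not in_sip:
            profile = " ".join(tokens[1:]).strip('"')
            profiles[profile] = {}
        elif tokens[:2] == ["config", "sip"] and profile is not None:
            in_sip = True
        elif tokens[0] == "end" and in_sip:
            in_sip = False
        elif tokens[0] == "next":
            profile = None
        elif tokens[0] == "set" and in_sip and len(tokens) >= 3:
            profiles[profile][tokens[1]] = " ".join(tokens[2:]).strip('"')
    return profiles

def audit_sip(overrides):
    """Merge explicit settings over the page defaults and list permissive values."""
    eff = {**SIP_DEFAULTS, **overrides}
    findings = []
    passing = [p for p in MALFORMED_ACTIONS if eff[p] == "pass"]
    if passing:
        findings.append(f"{len(passing)}/{len(MALFORMED_ACTIONS)} malformed-* actions are 'pass'")
    if eff["log-violations"] == "disable":
        findings.append("log-violations is disabled")
    if eff["max-body-length"] == "0":
        findings.append("max-body-length is 0 (no limit)")
    if eff["hosted-nat-traversal"] == "enable" and eff["hnt-restrict-source-ip"] == "disable":
        findings.append("HNT enabled without hnt-restrict-source-ip")
    if eff["ssl-mode"] == "full":  # TLS settings only matter when inspection is on
        if eff["ssl-min-version"] in OLD_TLS:
            findings.append(f"ssl-min-version {eff['ssl-min-version']} is below tls-1.2")
        if eff["ssl-algorithm"] != "high":
            findings.append(f"ssl-algorithm {eff['ssl-algorithm']} admits 3DES/RC4")
        if eff["ssl-client-renegotiation"] == "allow":
            findings.append("ssl-client-renegotiation is 'allow'")
    return findings
```

Because a profile with no explicit `config sip` block still runs with the defaults, `audit_sip({})` reports the findings for an untouched profile.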