Fortinet black logo

Handbook

Configuring deep SIP message inspection

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:314484
Download PDF

Configuring deep SIP message inspection

You configure deep SIP message inspection in a VoIP profile. All deep SIP message inspection options are available only from the CLI.

Enter the following command to configure deep SIP message inspection to discard messages with malformed Request-lines (the first line in a SIP request message):

config voip profile

edit VoIP_Pro_Name

config sip

set malformed-request-line respond

end

end

note icon You cannot configure message inspection for the Status-line, which is the first line in a SIP response message.

The following table lists the SIP header lines that the SIP ALG can inspect and the CLI command for configuring the action for each line type. The table also lists the RFC that the header line is defined in.

SIP header lines that the SIP ALG can inspect for syntax errors
SIP Header line VoIP profile option RFC
Allow malformed-header-allow RFC 3261
Call-ID malformed-header-call-id RFC 3261
Contact malformed-header-contact RFC 3261
Content-Length malformed-header-content-length RFC 3261
Content-Type malformed-header-content-type RFC 3261
CSeq malformed-header-cseq RFC 3261
Expires malformed-header-expires RFC 3261
From malformed-header-from RFC 3261
Max-forwards malformed-header-max-forwards RFC 3261
P-Asserted-Identity malformed-header-p-asserted-identity RFC 3325
RAck malformed-header-rack RFC 3262
Record-Route malformed-header-record-route RFC 3261
Route malformed-header-route RFC 3261
RSeq malformed-header-rseq RFC 3262
To malformed-header-to RFC 3261
Via malformed-header-via RFC 3261

The table below lists the SDP profile lines that the SIP ALG inspects and the CLI command for configuring the action for each line type. SDP profile lines are defined by RFC 4566 and RFC 2327.

SDP profile lines that the SIP ALG can inspect for syntax errors
Attribute VoIP profile option
a= malformed-header-sdb-a
b= malformed-header-sdp-b
c= malformed-header-sdp-c
i= malformed-header-sdp-i
k= malformed-header-sdp-k
m= malformed-header-sdp-m
o= malformed-header-sdp-o
r= malformed-header-sdp-r
s= malformed-header-sdp-s
t= malformed-header-sdp-t
v= malformed-header-sdp-v
z= malformed-header-sdp-z

Discarding SIP messages with some malformed header and body lines

Enter the following command to configure deep SIP message inspection to discard SIP messages with a malformed Via line, a malformed route line or a malformed m= line but to pass messages with a malformed i= line or a malformed Max-Forwards line

config voip profile

edit VoIP_Pro_Name

config sip

set malformed-header-via discard

set malformed-header-route discard

set malformed-header-sdp-m discard

set malformed-header-sdp-i pass

set malformed-header-max-forwards pass

end

end

Discarding SIP messages with an unknown SIP message type

Enter the following command to discard SIP messages with an unknown SIP message line type as defined in all current SIP RFCs:

config voip profile

edit VoIP_Pro_Name

config sip

set unknown-header discard

end

end

Discarding SIP messages that exceed a message size

Enter the following command to set the maximum size of a SIP message to 200 bytes. Messages longer than 200 bytes are discarded.

config voip profile

edit VoIP_Pro_Name

config sip

set max-body-length 200

end

end

The max-body-length option checks the value in the SIP Content-Length header line to determine body length. The Content-Length can be larger than the actual size of a SIP message if the SIP message content is split over more than one packet. SIP message sizes vary widely. The size of a SIP message can also change with the addition of Via and Record-Route headers as the message is transmitted between users and SIP servers.

Discarding SIP messages with lines longer than 500 characters

Enter the following command to set the length of a SIP message line to 500 characters and to block messages that include lines with 500 or more characters:

config voip profile

edit VoIP_Pro_Name

config sip

set max-line-length 500

set block-long-lines enable

end

end

Configuring deep SIP message inspection

You configure deep SIP message inspection in a VoIP profile. All deep SIP message inspection options are available only from the CLI.

Enter the following command to configure deep SIP message inspection to discard messages with malformed Request-lines (the first line in a SIP request message):

config voip profile

edit VoIP_Pro_Name

config sip

set malformed-request-line respond

end

end

note icon You cannot configure message inspection for the Status-line, which is the first line in a SIP response message.

The following table lists the SIP header lines that the SIP ALG can inspect and the CLI command for configuring the action for each line type. The table also lists the RFC that the header line is defined in.

SIP header lines that the SIP ALG can inspect for syntax errors
SIP Header line VoIP profile option RFC
Allow malformed-header-allow RFC 3261
Call-ID malformed-header-call-id RFC 3261
Contact malformed-header-contact RFC 3261
Content-Length malformed-header-content-length RFC 3261
Content-Type malformed-header-content-type RFC 3261
CSeq malformed-header-cseq RFC 3261
Expires malformed-header-expires RFC 3261
From malformed-header-from RFC 3261
Max-forwards malformed-header-max-forwards RFC 3261
P-Asserted-Identity malformed-header-p-asserted-identity RFC 3325
RAck malformed-header-rack RFC 3262
Record-Route malformed-header-record-route RFC 3261
Route malformed-header-route RFC 3261
RSeq malformed-header-rseq RFC 3262
To malformed-header-to RFC 3261
Via malformed-header-via RFC 3261

The table below lists the SDP profile lines that the SIP ALG inspects and the CLI command for configuring the action for each line type. SDP profile lines are defined by RFC 4566 and RFC 2327.

SDP profile lines that the SIP ALG can inspect for syntax errors
Attribute VoIP profile option
a= malformed-header-sdb-a
b= malformed-header-sdp-b
c= malformed-header-sdp-c
i= malformed-header-sdp-i
k= malformed-header-sdp-k
m= malformed-header-sdp-m
o= malformed-header-sdp-o
r= malformed-header-sdp-r
s= malformed-header-sdp-s
t= malformed-header-sdp-t
v= malformed-header-sdp-v
z= malformed-header-sdp-z

Discarding SIP messages with some malformed header and body lines

Enter the following command to configure deep SIP message inspection to discard SIP messages with a malformed Via line, a malformed route line or a malformed m= line but to pass messages with a malformed i= line or a malformed Max-Forwards line

config voip profile

edit VoIP_Pro_Name

config sip

set malformed-header-via discard

set malformed-header-route discard

set malformed-header-sdp-m discard

set malformed-header-sdp-i pass

set malformed-header-max-forwards pass

end

end

Discarding SIP messages with an unknown SIP message type

Enter the following command to discard SIP messages with an unknown SIP message line type as defined in all current SIP RFCs:

config voip profile

edit VoIP_Pro_Name

config sip

set unknown-header discard

end

end

Discarding SIP messages that exceed a message size

Enter the following command to set the maximum size of a SIP message to 200 bytes. Messages longer than 200 bytes are discarded.

config voip profile

edit VoIP_Pro_Name

config sip

set max-body-length 200

end

end

The max-body-length option checks the value in the SIP Content-Length header line to determine body length. The Content-Length can be larger than the actual size of a SIP message if the SIP message content is split over more than one packet. SIP message sizes vary widely. The size of a SIP message can also change with the addition of Via and Record-Route headers as the message is transmitted between users and SIP servers.

Discarding SIP messages with lines longer than 500 characters

Enter the following command to set the length of a SIP message line to 500 characters and to block messages that include lines with 500 or more characters:

config voip profile

edit VoIP_Pro_Name

config sip

set max-line-length 500

set block-long-lines enable

end

end