Administration Guide

SIP ALG and SIP session helper

The SIP session helper is a legacy solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes, and by performing NAT of the addresses in SIP messages.

SIP Application Layer Gateway (ALG) provides the same basic SIP support as the SIP session helper. In addition, SIP ALG provides a wide range of features that protect your network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP and SDP content of SIP messages, and provide detailed logging and reporting of SIP activity.

By default, all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a VoIP profile, the SIP traffic is processed by the SIP ALG using the default VoIP profile.

To change between SIP ALG mode and SIP session helper mode:
config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end 

default-voip-alg-mode {proxy-based | kernel-helper-based}

Set how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.

  • proxy-based: use SIP ALG to process SIP traffic (default).
  • kernel-helper-based: use the SIP session helper to process SIP traffic.

The default-voip-alg-mode setting works together with the VoIP profile configured in a firewall policy to determine whether SIP ALG, SIP ALG with IPS SIP, or the SIP session helper is used to process the SIP traffic. The following firewall policy settings correspond to the VoIP profiles (see also SIP message inspection and filtering).

config firewall policy
    edit <id>
        set voip-profile <voipd-based_profile>
        set ips-voip-filter <ips-based_profile>
    next
end

The following table explains the results of configuring different combinations of the preceding settings.

  Firewall policy setting              Default VoIP ALG mode setting
  voip-profile    ips-voip-filter      kernel-helper-based     proxy-based
  ------------    ---------------      -------------------     -----------------
  Yes             Yes                  SIP ALG + IPS SIP       SIP ALG + IPS SIP
  Yes             No                   SIP ALG                 SIP ALG
  No              Yes                  SIP ALG + IPS SIP       SIP ALG + IPS SIP
  No              No                   SIP session helper      SIP ALG

SIP ALG configurations

SIP ALG can be enabled in several ways. The following configuration examples demonstrate different settings.

Example 1

In this example, a voipd-based profile is configured and applied to a firewall policy. The default-voip-alg-mode remains as the default setting (proxy-based).

To configure SIP ALG:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode proxy-based
    end
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-alg-profile"
            set feature-set voipd
            config sip
                set status enable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile "sip-alg-profile"
        next
    end

Example 2

In this example, the default-voip-alg-mode is set to kernel-helper-based. A VoIP profile (VoIP-Proxy) has SIP enabled and is applied to a firewall policy.

To configure SIP ALG:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-alg-profile"
            set feature-set voipd
            config sip
                set status enable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile "sip-alg-profile"
        next
    end

Example 3

In this example, no VoIP profile is selected in the firewall policy. However, the default-voip-alg-mode is set to proxy-based. The default voip-profile is implicitly applied.

To configure SIP ALG to implicitly use the default VoIP profile:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode proxy-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-Proxy"
            set utm-status enable
            set voip-profile ""
        next
    end

SIP session helper configurations

In some instances, SIP providers may recommend that customers disable SIP ALG on their edge firewall. This is how you can disable SIP ALG and enable the SIP session helper.

Example 1

In this example, the default-voip-alg-mode is set to kernel-helper-based, and a VoIP profile is not applied in a firewall policy. Session helper 13 is enabled by default.

To configure the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile ""
        next
    end
  3. Configure the session helper:

    config system session-helper
        edit 13
            set name sip
            set protocol 17
            set port 5060
        next
    end

Example 2

In this example, the default-voip-alg-mode is set to either proxy-based or kernel-helper-based. A VoIP profile that has SIP disabled is applied to the firewall policy.

To configure the SIP session helper:
  1. Configure the default VoIP ALG mode:

    config system settings
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
    end 
  2. Configure the VoIP profile:

    config voip profile
        edit "sip-disabled-profile"
            set feature-set voipd
            config sip
                set status disable
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 0
            set name "VoIP-session-helper"
            set utm-status enable
            set voip-profile "sip-disabled-profile"
        next
    end
  4. Configure the session helper:

    config system session-helper
        edit 13
            set name sip
            set protocol 17
            set port 5060
        next
    end
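The decision table at the top of this page and the session helper examples above together define which component ends up processing SIP for a given policy. The following script is an added example and not Fortinet code: it parses CLI fragments written in the form this guide uses (config / edit / set / unset / next / end) and applies those rules so you can audit a configuration dump for policies that still hand SIP to the ALG or the session helper. SAMPLE_CONFIG is constructed from the examples on this page; the parser, the function names, and the assumption that a VoIP profile's SIP status defaults to enable when not set are mine.

```python
"""Audit which SIP component a FortiGate applies to each firewall policy.

Added example, not Fortinet code. Parses CLI fragments in the form this guide
uses and applies the decision table (voip-profile / ips-voip-filter /
default-voip-alg-mode) plus the rule from the session helper examples that a
VoIP profile with SIP disabled sends SIP to the session helper.
SAMPLE_CONFIG is constructed for illustration.
"""
import shlex


def parse_cli(text):
    """Parse FortiOS-style CLI text into nested dicts.

    'config X' and 'edit Y' open a nested scope, 'set k v...' stores the value
    list, 'unset k' removes it, 'next' and 'end' close the current scope.
    Blank lines and '#' comment lines are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def sip_handler(config, policy_id):
    """Return the component that processes SIP for one firewall policy.

    Rules as stated in the guide:
      * ips-voip-filter set                  -> SIP ALG + IPS SIP (either mode)
      * voip-profile set, SIP enabled in it  -> SIP ALG
      * voip-profile set, SIP disabled in it -> SIP session helper (either mode)
      * no voip-profile, proxy-based         -> SIP ALG (default profile)
      * no voip-profile, kernel-helper-based -> SIP session helper
    """
    settings = config.get("system settings", {})
    # proxy-based is the factory default when the setting is absent.
    mode = settings.get("default-voip-alg-mode", ["proxy-based"])[0]
    policy = config["firewall policy"][str(policy_id)]
    if (policy.get("ips-voip-filter") or [""])[0]:
        return "SIP ALG + IPS SIP"
    profile_name = (policy.get("voip-profile") or [""])[0]
    if profile_name:
        profile = config.get("voip profile", {}).get(profile_name, {})
        # Assumption: SIP status in a VoIP profile defaults to enable.
        sip_status = profile.get("sip", {}).get("status", ["enable"])[0]
        return "SIP ALG" if sip_status == "enable" else "SIP session helper"
    return "SIP ALG" if mode == "proxy-based" else "SIP session helper"


def audit_policies(config):
    """Map every firewall policy id to the component handling its SIP traffic."""
    return {pid: sip_handler(config, pid) for pid in config.get("firewall policy", {})}


# Constructed sample: the profiles and policies from the examples on this page.
SAMPLE_CONFIG = """
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config voip profile
    edit "sip-alg-profile"
        set feature-set voipd
        config sip
            set status enable
        end
    next
    edit "sip-disabled-profile"
        set feature-set voipd
        config sip
            set status disable
        end
    next
end
config firewall policy
    edit 1
        set name "VoIP-Proxy"
        set utm-status enable
        set voip-profile "sip-alg-profile"
    next
    edit 2
        set name "VoIP-session-helper"
        set utm-status enable
        set voip-profile "sip-disabled-profile"
    next
    edit 3
        set name "no-profile"
        set utm-status enable
        set voip-profile ""
    next
    edit 4
        set name "ips-sip-only"
        set utm-status enable
        set ips-voip-filter "default"
    next
end
"""

if __name__ == "__main__":
    for pid, handler in audit_policies(parse_cli(SAMPLE_CONFIG)).items():
        print(f"policy {pid}: {handler}")
```

Feed it the output of `show system settings`, `show voip profile`, and `show firewall policy` concatenated; the parser ignores the `#` lines such dumps start with. Policies 1 to 4 in the sample resolve to SIP ALG, SIP session helper, SIP session helper (because the mode is kernel-helper-based and no profile is set), and SIP ALG + IPS SIP respectively.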

Example 3

In certain scenarios, especially when advised by your SIP provider, it may be necessary to disable the SIP ALG and SIP session helper to ensure proper SIP traffic handling and avoid call issues.

To disable the SIP ALG and SIP session helper from managing SIP traffic:
  1. Identify the SIP session helper entry:

    # show system session-helper

    Look for an entry similar to the following:

    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    
  2. Once identified, remove the SIP session helper:

    config system session-helper
        delete 13
    end

    Repeat this step for other ports if SIP traffic uses different ports.

  3. Change the default SIP mode to set how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
  4. Inspect the firewall policy that governs SIP traffic:

    # show firewall policy 1
    config firewall policy
        edit 1
            set name "voip to internet"
            set srcintf "port1" 
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set voip-profile "default"
            set logtraffic all
            set nat enable
        next
    end

    If no VoIP profile is configured in the policy, skip to the next step.

  5. Modify or remove the VoIP profile:

    • Disable SIP ALG in the VoIP profile:

      config voip profile
          edit default
              config sip
                  set status disable
                  set rtp disable
              end
          next
      end
    • Remove the VoIP profile from the firewall policy:

      config firewall policy
          edit 1
              unset voip-profile 
          next
      end
  6. To ensure changes take effect, clear any existing SIP sessions:

    # diagnose sys session filter dport 5060
    # diagnose sys session clear
    # diagnose sys session filter sport 5060
    # diagnose sys session clear

    Note: Clearing sessions on port 5060 will terminate all active SIP calls passing through the FortiGate.

  7. To ensure your FortiGate device is no longer utilizing SIP Session Helper or the SIP ALG, check the active sessions:

    # diagnose sys session list | grep sip

    Check for the following flags:

    Flag                      Description
    ndr                       Flow SIP (IPS) handles the traffic.
    redir and local           SIP ALG handles the traffic.
    helper=sip                SIP kernel helper (session-helper) handles the traffic.
    helper=20 or helper=24    SIP ALG handles the traffic.

    If you see any flags other than ndr, it indicates that either the SIP session helper or the SIP ALG is handling the traffic.
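Reading those flags by eye across a long session list is error-prone, so the following added example (not Fortinet code) applies the flag table from step 7 programmatically. It splits output in the style of `diagnose sys session list` into per-session blocks, looks for the listed indicators (helper=sip, helper=20/24, redir plus local, ndr), and reports any SIP session the SIP ALG or the session helper still owns. SAMPLE_SESSION_LIST is constructed: its field layout only approximates real output, and the parser depends solely on the named tokens. The port set is a parameter so it can be checked against non-default SIP ports.

```python
"""Classify which FortiGate component is handling each SIP session.

Added example, not Fortinet code. Scans 'diagnose sys session list'-style
output for the indicators this guide lists (ndr, redir+local, helper=sip,
helper=20/24). SAMPLE_SESSION_LIST is constructed; only the tokens matter.
"""
import re

SIP_PORTS = {5060, 5061}  # default SIP and SIP SSL ports; pass others if changed

# Constructed sample: four sessions, one per handling component plus one non-SIP.
SAMPLE_SESSION_LIST = """\
session info: proto=17 proto_state=00 duration=12 expire=168 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/255
state=log may_dirty
statistic(bytes/packets/allow_err): org=812/2/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 192.0.2.10:5060->198.51.100.20:5060(203.0.113.2:5060)
hook=pre dir=reply act=dnat 198.51.100.20:5060->203.0.113.2:5060(192.0.2.10:5060)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log redir local may_dirty
statistic(bytes/packets/allow_err): org=640/1/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 192.0.2.11:5060->198.51.100.20:5060(203.0.113.2:5060)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=7 expire=173 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr npu
statistic(bytes/packets/allow_err): org=1208/3/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 192.0.2.12:5062->198.51.100.20:5060(203.0.113.2:5062)
misc=0 policy_id=2 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=40 expire=3560 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=5120/12/1 reply=9400/10/1 tuples=2
hook=post dir=org act=snat 192.0.2.13:51000->198.51.100.30:443(203.0.113.2:51000)
misc=0 policy_id=3 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 4
"""

# Original-direction tuple: src:sport->dst:dport, before any NAT in parentheses.
HOOK_RE = re.compile(r"hook=post dir=org act=\w+ (\S+?):(\d+)->(\S+?):(\d+)")


def split_sessions(dump):
    """Split a session dump into one string per 'session info:' block."""
    parts = re.split(r"(?m)^(?=session info:)", dump)
    return [p for p in parts if p.startswith("session info:")]


def classify_handler(block):
    """Apply the guide's flag table to one session block."""
    state = re.search(r"(?m)^state=(.*)$", block)
    flags = set(state.group(1).split()) if state else set()
    helper = re.search(r"\bhelper=(\w+)", block)
    helper = helper.group(1) if helper else None
    # Helper and ALG indicators take precedence: anything other than ndr alone
    # means the session helper or SIP ALG is still in the path.
    if helper == "sip":
        return "SIP session helper"
    if helper in ("20", "24") or {"redir", "local"} <= flags:
        return "SIP ALG"
    if "ndr" in flags:
        return "Flow SIP (IPS)"
    return "none"


def parse_session(block):
    """Extract protocol, 5-tuple endpoints, policy id and handler for a block."""
    hook = HOOK_RE.search(block)
    proto = re.search(r"proto=(\d+)", block)
    policy = re.search(r"policy_id=(\d+)", block)
    return {
        "proto": int(proto.group(1)),
        "src": hook.group(1), "sport": int(hook.group(2)),
        "dst": hook.group(3), "dport": int(hook.group(4)),
        "policy_id": int(policy.group(1)) if policy else None,
        "handler": classify_handler(block),
    }


def sip_sessions(dump, ports=SIP_PORTS):
    """Parsed sessions whose source or destination port is a SIP port."""
    sessions = (parse_session(b) for b in split_sessions(dump))
    return [s for s in sessions if s["sport"] in ports or s["dport"] in ports]


def alg_or_helper_sessions(dump, ports=SIP_PORTS):
    """SIP sessions still owned by the SIP ALG or the SIP session helper."""
    return [s for s in sip_sessions(dump, ports)
            if s["handler"] in ("SIP ALG", "SIP session helper")]


if __name__ == "__main__":
    for s in sip_sessions(SAMPLE_SESSION_LIST):
        print(f"policy {s['policy_id']} {s['src']}:{s['sport']}->{s['dst']}:{s['dport']} -> {s['handler']}")
    print("ALG/helper still active:", bool(alg_or_helper_sessions(SAMPLE_SESSION_LIST)))
```

Pipe the full session list into a file and pass its contents to `alg_or_helper_sessions`; an empty result after step 6 means only the IPS flow path (ndr) or nothing at all touches SIP, which is the end state step 7 is checking for. In the sample, the first two sessions are flagged (helper=sip and redir+local), the third is ndr only, and the HTTPS session is ignored.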

Modifying the SIP port

Most SIP configurations use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP SSL sessions. If your SIP network uses different ports for SIP sessions, the SIP port can be changed. You can also listen on two TCP and UDP ports.

To change the SIP port:
config system settings
    set sip-tcp-port 5064
    set sip-udp-port 5065
    set sip-ssl-port 5066
end
To listen to two TCP and UDP ports:
config system settings
    set sip-tcp-port 5060 5064
    set sip-udp-port 5061 5065
end
To modify the SIP ports for the default SIP session helper:
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5065
    next
end
To add a new session helper to listen on UDP and TCP 5064:
config system session-helper
    edit 0
        set name sip
        set port 5064
    next
end
