Session helpers

The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to.

Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. But the packets that carry the actual conversation can use a variety of UDP protocols with a variety of source and destination port numbers. The information about the protocols and port numbers used for a SIP call is contained in the body of the SIP TCP control packets. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall.

FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall.


This section includes the topics:

  • Viewing the session helper configuration
  • Changing the session helper configuration
  • DCE-RPC session helper (dcerpc)
  • DNS session helpers (dns-tcp and dns-udp)
  • File transfer protocol (FTP) session helper (ftp)
  • H.245 session helpers (h245I and h245O)
  • H.323 and RAS session helpers (h323 and ras)
  • Media Gateway Controller Protocol (MGCP) session helper (mgcp)
  • ONC-RPC portmapper session helper (pmap)
  • PPTP session helper for PPTP traffic (pptp)
  • Remote shell session helper (rsh)
  • Real-Time Streaming Protocol (RTSP) session helper (rtsp)
  • Session Initiation Protocol (SIP) session helper (sip)
  • Trivial File Transfer Protocol (TFTP) session helper (tftp)
  • Oracle TNS listener session helper (tns)


Viewing the session helper configuration

You can view the session helpers enabled on your FortiGate unit from the CLI with the show system session-helper command. The following output shows the first two session helpers. The number of session helpers varies and can reach around 20.

show system session-helper
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    ...
end



The configuration for each session helper includes the name of the session helper and the port and protocol number on which the session helper listens for sessions. Session helpers listen on protocol number 6 (TCP) or 17 (UDP). For a complete list of protocol numbers see Assigned Internet Protocol Numbers.

For example, the output above shows that FortiOS listens for PPTP packets on TCP port 1723 and H.323 packets on TCP port 1720.

If a session helper listens on more than one port or protocol, then more than one entry for the session helper appears in the config system session-helper list. For example, the pmap session helper appears twice because it listens on TCP port 111 and UDP port 111. The rsh session helper appears twice because it listens on TCP ports 514 and 512.
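Added example (not part of the original handbook text and not Fortinet code): a small Python parser for saved show system session-helper output that groups entries by helper name, so a helper listening on several ports or protocols is reviewed as one item. The sample text is constructed from the helpers named above; the entry numbers and function names are assumptions.

```python
import re
from collections import defaultdict

PROTOCOLS = {6: "TCP", 17: "UDP"}  # the two protocol numbers the text names

# Constructed sample: names, ports and protocols come from the text above;
# the entry numbers (edit 1..6) are made up for illustration.
ROWS = [("pptp", 1723, 6), ("h323", 1720, 6), ("pmap", 111, 6),
        ("pmap", 111, 17), ("rsh", 514, 6), ("rsh", 512, 6)]
SAMPLE = "config system session-helper\n" + "".join(
    f"    edit {i}\n        set name {n}\n        set port {p}\n"
    f"        set protocol {proto}\n    next\n"
    for i, (n, p, proto) in enumerate(ROWS, 1)) + "end\n"

REQUIRED = {"name", "port", "protocol"}

def parse_session_helpers(text):
    """Return one {'id', 'name', 'port', 'protocol'} dict per complete edit block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        m = re.fullmatch(r"set (name|port|protocol) (\S+)", line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value if key == "name" else int(value)
        elif line == "next" and current is not None:
            # Skip blocks missing a field rather than guessing its value.
            if REQUIRED <= current.keys():
                entries.append(current)
            current = None
    return entries

def listeners_by_helper(entries):
    """Group entries by helper name into sorted 'TCP/111'-style listeners."""
    grouped = defaultdict(list)
    for e in entries:
        proto = PROTOCOLS.get(e["protocol"], str(e["protocol"]))
        grouped[e["name"]].append(f"{proto}/{e['port']}")
    return {name: sorted(ports) for name, ports in grouped.items()}

if __name__ == "__main__":
    helpers = listeners_by_helper(parse_session_helpers(SAMPLE))
    for name, ports in helpers.items():
        print(f"{name:6} {', '.join(ports)}")
```

Run against a saved copy of the real output, the grouped view makes it easy to compare the helpers that are enabled with the protocols the network actually needs.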

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
