Configuration example: SIP session helper in Transparent Mode
The figure below shows an example SIP network consisting of a FortiGate unit operating in Transparent mode between two SIP phones. Since the FortiGate unit is operating in Transparent mode both phones are on the same network and the FortiGate unit and the SIP session helper does not perform NAT. Even though the SIP session helper is not performing NAT you can use this configuration to apply SIP session helper security features to the SIP traffic.
The FortiGate unit requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A.
SIP network with FortiGate unit in Transparent mode
SIP Phone A (PhoneA@10.31.101.20)
in Transparent mode
SIP Phone B (PhoneB@10.31.101.30)
General configuration steps
The following general configuration steps are required for this SIP configuration that uses the SIP session helper. This example includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port
This example assumes that you have entered the following command to enable using the SIP session helper:
config system settings
set default-voip-alg-mode kernel-helper-based end
1. Add firewall addresses for Phone A and Phone B.
2. Add a security policy that accepts SIP sessions initiated by Phone A.
3. Add a security policy that accepts SIP sessions initiated by Phone B.
Configuration steps – web-based manager
To add firewall addresses for the SIP phones
1. Go to Policy & Objects > Addresses.
2. Select Create New > Address to add the following addresses for Phone A and Phone B:
Subnet / IP Range 10.31.101.20/255.255.255.255
Subnet / IP Range 10.31.101.30/255.255.255.255
To add security policies to accept SIP sessions
1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New to add a security policy.
3. Add a security policy to allow Phone A to send SIP request messages to Phone B:
Incoming Interface port1
Outgoing Interface port2
Destination Address Phone_B
4. Select OK.
5. Add a security policy to allow Phone B to send SIP request messages to Phone A:
Incoming Interface port2
Outgoing Interface port1
Source Address Phone_B
Destination Address Phone_A
6. Select OK.
Configuration steps – CLI
To add firewall addresses for Phone A and Phone B and security policies to accept SIP sessions
1. Enter the following command to add firewall addresses for Phone A and Phone B.
config firewall address edit Phone_A
set associated interface port1 set type ipmask
set subnet 10.31.101.20 255.255.255.255 next
set associated interface port2 set type ipmask
set subnet 10.31.101.30 255.255.255.255 end
2. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B
and Phone B to send SIP request messages to Phone A.
config firewall policy edit 0
set srcintf port1 set dstintf port2 set srcaddr Phone_A set dstaddr Phone_B set action accept set schedule always set service SIP
next edit 0
set srcintf port2 set dstintf port1 set srcaddr Phone_B set dstaddr Phone_A set action accept set schedule always set service SIP
set utm-status enable
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!