Configuration example: SIP session helper in Transparent Mode

The figure below shows an example SIP network consisting of a FortiGate unit operating in Transparent mode between two SIP phones. Because the FortiGate unit is operating in Transparent mode, both phones are on the same network, and neither the FortiGate unit nor the SIP session helper performs NAT. Even though the SIP session helper is not performing NAT, you can use this configuration to apply the SIP session helper's security features to the SIP traffic.

The FortiGate unit requires two security policies that accept SIP packets: one to allow SIP Phone A to start a session with SIP Phone B, and one to allow SIP Phone B to start a session with SIP Phone A.

[Figure: SIP network with FortiGate unit in Transparent mode. SIP Phone A (PhoneA@10.31.101.20) on port1 and SIP Phone B (PhoneB@10.31.101.30) on port2 of the FortiGate unit in Transparent mode.]

General configuration steps

The following general configuration steps are required for this SIP configuration that uses the SIP session helper. This example includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones, so you would use more general security policies. You can also set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.

 

This example assumes that you have entered the following command to enable using the SIP session helper:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

1. Add firewall addresses for Phone A and Phone B.

2. Add a security policy that accepts SIP sessions initiated by Phone A.

3. Add a security policy that accepts SIP sessions initiated by Phone B.

 

Configuration steps – web-based manager

 

To add firewall addresses for the SIP phones

1. Go to Policy & Objects > Addresses.

2. Select Create New > Address to add the following addresses for Phone A and Phone B:

Category             Address
Name                 Phone_A
Type                 IP/Netmask
Subnet / IP Range    10.31.101.20/255.255.255.255
Interface            port1

Category             Address
Name                 Phone_B
Type                 IP/Netmask
Subnet / IP Range    10.31.101.30/255.255.255.255
Interface            port2

 

To add security policies to accept SIP sessions

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New to add a security policy.

3. Add a security policy to allow Phone A to send SIP request messages to Phone B:

Incoming Interface     port1
Outgoing Interface     port2
Source Address         Phone_A
Destination Address    Phone_B
Schedule               always
Service                SIP
Action                 ACCEPT

4. Select OK.

5. Add a security policy to allow Phone B to send SIP request messages to Phone A:

Incoming Interface     port2
Outgoing Interface     port1
Source Address         Phone_B
Destination Address    Phone_A
Schedule               always
Service                SIP
Action                 ACCEPT

6. Select OK.

 

Configuration steps – CLI

To add firewall addresses for Phone A and Phone B and security policies to accept SIP sessions

1. Enter the following command to add firewall addresses for Phone A and Phone B.

config firewall address
    edit Phone_A
        set associated-interface port1
        set type ipmask
        set subnet 10.31.101.20 255.255.255.255
    next
    edit Phone_B
        set associated-interface port2
        set type ipmask
        set subnet 10.31.101.30 255.255.255.255
    next
end

2. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.

config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Phone_A
        set dstaddr Phone_B
        set action accept
        set schedule always
        set service SIP
    next
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr Phone_B
        set dstaddr Phone_A
        set action accept
        set schedule always
        set service SIP
        set utm-status enable
    next
end
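As an added illustration that is not part of the Handbook text or of FortiOS itself, the Python script below parses a configuration written in the CLI form used in the steps above (the sample is constructed from this page's helper setting, two addresses and two policies) and checks the points that matter for this example: that the SIP session helper is selected, that each policy's source and destination interfaces are the ones the phone addresses are bound to, that every SIP policy has a matching policy for the reverse direction, and that the two directions of a call path carry the same settings. The parser, its handling of a config table without an edit, and the 'auto-N' naming it gives to auto-numbered `edit 0` entries are this example's own assumptions about the text format, not a FortiOS API; the same checks run over as many phones and address pairs as the policies reference.

```python
import ipaddress
# Constructed sample: this page's two-phone Transparent-mode configuration in FortiOS CLI form.
SAMPLE_CONFIG = """\
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config firewall address
    edit Phone_A
        set associated-interface port1
        set type ipmask
        set subnet 10.31.101.20 255.255.255.255
    next
    edit Phone_B
        set associated-interface port2
        set type ipmask
        set subnet 10.31.101.30 255.255.255.255
    next
end
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Phone_A
        set dstaddr Phone_B
        set action accept
        set schedule always
        set service SIP
    next
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr Phone_B
        set dstaddr Phone_A
        set action accept
        set schedule always
        set service SIP
        set utm-status enable
    next
end
"""
DIRECTIONAL = {"srcintf", "dstintf", "srcaddr", "dstaddr"}  # keys that legitimately differ per direction


def parse_fortios(text):
    """Parse the FortiOS CLI subset used here (config/edit/set/next/end) into
    {"table path": {entry: {key: value}}}. Settings made directly under a table go
    under entry None; 'edit 0' (auto-numbered new entry) becomes 'auto-N' (assumption)."""
    tables, path, entry, auto = {}, None, None, 0
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw, rest = tokens[0], tokens[1:]
        if kw == "config":
            path, entry = " ".join(rest), None
            tables.setdefault(path, {})
        elif kw == "edit":
            entry = " ".join(rest)
            if entry == "0":
                auto += 1
                entry = f"auto-{auto}"
            tables[path].setdefault(entry, {})
        elif kw == "set":
            tables[path].setdefault(entry, {})[rest[0]] = " ".join(rest[1:])
        elif kw in ("next", "end"):
            entry, path = None, (None if kw == "end" else path)
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return tables


def audit_sip_policies(cfg):
    """Return findings (strings) about the SIP addresses and policies in a parsed config."""
    findings = []
    if cfg.get("system settings", {}).get(None, {}).get("default-voip-alg-mode") != "kernel-helper-based":
        findings.append("default-voip-alg-mode is not kernel-helper-based: the SIP session helper is not in use")
    addrs = cfg.get("firewall address", {})
    policies = {i: p for i, p in cfg.get("firewall policy", {}).items() if p.get("service") == "SIP"}
    for pid, p in policies.items():  # the policy interfaces must be the ones the addresses are bound to
        for side in ("src", "dst"):
            aname, intf = p.get(f"{side}addr"), p.get(f"{side}intf")
            if aname not in addrs:
                findings.append(f"policy {pid}: {side}addr {aname} is not a defined address")
            elif addrs[aname].get("associated-interface", intf) != intf:
                findings.append(f"policy {pid}: {side}intf {intf} is not the interface of {aname}")
    for pid, p in policies.items():  # each direction needs a policy, and both should be set up alike
        pair = (p.get("srcaddr"), p.get("dstaddr"))
        reverse = [q for q, r in policies.items() if (r.get("dstaddr"), r.get("srcaddr")) == pair]
        if not reverse:
            findings.append(f"policy {pid}: no policy accepts SIP from {pair[1]} to {pair[0]}")
        for qid in (q for q in reverse if pid < q):  # report each pair once
            diff = sorted(k for k in set(p) | set(policies[qid]) if k not in DIRECTIONAL and p.get(k) != policies[qid].get(k))
            if diff:
                findings.append(f"policies {pid} and {qid} cover opposite directions but differ in: {', '.join(diff)}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_sip_policies(parse_fortios(SAMPLE_CONFIG)) or ["no findings"]))
```

Run as-is, the script reports one finding on the sample: the Phone B to Phone A policy sets utm-status enable while the Phone A to Phone B policy does not, so the two directions of the call path are not configured alike. Removing either policy produces a finding that the reverse direction has no accepting policy, and binding an address to a different interface than its policies use is flagged per policy.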

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
