SIP ALG configuration overview

SIP ALG configuration overview

To apply the SIP ALG, you add a SIP VoIP profile to a security policy that accepts SIP sessions. All SIP sessions accepted by the security policy will be processed by the SIP ALG using the settings in the VoIP profile. The VoIP profile contains settings that are applied to SIP, Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE) and Skinny Call Control Protocol (SCCP) sessions. All SCCP sessions accepted by the security policy are also processed byt the ALG. You configure SIP and SCCP settings separately. SIP settings also apply to SIMPLE sessions.

 

Enabling VoIP support on the web-based manager

Before you begin to configure VoIP security options, including SIP, from the web-based manager you should go to System > Feature Select and turn on VoIP (under Additional Features). Also the Inspection Mode must be set to Proxy-based on the System Information dashboard widget.

From the CLI you can also enter the following command to enable VoIP support on the GUI:

config system settings

set gui-voip-profile enable end

 

VoIP profiles

You can customize the default VoIP profile or add new VoIP profiles.

To add a new VoIP profile from the web-based manager go to Security Profiles > VoIP and select Create New (the + button).

For SIP, from the web-based manager you can configure the VoIP profile to limit the number of SIP REGISTER and INVITE requests. Many additional options for configuring how the ALG processes SIP sessions are available from the CLI.

For SCCP you can limit the call setup time. Additional SCCP options are available from the CLI. Use the following command to add a VoIP profile named VoIP_Pro_1 from the CLI:

config voip profile

edit VoIP_Pro_1 end

FortiGate units include two pre-defined VoIP profiles. On the web-based manager these profiles look identical. However, the CLI-only settings result in the following functionality.

default                       The most commonly used VoIP profile. This profile enables both SIP and SCCP and places the minimum restrictions on what calls will be allowed to negotiate. This profile allows normal SCCP, SIP and RTP sessions and enables the following security set- tings:

  • block-long-lines to block SIP messages with lines that exceed maximum line lengths.
  • block-unknown to block unrecognized SIP request messages.
  • open-record-route-pinhole to open pinholes for Record-Route messages.
  • log-violations to write log messages that record SIP violations.
  • log-call-summary to write log messages that record SIP call progress (similar to DLP archiving).
  • nat-trace (see NAT with IP address conservation on page 2794).
  • contact-fixup perform NAT on the IP addresses and port numbers in SIP head- ers in SIP CONTACT messages even if they don’t match the session’s IP address and port numbers.
  • ips-rtp to enable IPS in security policies that also accept SIP sessions to protect the SIP traffic from SIP-based attacks.

 

strict

This profile is available for users who want to validate SIP messages and to only allow SIP sessions that are compliant with RFC 3261. In addition to the settings in the default VoIP profile, the strict profile sets all SIP deep message inspection header checking options to discard. So the strict profile blocks and drops SIP messages that contain malformed SIP or SDP lines that can be detected by the ALG. For more information about SIP deep header inspection, see Deep SIP message inspection on page 2808.

Neither of the default profiles applies SIP rate limiting. To apply more ALG features to SIP sessions you can clone (copy) the pre-defined VoIP profiles and make your own modifications to them. You can clone VoIP profiles from the GUI or the CLI. For example, from the CLI, to clone the default profile and configure the limit for SIP NOTIFY request messages to 1000 messages per second per security policy and block SIP INFO request messages.

config voip profile

clone default to my_voip_pro edit my_voip_pro

config sip

set notify-rate 1000 set block-info enable

end end

 

Changing the port numbers that the SIP ALG listens on

Most SIP configurations use TCP or UDP port 5060 for SIP sessions and port 5061 for SIP SSL sessions. If your SIP network uses different ports for SIP sessions you can use the following command to configure the SIP ALG to listen on a different TCP, UDP, or SSL ports. For example, to change the TCP port to 5064, the UDP port to 5065, and the SSL port to 5066.

config system settings set sip-tcp-port 5064 set sip-udp-port 5065 set sip-ssl-port 5066

end

You also configure the SIP ALG to listen in two different TCP ports and two different UDP ports for SIP sessions. For example, if you receive SIP TCP traffic on port 5060 and 5064 and UDP traffic on ports 5061 and 5065 you can enter the following command to receive the SIP traffic on all of these ports:

config system settings

set sip-tcp-port 5060 5064 set sip-udp-port 5061 5065

end

 

Disabling the SIP ALG in a VoIP profile

SIP is enabled by default in a VoIP profile. If you are just using the VoIP profile for SCCP you can use the following command to disable SIP in the VoIP profile.

config voip profile edit VoIP_Pro_2

config sip

set status disable end

 

SIP ALG diagnose commands

You can use the diagnose sys sip-proxy command to display diagnostic information for the SIP ALG. A number of options are avaialble including:

Use the following command to list all active SIP calls being processed by the SIP ALG. You can also use the clear option to delete all active SIP calls being processed by the SIP ALG, the idle option to list idle SIP calls, and the invite option to list SIP intive transations.

diagnose sys sip-proxy calls {clear | list | idle | invite}

Use the following commands to employ filters to display specific information about the SIP ALG and the session that it is processing. You can build up a filter by including a number of options such as source address, VoIP profile, policy, and so on.

diagnose sys sip-proxy filter <filter_options>

 

diagnose sys sip-proxy log-filter <filter_options>

Use the following command to display the active SIP rate limiting meters and their current settings.

diagnose sys sip-proxy meters list

Use the following command to display status information about the SIP sessions being processed by the SIP ALG. You can also clear all SIP ALG statistics.

diagnose sys sip-proxy stats {clear | list}


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “SIP ALG configuration overview

  1. Sufyan

    My sip account is registered successfully but voice is not passing to the other end.

    Can you please send me the steps to resolve this issue.

    Thanks

    Reply
    1. Mike Post author

      Is the issue one way audio? no calls going through at all (no ringing)? Need more details.
      Kernel mode and SIP session helpers are normally our go to items for troubleshooting.

      Reply

Leave a Reply to Mike Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.