SIP FortiOS 6 Introduction

Introduction

This FortiOS Handbook chapter contains detailed information about how FortiGates processes SIP VoIP calls and how to configure the FortiGate to apply security features to SIP calls. This document describes all FortiGate SIP configuration options and contains detailed configuration examples.

Before you begin

Before you begin to configure VoIP security profiles, including SIP, from the GUI you should go to System > Feature Visibility and turn on VoIP (under Additional Features).

Also, VoIP settings are only available if the FortiGate or current VDOM Inspection Mode is set to Proxy. To view the inspection mode go to System > Settings to confirm that Inspection Mode is set to Proxy. You can also use the following CLI command to change the inspection mode to proxy:

config system settings set inspection-mode proxy

end

The System Information dashboard widget also shows the current Mode.

How this guide is organized

This FortiOS Handbook chapter contains the following sections:

Inside FortiOS: VoIP Protection introduces FortiOS VoIP Protection

Common SIP VoIP configurations describes some common SIP configurations.

SIP messages and media protocols describes SIP messages and some common SIP media protocols.

The SIP session helper describes how the SIP session helper works and how to configure SIP support using the SIP session helper.

The SIP ALG describes how the SIP Application Layer Gateway (ALG) works and how to configure SIP support using the SIP ALG.

Conflicts between the SIP ALG and the session helper describes how to sort out conflicts between the SIP session helper and the ALG.

Stateful SIP tracking, call termination, and session inactivity timeout describes how the SIP ALG performs SIP stateful tracking, call termination and session activity timeouts.

What’s new in FortiOS 6.0.1                                                                                                                Introduction

SIP and RTP/RTCP describes how SIP relates to RTP and RTCP.

How the SIP ALG creates RTP pinholes describes how the SIP ALG creates pinholes.

Configuration example: SIP in transparent mode describes how to configure a FortiGate in transparent mode to support SIP.

RTP enable/disable (RTP bypass) describes RTP bypass.

Opening and closing SIP register, contact, via and record-route pinholes describes how FortiOS opens and closes these pinholes.

Accepting SIP register responses describes how to enable accepting SIP register responses.

How the SIP ALG performs NAT describes how the SIP ALG performs NAT.

Enhancing SIP pinhole security describes how to open smaller pinholes.

Hosted NAT traversal describes SIP hosted NAT traversal and how to configure it.

SIP over IPv6 describes how to configure SIP over IPv6.

Deep SIP message inspection describes how deep SIP message inspection works.

Blocking SIP request messages describes how to block SIP request messages to prevent some common SIP attacks.

SIP rate limiting includes more options for preventing SIP attacks.

SIP logging describes how to enable SIP logging.

Inspecting SIP over SSL/TLS (secure SIP) describes how to inspection encrypted SIP traffic.

SIP and HA–session failover and geographic redundancy describes how to use FGCP HA to support SIP geographic redundancy.

SIP and IPS describes how to turn on IPS for SIP sessions.

SIP debugging describes some tools for debugging your SIP configuration.

What’s new in FortiOS 6.0.1

VoIP features appear on the GUI when the FortiGate is operating in Flow mode, see Enabling VoIP support from the GUI on page 43.

What’s new in FortiOS 6.0

By default, FortiOS 6.0 disables the SIP session helper, see SIP session helper configuration overview on page 35.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, Fortinet on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.