The SIP session helper
The SIP session-helper is a high-performance solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes and by performing NAT of the addresses in SIP messages.
The SIP session helper:
- Understands SIP dialog messages. l Keeps the states of the SIP transactions between SIP UAs and SIP servers. l Translates SIP header and SDP information to account for NAT operations performed by the FortiGate. l Opens up and closes dynamic SIP pinholes for SIP signaling traffic. l Opens up and closes dynamic RTP and RTSP pinholes for RTP and RTSP media traffic.
- Provides basic SIP security as an access control device.
- Uses the intrusion protection (IPS) engine to perform basic SIP protocol checks.
SIP session helper configuration overview
By default FortiOS uses the SIP ALG for SIP traffic. If you want to use the SIP session helper you need to enter the following commands to disable the SIP ALG and to enable the SIP session helper:
config system settings set default-voip-alg-mode kernel-helper-based set sip-helper enable
end
The SIP session helper is disabled by default and must be enabled for the SIP session helper to process VoIP traffic. The SIP session help is set to listen for SIP traffic on TCP or UDP port 5060. SIP sessions using port 5060 accepted by a security policy that does not include a VoIP profile are processed by the SIP session helper.
You might want to disable the SIP session helper and the SIP ALG if you don’t want the FortiGate to apply NAT or other SIP session helper features to SIP traffic. With the SIP session helper and the SIP ALG disabled, the FortiGate can still accept SIP sessions if they are allowed by a security policy, but the FortiGate will not be able to open pinholes or NAT the addresses in the SIP messages.
You can enable and disable the SIP session helper, change the TCP or UDP port that the session helper listens on for SIP traffic, and enable or disable SIP NAT tracing. If the FortiGate is operating with multiple VDOMs, each VDOM can have a different SIP session helper configuration.
To have the SIP session helper process SIP sessions you need to add a security policy that accepts SIP sessions on the configured SIP UDP or TCP ports. The security policies can have service set to ANY, or to the SIP predefined firewall service, or a custom firewall service. The SIP pre-defined firewall service restricts the security policy to only accepting sessions on UDP port 5060.
If NAT is enabled for security policies that accept SIP traffic, the SIP session helper translates addresses in SIP headers and in the RDP profile and opens up pinholes as required for the SIP traffic. This includes security policies that perform source NAT and security policies that contain virtual IPs that perform destination NAT and port forwarding. No special SIP configuration is required for this address translation to occur, it is all handled
Viewing, removing, and adding the SIP session helper configuration
automatically by the SIP session helper according to the NAT configuration of the security policy that accepts the SIP session.
To use the SIP session helper you must not add a VoIP profile to the security policy. If you add a VoIP profile, SIP traffic bypasses the SIP session helper and is processed by the SIP ALG.
In most cases you would want to use the SIP ALG since the SIP session helper provides limited functionality. However, the SIP session helper is available and can be useful for high-performance solutions where a high level of SIP security is not a requirement.
Viewing, removing, and adding the SIP session helper configuration
Enter the following command to find the sip session helper entry in the session-helper list:
show system session-helper .
.
.
edit 13 set name sip set port 5060 set protocol 17
next .
. .
This command output shows that the sip session helper listens on UDP port 5060 for SIP sessions.
Enter the following command to delete session-helper list entry number 13:
config system session-helper delete 13
end
If you want to use the SIP session helper you can verify whether it is available using the show system session-helper command.
If the SIP session helper has been removed from the session-helper list you can use the following command to add it back to the session helper list:
config system session-helper edit 0 set name sip set port 5060 set protocol 17
end
Changing the port numbers that the SIP session helper listens on
You can use the following command to change the port number that the SIP session helper listens on for SIP traffic to 5064. The SIP session helper listens on the same port number for UDP and TCP SIP sessions. In this The SIP session helper Configuration example: SIP session helper in transparent mode
example, the SIP session helper is session helper 13:
config system session-helper edit 13 set port 5064
end
The config system settings options sip-tcp-port, sip-udp-port, and sip-ssl-port control the ports that the SIP ALG listens on for SIP sessions. See Changing the port numbers that the SIP ALG listens on on page 45.
Your FortiGate may use a different session helper number for SIP. Enter the following command to view the session helpers:
show system session-helper .
. .
edit 13 set name sip set port 5060 set protocol 17
end .
. .
Configuration example: SIP session helper in transparent mode
The figure below shows an example SIP network consisting of a FortiGate operating in transparent mode between two SIP phones. Since the FortiGate is operating in transparent mode both phones are on the same network and the FortiGate and the SIP session helper does not perform NAT. Even though the SIP session helper is not performing NAT you can use this configuration to apply SIP session helper security features to the SIP traffic.
The FortiGate requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. SIP network with FortiGate in transparent mode
transparent mode
Configuration example: SIP session helper in transparent mode
General configuration steps
The following general configuration steps are required for this SIP configuration that uses the SIP session helper. This example includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.
This example assumes that you have entered the following command to enable using the SIP session helper:
config system settings set default-voip-alg-mode kernel-helper-based
end
- Add firewall addresses for Phone A and Phone B.
- Add a security policy that accepts SIP sessions initiated by Phone A. Add a security policy that accepts SIP sessions initiated by Phone B.
Configuration steps – GUI
To add firewall addresses for the SIP phones
- Go to Policy & Objects > Addresses.
- Select Create New > Address to add the following addresses for Phone A and Phone B:
| Category | Address |
| Name | Phone_A |
| Type | IP/Netmask |
| Subnet / IP Range | 10.31.101.20/255.255.255.255 |
| Interface | port1 |
| Category | Address |
| Name | Phone_B |
| Type | IP/Netmask |
| Subnet / IP Range | 10.31.101.30/255.255.255.255 |
| Interface | port2 |
To add security policies to accept SIP sessions
- Go to Policy & Objects > IPv4 Policy.
- Select Create New to add a security policy.
- Add a security policy to allow Phone A to send SIP request messages to Phone B:
| Incoming Interface | port1 |
| Outgoing Interface | port2 |
| Source | Phone_A |
| Destination Address | Phone_B |
| Schedule | always |
| Service | SIP |
| Action | ACCEPT |
- Select OK.
- Add a security policy to allow Phone B to send SIP request messages to Phone A:
| Incoming Interface | port2 |
| Outgoing Interface | port1 |
| Source Address | Phone_B |
| Destination Address | Phone_A |
| Schedule | always |
| Service | SIP |
| Action | ACCEPT |
- Select OK.
Configuration steps – CLI
To add firewall addresses for Phone A and Phone B and security policies to accept SIP sessions
- Enter the following command to add firewall addresses for Phone A and Phone B. config firewall address edit Phone_A set associated interface port1 set type ipmask
set subnet 10.31.101.20 255.255.255.255
next edit Phone_B set associated interface port2 set type ipmask
set subnet 10.31.101.30 255.255.255.255 end
SIP session helper diagnose commands
- Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.
config firewall policy edit 0 set srcintf port1 set dstintf port2 set srcaddr Phone_A set dstaddr Phone_B set action accept set schedule always set service SIP
next edit 0 set srcintf port2 set dstintf port1 set srcaddr Phone_B set dstaddr Phone_A set action accept set schedule always set service SIP set utm-status enable end
SIP session helper diagnose commands
You can use the diagnose sys sip commands to display diagnostic information for the SIP session helper.
Use the following command to set the debug level for the SIP session helper. Different debug masks display different levels of detail about SIP session helper activity.
diagnose sys sip debug-mask <debug_mask_int>
Use the following command to display the current list of SIP dialogs being processed by the SIP session help. You can also use the clear option to delete all active SIP dialogs being processed by the SIP session helper.
diagnose sys sip dialog {clear | list}
Use the following command to display the current list of SIP NAT address mapping tables being used by the SIP session helper.
diagnose sys sip mapping list
Use the following command to display the current SIP session helper activity including information about the SIP dialogs, mappings, and other SIP session help counts. This command can be useful to get an overview of what the SIP session helper is currently doing.
diagnose sys sip status
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!