VoIP Solutions – SIP over TLS

SIP over TLS

Some SIP phones and servers can communicate using TLS to encrypt the SIP signaling traffic. To allow SIP over TLS calls to pass through the FortiGate, the encrypted signaling traffic must be decrypted and inspected. The FortiGate SIP ALG intercepts, decrypts, and inspects the SIP packets, which are then re-encrypted and forwarded to their destination.

The SIP ALG only supports full mode TLS. This means that the SIP traffic between SIP phones and the FortiGate, and between the FortiGate and the SIP server, is always encrypted. The highest TLS version supported by the SIP ALG is TLS 1.2.

To enable SIP over TLS support, the SSL mode in the VoIP profile must be set to full. The SSL server and client certificates can be provisioned so that the FortiGate can use them to establish connections to SIP phones and servers, respectively.

To configure SIP over TLS:

  1. Configure a VoIP profile with SSL enabled:

config voip profile
    edit "tls"
        config sip
            set ssl-mode full
            set ssl-client-certificate "ssl_client_cert"
            set ssl-server-certificate "ssl_server_cert"
        end
    next
end

The ssl_server_cert, ssl_client_cert, and key files can be generated using a certificate tool, such as OpenSSL, and imported to the local certificate store of the FortiGate from System > Certificates in the GUI. Existing local certificates in the certificate store can also be used. As always for TLS connections, the certificates used must be verified and trusted at the other end of the connection when required.

For example, the CA certificate of the SIP server's certificate should be imported to the FortiGate as an external CA certificate, so that the FortiGate can use it to verify the SIP server's certificate when setting up the TLS connection. The CA certificate that issued ssl_server_cert should be installed as a trusted certificate on the SIP phones. The deployment of the certificates across the network depends on the SIP client and server devices that are used in the system.

  2. Apply the profile to the firewall policy:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip_sip_server"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "tls"
    next
end
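The two steps above only take effect together: a profile with ssl-mode full does nothing unless a policy references it with utm-status enabled, and a policy referencing a profile whose certificates are unset cannot complete the TLS handshake. The following script is an added example, not Fortinet's code or part of the guide: it parses the nested config/edit/set/next/end syntax of a FortiOS CLI dump and reports any of those gaps. The SAMPLE_CONFIG text is constructed from the two blocks above, and the parse_fortios and audit_sip_tls function names are this example's own.

```python
"""Audit a FortiOS CLI dump for the SIP-over-TLS prerequisites:
a VoIP profile with ssl-mode full and both certificates set, plus a
firewall policy that applies that profile with utm-status enable.
Added example; not Fortinet code. The config below is constructed."""
import shlex

# Constructed sample: the VoIP profile and policy from the steps above.
SAMPLE_CONFIG = """\
config voip profile
    edit "tls"
        config sip
            set ssl-mode full
            set ssl-client-certificate "ssl_client_cert"
            set ssl-server-certificate "ssl_server_cert"
        end
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip_sip_server"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "tls"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    A `config ...` line opens a table keyed by the whole line
    (e.g. "config voip profile"), an `edit` line opens an entry keyed
    by its name, and each `set` stores key -> list of values.
    `next` and `end` close the innermost open block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the quotes around names
        verb = tokens[0]
        if verb == "config":
            child = stack[-1].setdefault(" ".join(tokens), {})
            stack.append(child)
        elif verb == "edit":
            child = stack[-1].setdefault(tokens[1], {})
            stack.append(child)
        elif verb == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif verb in ("next", "end"):
            stack.pop()
        # unset/append/other verbs are not needed for this audit
    return root


def audit_sip_tls(cfg):
    """Return a list of findings; an empty list means the config is complete."""
    findings = []
    tls_profiles = set()
    for name, prof in cfg.get("config voip profile", {}).items():
        sip = prof.get("config sip", {})
        if sip.get("ssl-mode", ["off"])[0] != "full":
            continue  # the SIP ALG only decrypts in full mode
        missing = [k for k in ("ssl-client-certificate", "ssl-server-certificate")
                   if not sip.get(k)]
        if missing:
            findings.append(f"voip profile {name}: ssl-mode full but "
                            f"missing {', '.join(missing)}")
        else:
            tls_profiles.add(name)
    if not tls_profiles:
        findings.append("no VoIP profile has ssl-mode full with both certificates set")

    applied = False
    for pid, pol in cfg.get("config firewall policy", {}).items():
        prof = pol.get("voip-profile", [None])[0]
        if prof not in tls_profiles:
            continue
        if pol.get("utm-status", ["disable"])[0] != "enable":
            findings.append(f"policy {pid}: voip-profile {prof} set but "
                            f"utm-status is not enable, so the profile is not applied")
        else:
            applied = True
    if tls_profiles and not applied:
        findings.append("no firewall policy applies a TLS VoIP profile with utm-status enable")
    return findings


if __name__ == "__main__":
    for finding in audit_sip_tls(parse_fortios(SAMPLE_CONFIG)) or ["OK"]:
        print(finding)
```

Run it against a `show full-configuration` dump instead of the constructed sample to check a live unit; the parser ignores lines it does not understand, so the audit is limited to the two tables the page configures.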


This entry was posted in Administration Guides, FortiGate, FortiOS, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
