FortiGate on SIP/ALG/Session Helper

If you are looking for ideas on changes or tweaks to a FortiGate for SIP/VoIP traffic, I believe the details below can give you a bit of insight into configuring Fortinet for your SIP/VoIP design. I know there are other Fortinet experts who have already shared ideas on this topic. This is just my version of the same, with some add-ons!

When to use the "session helper", "VoIP ALG (kernel mode)" or "VoIP ALG (proxy mode)"?

Types of SIP VoIP design:

*Peer-to-peer configuration

*SIP proxy server configuration

*SIP redirect server configuration

*SIP registrar configuration

*SIP with a FortiGate running transparent mode

*SIP network with a FortiGate running NAT/route mode

Tweaking your FortiGate based on your design requirements for SIP VoIP traffic:

*SIP sessions using port 5060 that are accepted by a security policy without a VoIP profile are processed by the SIP session helper.

*Session helper + FortiGate VoIP ALG mode "kernel mode" = SIP sessions are offloaded; SDP addresses are translated and RTP session pinholes are opened.

*FortiGate VoIP ALG mode "proxy mode" (ALG) = more SIP ALG features, plus RTP session pinholes.

*FortiGate VoIP ALG mode "kernel mode" + session helper disabled = no SIP ALG on the FortiGate.


By default FortiOS uses the proxy-mode SIP ALG for SIP traffic. If you want to use the SIP session helper instead, you need to enter the following commands:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

NOTE: The SIP session helper entry itself lives under "config system session-helper"; remove it there as well if you want the session helper disabled (see the kernel-mode case above).

In most cases you would want to use the SIP ALG since the SIP session helper provides limited functionality. However, the SIP session helper is available and can be useful for high-performance solutions where a high level of SIP security is not a requirement.


#Key Things you should understand#

*Controlling NAT for addresses in SDP lines
You can use the no-sdp-fixup option to control whether the FortiGate performs NAT on the addresses in the SDP lines of the SIP message body.

The no-sdp-fixup option is disabled by default and the FortiGate performs NAT on addresses in SDP lines. Enable this option if you don’t want the FortiGate to perform NAT on the addresses in SDP lines.

config voip profile
    edit VoIP_Pro_1
        config sip
            set no-sdp-fixup enable
        end
    next
end


*How the SIP ALG performs NAT:

I see this as an important portion to understand, at least while working with FortiGate firewalls.

NAT with SIP gets a bit complex because of the IP addresses and port numbers carried in SIP message headers and bodies. When a SIP caller on the private network calls a phone server or SIP phone on the Internet, the SIP ALG must translate the private network addresses to Internet-valid IP addresses and port numbers, and when the response message comes back to the caller, the SIP ALG must translate them back to the valid private network addresses.

Additionally, the media streams set up by a SIP session are independent of the SIP messages and use different port numbers during the media session. Based on the information in the SIP message, the SIP ALG opens pinholes to accept the media streams and performs port translation on them.

When the SIP ALG receives an INVITE message, the FortiGate extracts information such as port numbers and IP addresses and stores it in a SIP dialog table. This is similar to the IP session table, and the data is used for the subsequent SIP messages that are part of the same call.

Using the information in the SDP fields, the ALG then reserves port numbers and IP addresses for the media session and creates NAT mappings for the ports in the SDP fields. SDP normally uses sequential ports for the RTP and RTCP channels, and the ALG provides consecutive even-odd ports.
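To make the steps above concrete, here is an added example (my own illustration, not FortiGate code and not the no-sdp-fixup section's own code) that models one ALG pass over an outbound INVITE: the private address in the SIP headers is translated, the SDP c=/o= lines and m= ports are translated only when SDP fixup is on (the no-sdp-fixup option from the earlier section is modelled as the sdp_fixup flag), a dialog-table entry is recorded by Call-ID, and an even RTP / odd RTCP port pair is reserved as a pinhole per m= line. The INVITE, the addresses 10.0.0.5 and 203.0.113.1, the port pool starting at 40000, and the rule "outside port equals inside port when SDP is not rewritten" are all constructed assumptions of this model, not observed FortiGate behaviour.

```python
"""Constructed model of SIP ALG NAT over an INVITE. Not FortiGate code."""

INSIDE_IP = "10.0.0.5"        # constructed private phone address
OUTSIDE_IP = "203.0.113.1"    # constructed public address of the firewall
RTP_POOL_START = 40000        # constructed start of the reserved media port range

# Constructed sample INVITE with SDP body (RFC 3261/4566 style, not captured traffic).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@198.51.100.20 SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@10.0.0.5>;tag=1928301774",
    "To: <sip:bob@198.51.100.20>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.0.5:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5",
    "s=-",
    "c=IN IP4 10.0.0.5",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"


def _header(head, name):
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in head.split("\r\n"):
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def alg_translate(msg, inside_ip=INSIDE_IP, outside_ip=OUTSIDE_IP,
                  rtp_base=RTP_POOL_START, sdp_fixup=True):
    """Model one ALG pass over an outbound INVITE.

    Returns (translated_message, dialog_entry, pinholes):
      - SIP header lines always get inside_ip -> outside_ip.
      - SDP c=/o= lines and m= ports are translated only when sdp_fixup is True
        (no-sdp-fixup enable on the page corresponds to sdp_fixup=False).
      - Each m= line reserves an even RTP port plus the following odd RTCP port
        on the outside address; the inside/outside pairs are the pinholes.
        Model simplification: with sdp_fixup=False the outside port is left
        equal to the advertised inside port.
    """
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ValueError("INVITE has no SDP body")
    head_out = head.replace(inside_ip, outside_ip)

    # Dialog-table entry: later messages of this call are matched on Call-ID.
    dialog = {
        "call_id": _header(head, "Call-ID"),
        "inside": inside_ip,
        "outside": outside_ip,
        "contact": _header(head_out, "Contact"),
    }

    pinholes = []
    next_rtp = rtp_base + (rtp_base % 2)   # RTP must start on an even port
    body_out = []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")) and sdp_fixup:
            line = line.replace(inside_ip, outside_ip)
        elif line.startswith("m="):
            parts = line.split(" ")
            inside_rtp = int(parts[1])
            outside_rtp = next_rtp if sdp_fixup else inside_rtp
            pinholes.append({
                "media": parts[0][2:],
                "inside": (inside_ip, inside_rtp, inside_rtp + 1),
                "outside": (outside_ip, outside_rtp, outside_rtp + 1),
            })
            if sdp_fixup:
                parts[1] = str(outside_rtp)
                next_rtp += 2              # next m= line gets the next even/odd pair
            line = " ".join(parts)
        body_out.append(line)
    return head_out + "\r\n\r\n" + "\r\n".join(body_out), dialog, pinholes


if __name__ == "__main__":
    translated, dialog, holes = alg_translate(SAMPLE_INVITE)
    print(translated)
    print(dialog)
    for hole in holes:
        print(hole)
```

Running it with sdp_fixup=False shows what the no-sdp-fixup option buys you: the Via/From/Contact headers are still translated, but the c= line and m= port stay as the phone sent them, which is what you want when an SBC or the phone itself already inserts the public address into SDP and a second rewrite would break the media path.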
