FortiGate on SIP/ALG/Session Helper

If you are looking for some idea on change/tweak on fortigate for SIP/VoIP traffic,  I believe the below details could give help you a bit of insight on configuring Fortinet for your SIP/VoIP design. I know there are other Fortinet Experts who already shared some idea related to the this. This is just my version of the same and with some add-ons!!

When to use”session helper” && “Voip-ALG(Kernel mode)” && “Voip-ALG(Proxy mode)”??

Type of SIP VoIP design:

Peer to peer configuration

SIP proxy server configuration



SIP redirect server configuration


SIP registrar configuration

SIP with a FortiGate running Transparent Mode


SIP network with FortiGate running NAT/Route Mode:


Tweaking your Fortigate  based on your design requirements for SIP VoIP Traffic :

*SIP sessions using port 5060 accepted by a security policy that does not include a VoIP profile are processed by the “SIP session helper”.

*Session helper + Fortigate VoIP ALG mode “Kernel Mode” = SIP session offload, SDP conversion happens with RTP session pin hole

*Fortigate VoIP ALG mode “Proxy Mode”(ALG)  = More SIP ALG features and RTP Session pin hole.


By default FortiOS uses the Proxy Mode SIP ALG for SIP traffic. If you want to use the SIP session helper you need to enter the following command:

config system settings

set default-voip-alg-mode kernel-helper-based


In most cases you would want to use the SIP ALG since the SIP session helper provides limited functionality. However, the SIP session helper is available and can be useful for high-performance solutions where a high level of SIP security is not a requirement.


#Key Things you should understand#

*Controlling NAT for addresses in SDP lines
You can use the no-sdp-fixup option to control whether the Fortigate performs NAT on addresses in SDP lines in the SIP message body.

The no-sdp-fixup option is disabled by default and the FortiGate performs NAT on addresses in SDP lines. Enable this option if you don’t want the FortiGate to perform NAT on the addresses in SDP lines.

config voip profile

edit VoIP_Pro_1

config sip

set no-sdp-fixup enable




*How the SIP ALG performs NAT :

I see this as an important portion to understand atleast while working with fortigate firewalls.

Using NAT with SIP is more complex because of the IP addresses and media stream port numbers used in SIP message headers and bodies. When a caller on the private network sends a SIP message to a phone or SIP server on the Internet, the SIP ALG must translate the private network addresses in the SIP message to IP addresses and port numbers that are valid on the Internet. When the response message is sent back to the caller, the SIP ALG must translate these addresses back to valid private network addresses.

In addition, the media streams generated by the SIP session are independent of the SIP message sessions and use varying port numbers that can also change during the media session. The SIP ALG opens pinholes to accept these media sessions, using the information in the SIP messages to determine the pinholes to open. The ALG may also perform port translation on the media sessions.

When an INVITE message is received by the SIP ALG, the FortiGate extracts addressing and port number information from the message header and stores it in a SIP dialog table. Similar to an IP session table the data in the dialog table is used to translate addresses in subsequent SIP messages that are part of the same SIP call.

When the SIP ALG receives a response to the INVITE message arrives, (for example, an ACK or 200 OK), the SIP ALG compares the addresses in the message fields against the entries in the SIP dialog table to identify the call context of the message. The SIP ALG then translates addresses in the SIP message before forwarding them to their destination.

The addressing and port number information in SDP fields is used by the ALG to reserve ports for the media session and create a NAT mapping between them and the ports in the SDP fields. Because SDP uses sequential ports for the RTP and RTCP channels, the ALG provides consecutive even-odd ports.




COA | Change Of Authorization

COA | Change of authorization
RFC 3576
UDP port 3766 | IEEE

>Change of authorization is used to ask NETWORK SWITCH/ROUTER/WIFI-CONTROLLER to disconnect-user, session timeout, bounce port of the existing user session on network.
>Mostly AAA server is user to record the user accounting information and based on the user activity or time the user is then disconnected from the network or session timed out.
>The Network device will send the accounting information to a AAA server.
>The AAA server keeps track of user information like Device MAC-ADDRESS, User SESSION-ID, USERNAME, FRAMED-IP-ADDRESS and more based on what it gets from accounting request.
>The radius accounting request traffic will be send only after a successful authentication.
>You could configure to send interim accounting update about the user to accounting server.This interim update can help in scenarios where you want to disconnect the user after usage of certain amount of bandwidth in network. Default time:300 Sec

#Things to remember while working on a COA setup:
>Make sure the network device is configured to accept the COA request from COA server on respected port.
>NAS devices wants to see particular attriutes in COA request to identify the user session and perform COA, So sending the right attributes on COA request is important and it depends on the NAS device vendor.
>The expected COA user identification attribute might be different for a Captive portal authenticated user and Dot1.x user.
>Some vendor ignote the unsupported or unknown attributes in COA request and still ACK your COA request. However some vendor devices dont like you sending a unsupported COA attributes, so they respond with disconnect-NAK
#Here in case of Fortigate Firewall you might need to send the right COA supported attribute to identify the user session.

*supported attributes: WPA-Enterprise&UserGroup and Captive Portal supports:

*User-name” and “Frame-ip” were supported in DM request and both MUST be involved, other attributes like “Calling-Station-Id”, “Called-Station-Id” could not be supported and would cause 503 error message.
*The attributes “EVENT_TIMESTAMP” and “MESSAGE_AUTHENTICATOR” are options.
*Note: Supported attributes as on the latest firmware v5.4


The mobility controller supports the following attributes for identifying the users who authenticate with an RFC 3576 server:

* user-name: Name of the user to be authenticated.
* framed-ip-address: User’s IP address.
* calling-station-id: Phone number of a station that originated a call.
* accounting-session-id: Unique accounting ID for the user session

–> Other attribute might cause 503 error.

#Other ports to Remember:
*Radus Accounting request and Response is on UDP1813
*Radius Authentication is on UDP1812

#Some snapshots attached here to see what’s there inside Disconnect-request,Disconnect-,ACK,Disconnect-NAK.

Accounting Request:


Disconnect Request:






If would like to look at the entire pcap, let me know I can share with your guys.


Configuring your Fortigate for Higher cipher and SSL/TLS protocol

From version 5.4 onwords you  can control on setting  Encryption and Decryption to Highest Cipher for SSLVPN

FG08XXXXXXXXXX # config vpn ssl settings
FG080XXXXXXXXX (settings) #
FG080XXXXXXXXX (settings) # set banned-cipher
RSA         Ban the use of cipher suites using RSA key.
DH          Ban the use of cipher suites using DH.
DHE         Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDH        Ban the use of cipher suites using ECDH key exchange.
ECDHE       Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS         Ban the use of cipher suites using DSS authentication.
ECDSA       Ban the use of cipher suites using ECDSA authentication.
AES         Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM      Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA    Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES        Ban the use of cipher suites using triple DES
SHA1        Ban the use of cipher suites using SHA1.
SHA256      Ban the use of cipher suites using SHA256.
SHA384      Ban the use of cipher suites using SHA384.

#To set the SSL/TLS protocol versions for ADMIN and SSL VPN


>>Allow only TLS 1.2:
       # config system global
       # set admin-https-ssl-versions tlsv1-2
       # end
>>Disable everything except TLS 1.2 as go to high algorithm:
       # config vpn ssl settings
       # set tlsv1-0 disable
       # set tlsv1-1 disable
       # set sslv3 disable
       # set algorithm high
       # end
>>Whats with setting the algorithm on HIGH/LOW/MEDIUM:
The default option of Medium at RC4 (128 bits) is acceptable, but the High option, AES (128/256 bits) and 3DES is more secure. The Low option, RC4 (64 bits), DES and higher does not meet PCI DSS requirements
>>Configure the system to use strong crypto:
   # config system global
       # set strong-crypto enable
       # end
Note: Enabling strong crypto will disable using SSLV3 and TLSv1.0. So its  TLSv1.1 and TLSv1.2