Chapter 29 – VoIP Solutions: SIP
This FortiOS Handbook chapter contains the following sections: FortiGate VoIP solutions–SIP describes FortiGate SIP support.
FortiGate VoIP solutions–SIP
The Session Initiation Protocol (SIP) is an IETF application layer signaling protocol used for establishing, conducting, and terminating multiuser multimedia sessions over TCP/IP networks using any media. SIP is often used for Voice over IP (VoIP) calls but can be used for establishing streaming communication between end points.
SIP employs a request and response transaction model similar to HTTP for communicating between endpoints. SIP sessions being with a SIP client sending a SIP request message to another client to initiate a multimedia session. The other client responds with a SIP response message. Using these request and response messages, the clients engage in a SIP dialog to negotiate how to communicate and then start, maintain, and end the communication session.
SIP commonly uses TCP or UDP port 5060 and/or 5061. Port 5060 is used for non-encrypted SIP signaling sessions and port 5061 is typically used for SIP sessions encrypted with SSL or TLS.
Devices involved in SIP communications are called SIP User Agents (UAs) (also sometimes called a User Element (UE)). UAs include User Agent Clients (UACs) that communicate with each other and User Agent Servers (UASs) that facilitate communication between UACs. For a VoIP application, an example of a UAC would be a SIP phone and an example of a UAS would be a SIP proxy server.
A SIP message contain headers that include client and server names and addresses required for the communication sessions. The body of a SIP message contains Session Description Protocol (SDP) statements that establish the media communication (port numbers, protocols and codecs) that the SIP UAs use. SIP VoIP most commonly uses the Real Time Protocol (RTP) and the Real Time Control Protocol (RTCP) for voice communication. Once the SIP dialog establishes the SIP call the VoIP stream can run independently, although SIP messages can affect the VoIP stream by changing port numbers or addresses and by ending it.
Once SIP communication and media settings are established, the UAs communicate with each using the established media settings. When the communication session is completed, one of the UAs ends the session by sending a final SIP request message and the other UA sends a SIP response message and both UAs end the SIP call and stop the media stream.
FortiGate units provide security for SIP communications using the SIP session helper and the SIP ALG:
- The SIP session-helper provides basic high-performance support for SIP calls passing through the FortiGate unit by opening SIP and RTP pinholes and performing source and destination IP address and port translation for SIP and RTP packets and for the IP addresses and port numbers in the SIP headers and the SDP body of the SIP messages. For more about the SIP session helper, see The SIP session helper on page 2753.
- The SIP Application Layer Gateway (ALG) provides the same features as the session helper plus additional advanced features such as deep SIP message inspection, SIP logging, SIP IPv6 support, SIP message checking, HA failover of SIP sessions, and SIP rate limiting. For more about the SIP ALG, see The SIP ALG on page 2759.
All SIP traffic is processed by the SIP ALG by default. You can change the default setting using the following command:
config system settings
set default-voip-alg-mode {proxy-based | kernel-helper-based}
end
The default is proxy-based, which means the SIP ALG is used. If set to kernel-helper-based, the SIP session helper is used. If a SIP session is accepted by a firewall policy with a VoIP profile, the session is processed using the SIP ALG even if default-voip-alg-mode is set to kernel-helper-based.
If a SIP session is accepted by a firewall policy that does not include a VoIP profile:
- If default-voip-alg-mode is set to proxy-based, SIP traffic is processed by the SIP ALG using the default VoIP profile.
- If default-voip-alg-mode is set to kernel-helper-based, SIP traffic is processed by the SIP session helper. If the SIP session help has been removed, then no SIP processing takes place.
On a FortiGate unit with multiple VDOMs, whether to use the ALG or the session helper is set per-VDOM.
There are a large number of SIP-related Internet Engineering Task Force (IETF) documents (Request for Comments) that define behavior of SIP and related applications. FortiGate units provide complete support of RFC 3261 for SIP, RFC 4566 for SDP and RFC 3262 for Provisional Response Acknowledgment (PRACK). FortiGate units also provide support for other SIP and SIP-related RFCs and performs Deep SIP message inspection on page 2808 for SIP statements defined in other SIP RFCs.