The SIP session helper

The SIP session-helper is a high-performance solution that provides basic support for SIP calls passing through the FortiGate by opening SIP and RTP pinholes and by performing NAT of the addresses in SIP messages.

The SIP session helper:

  • Understands SIP dialog messages.
  • Keeps the states of the SIP transactions between SIP UAs and SIP servers.
  • Translates SIP header and SDP information to account for NAT operations performed by the FortiGate.
  • Opens up and closes dynamic SIP pinholes for SIP signaling traffic.
  • Opens up and closes dynamic RTP and RTSP pinholes for RTP and RTSP media traffic.
  • Provides basic SIP security as an access control device.
  • Uses the intrusion protection (IPS) engine to perform basic SIP protocol checks.

SIP session helper configuration overview

By default FortiOS uses the SIP ALG for SIP traffic. If you want to use the SIP session helper you need to enter the following commands to disable the SIP ALG and to enable the SIP session helper:

config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper enable
end

The SIP session helper is disabled by default and must be enabled for the SIP session helper to process VoIP traffic. The SIP session helper is set to listen for SIP traffic on TCP or UDP port 5060. SIP sessions using port 5060 that are accepted by a security policy that does not include a VoIP profile are processed by the SIP session helper.

You might want to disable the SIP session helper and the SIP ALG if you don’t want the FortiGate to apply NAT or other SIP session helper features to SIP traffic. With the SIP session helper and the SIP ALG disabled, the FortiGate can still accept SIP sessions if they are allowed by a security policy, but the FortiGate will not be able to open pinholes or NAT the addresses in the SIP messages.

You can enable and disable the SIP session helper, change the TCP or UDP port that the session helper listens on for SIP traffic, and enable or disable SIP NAT tracing. If the FortiGate is operating with multiple VDOMs, each VDOM can have a different SIP session helper configuration.

To have the SIP session helper process SIP sessions you need to add a security policy that accepts SIP sessions on the configured SIP UDP or TCP ports. The security policies can have service set to ANY, or to the SIP predefined firewall service, or a custom firewall service. The SIP pre-defined firewall service restricts the security policy to only accepting sessions on UDP port 5060.

If NAT is enabled for security policies that accept SIP traffic, the SIP session helper translates addresses in SIP headers and in the SDP profile and opens pinholes as required for the SIP traffic. This includes security policies that perform source NAT and security policies that contain virtual IPs that perform destination NAT and port forwarding. No special SIP configuration is required for this address translation to occur; it is all handled automatically by the SIP session helper according to the NAT configuration of the security policy that accepts the SIP session.

To use the SIP session helper you must not add a VoIP profile to the security policy. If you add a VoIP profile, SIP traffic bypasses the SIP session helper and is processed by the SIP ALG.

In most cases you would want to use the SIP ALG since the SIP session helper provides limited functionality. However, the SIP session helper is available and can be useful for high-performance solutions where a high level of SIP security is not a requirement.

Viewing, removing, and adding the SIP session helper configuration

Enter the following command to find the sip session helper entry in the session-helper list:

show system session-helper
    .
    .
    .
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next
    .
    .
    .

This command output shows that the sip session helper listens on UDP port 5060 for SIP sessions.

Enter the following command to delete session-helper list entry number 13:

config system session-helper
    delete 13
end

If you want to use the SIP session helper you can verify whether it is available using the show system session-helper command.

If the SIP session helper has been removed from the session-helper list you can use the following command to add it back to the session helper list:

config system session-helper
    edit 0
        set name sip
        set port 5060
        set protocol 17
    next
end

Changing the port numbers that the SIP session helper listens on

You can use the following command to change the port number that the SIP session helper listens on for SIP traffic to 5064. The SIP session helper listens on the same port number for UDP and TCP SIP sessions. In this example, the SIP session helper is session helper 13:

config system session-helper
    edit 13
        set port 5064
    next
end

The config system settings options sip-tcp-port, sip-udp-port, and sip-ssl-port control the ports that the SIP ALG listens on for SIP sessions. See Changing the port numbers that the SIP ALG listens on.

Your FortiGate may use a different session helper number for SIP. Enter the following command to view the session helpers:

show system session-helper
    .
    .
    .
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next
    .
    .
    .
end
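The three conditions above (the kernel-helper mode and sip-helper settings, a sip entry in the session-helper list, and no VoIP profile on the policies that carry SIP) are easy to lose track of across VDOMs, so here is an added audit script that checks them against a saved copy of the CLI configuration. It is not part of the FortiOS documentation or product; the configuration text it parses is a constructed sample, and the parser handles only the flat config/edit/set/next/end layout used by the sections shown on this page.

```python
# Constructed sample of FortiOS CLI output (not from a real device); policy 2 carries a VoIP profile.
SAMPLE_CONFIG = """
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper enable
end
config system session-helper
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next
end
config firewall policy
    edit 1
        set service "SIP"
    next
    edit 2
        set service "SIP"
        set voip-profile "default"
    next
end
"""

def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into {section: {entry or None: {key: value}}}."""
    cfg, section, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            section, entry = line[7:], None          # settings with no edit use entry None
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cfg.setdefault(section, {}).setdefault(entry, {})[key] = value.strip('"')
        elif line in ("next", "end"):                 # "end" also leaves the section
            entry, section = None, section if line == "next" else None
    return cfg

def audit_sip_helper(cfg):
    findings = []  # reasons SIP traffic would not reach the session helper
    settings = cfg.get("system settings", {}).get(None, {})
    if (settings.get("default-voip-alg-mode"), settings.get("sip-helper")) != ("kernel-helper-based", "enable"):
        findings.append("SIP ALG still selected: need default-voip-alg-mode kernel-helper-based and sip-helper enable")
    if not any(e.get("name") == "sip" for e in cfg.get("system session-helper", {}).values()):
        findings.append("no sip entry in system session-helper")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("service") in ("SIP", "ALL") and "voip-profile" in pol:
            findings.append(f"policy {pid} has a voip-profile: SIP bypasses the helper")
    return findings
```

Run it against the output of show full-configuration for each VDOM; an empty findings list means SIP on port 5060 will be handled by the session helper.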

Configuration example: SIP session helper in transparent mode

The figure below shows an example SIP network consisting of a FortiGate operating in transparent mode between two SIP phones. Since the FortiGate is operating in transparent mode, both phones are on the same network and the FortiGate and the SIP session helper do not perform NAT. Even though the SIP session helper is not performing NAT, you can use this configuration to apply SIP session helper security features to the SIP traffic.

The FortiGate requires two security policies that accept SIP packets: one to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A.

Figure: SIP network with FortiGate in transparent mode

General configuration steps

The following general configuration steps are required for this SIP configuration that uses the SIP session helper. This example includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones, so you would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.

This example assumes that you have entered the following command to enable using the SIP session helper:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

  1. Add firewall addresses for Phone A and Phone B.
  2. Add a security policy that accepts SIP sessions initiated by Phone A.
  3. Add a security policy that accepts SIP sessions initiated by Phone B.

Configuration steps – GUI

To add firewall addresses for the SIP phones

  1. Go to Policy & Objects > Addresses.
  2. Select Create New > Address to add the following addresses for Phone A and Phone B:
Category Address
Name Phone_A
Type IP/Netmask
Subnet / IP Range 10.31.101.20/255.255.255.255
Interface port1

Category Address
Name Phone_B
Type IP/Netmask
Subnet / IP Range 10.31.101.30/255.255.255.255
Interface port2

To add security policies to accept SIP sessions

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New to add a security policy.
  3. Add a security policy to allow Phone A to send SIP request messages to Phone B:
Incoming Interface port1
Outgoing Interface port2
Source Address Phone_A
Destination Address Phone_B
Schedule always
Service SIP
Action ACCEPT
  4. Select OK.
  5. Add a security policy to allow Phone B to send SIP request messages to Phone A:
Incoming Interface port2
Outgoing Interface port1
Source Address Phone_B
Destination Address Phone_A
Schedule always
Service SIP
Action ACCEPT
  6. Select OK.

Configuration steps – CLI

To add firewall addresses for Phone A and Phone B and security policies to accept SIP sessions

  1. Enter the following command to add firewall addresses for Phone A and Phone B:

config firewall address
    edit Phone_A
        set associated-interface port1
        set type ipmask
        set subnet 10.31.101.20 255.255.255.255
    next
    edit Phone_B
        set associated-interface port2
        set type ipmask
        set subnet 10.31.101.30 255.255.255.255
    next
end

  2. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A:

config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr Phone_A
        set dstaddr Phone_B
        set action accept
        set schedule always
        set service SIP
    next
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr Phone_B
        set dstaddr Phone_A
        set action accept
        set schedule always
        set service SIP
        set utm-status enable
    next
end

SIP session helper diagnose commands

You can use the diagnose sys sip commands to display diagnostic information for the SIP session helper.

Use the following command to set the debug level for the SIP session helper. Different debug masks display different levels of detail about SIP session helper activity.

diagnose sys sip debug-mask <debug_mask_int>

Use the following command to display the current list of SIP dialogs being processed by the SIP session helper. You can also use the clear option to delete all active SIP dialogs being processed by the SIP session helper.

diagnose sys sip dialog {clear | list}

Use the following command to display the current list of SIP NAT address mapping tables being used by the SIP session helper.

diagnose sys sip mapping list

Use the following command to display the current SIP session helper activity, including information about the SIP dialogs, mappings, and other SIP session helper counts. This command can be useful to get an overview of what the SIP session helper is currently doing.

diagnose sys sip status

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
