Changing the session helper configuration

Normally you will not need to change the configuration of the session helpers. However, in some cases you may need to change the protocol or port that a session helper listens on.

Changing the protocol or port that a session helper listens on

Most session helpers are configured to listen for their sessions on the port and protocol that they typically use. If your FortiGate unit receives sessions that should be handled by a session helper on a non-standard port or protocol, you can use the following procedure to change the port and protocol used by a session helper. The following example shows how to change the port that the pmap session helper listens on for Sun RPC portmapper TCP sessions. By default pmap listens on TCP port 111.

To change the port that the pmap session helper listens on to TCP port 112

1. Confirm that the TCP pmap session helper entry is 11 in the session-helper list:

show system session-helper 11
config system session-helper
    edit 11
        set name pmap
        set port 111
        set protocol 6
    next
end

2. Enter the following command to change the TCP port to 112.

config system session-helper
    edit 11
        set port 112
end

3. The pmap session helper also listens on UDP port 111. Confirm that the UDP pmap session helper entry is 12 in the session-helper list:

show system session-helper 12
config system session-helper
    edit 12
        set name pmap
        set port 111
        set protocol 17
    next
end

4. Enter the following command to change the UDP port to 112.

config system session-helper
    edit 12
        set port 112
end

Use the following procedure to set the h323 session helper to listen on the UDP protocol.

To change the protocol that the h323 session helper listens on

1. Confirm that the h323 session helper entry is 2 in the session-helper list:

show system session-helper 2
config system session-helper
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
end

2. Enter the following command to change the protocol to UDP.

config system session-helper
    edit 2
        set protocol 17
end

If a session helper listens on more than one port or protocol, then multiple entries for the session helper must be added to the session-helper list, one for each port and protocol combination. For example, the rtsp session helper listens on TCP ports 554, 7070, and 8554, so there are three rtsp entries in the session-helper list. If your FortiGate unit receives rtsp packets on a different TCP port (for example, 6677), you can use the following command to configure the rtsp session helper to listen on TCP port 6677.

To configure a session helper to listen on a new port and protocol

config system session-helper
    edit 0
        set name rtsp
        set port 6677
        set protocol 6
end

Disabling a session helper

In some cases you may need to disable a session helper. Disabling a session helper means removing it from the session-helper list so that it no longer listens on a port. You can completely disable a session helper by deleting all of its entries from the session-helper list. If there are multiple entries for a session helper on the list, you can delete one of the entries to prevent the session helper from listening on that port.

To disable the mgcp session helper from listening on UDP port 2427

1. Enter the following command to find the mgcp session helper entry that listens on UDP port 2427:

show system session-helper
.
.
.
    edit 19
        set name mgcp
        set port 2427
        set protocol 17
    next
.
.
.

2. Enter the following command to delete session-helper list entry number 19 to disable the mgcp session helper from listening on UDP port 2427:

config system session-helper
    delete 19
end

By default the mgcp session helper listens on UDP ports 2427 and 2727. The previous procedure shows how to stop the mgcp session helper from listening on port 2427. The following procedure completely disables the mgcp session helper by also stopping it from listening on UDP port 2727.

To completely disable the mgcp session helper

1. Enter the following command to find the mgcp session helper entry that listens on UDP port 2727:

show system session-helper
.
.
.
    edit 20
        set name mgcp
        set port 2727
        set protocol 17
    next
.
.
.

2. Enter the following command to delete session-helper list entry number 20 to disable the mgcp session helper from listening on UDP port 2727:

config system session-helper
    delete 20
end
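
To confirm that a helper is completely disabled after the deletions above, the saved output of show system session-helper can be parsed and checked for leftover entries. The following is an added example, not part of the original page or of Fortinet's tooling; the function names parse_helpers and remaining are hypothetical and the sample output is constructed.

```python
import re

PROTO = {6: "tcp", 17: "udp"}  # protocol numbers used on this page

# Constructed sample of `show system session-helper` output (not from a real
# unit): entry 19 (mgcp, UDP 2427) was deleted, entry 20 is still present.
SAMPLE = """\
config system session-helper
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 11
        set name pmap
        set port 112
        set protocol 6
    next
    edit 20
        set name mgcp
        set port 2727
        set protocol 17
    next
end
"""

def parse_helpers(text):
    """Return {entry_id: {"name": str, "port": int, "protocol": int}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = entries.setdefault(int(m.group(1)), {})
        elif line in ("next", "end"):
            current = None  # leave the entry; ignore stray `set` lines
        elif current is not None and (
                m := re.fullmatch(r"set (name|port|protocol) (\S+)", line)):
            key, val = m.groups()
            current[key] = val.strip('"') if key == "name" else int(val)
    return entries

def remaining(entries, name):
    """Entries (id, proto, port) that still make helper `name` listen."""
    return sorted((eid, PROTO.get(e.get("protocol"), "?"), e.get("port"))
                  for eid, e in entries.items() if e.get("name") == name)

if __name__ == "__main__":
    for helper in ("mgcp", "pmap", "rtsp"):
        print(helper, remaining(parse_helpers(SAMPLE), helper))
```

An empty list for a helper name means no entry for it remains in the list; any tuple returned gives the entry number to pass to delete.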