The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to.
Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for those protocols. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. But the packets that carry the actual conversation can use a variety of UDP protocols with a variety of source and destination port numbers. The information about the protocols and port numbers used for a SIP call is contained in the body of the SIP TCP control packets. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall.
FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall.
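To make the SIP case concrete, the following added Python example (not Fortinet code, and not a description of how FortiOS implements its helper) parses the SDP body of a constructed SIP control message and returns the media address and port pairs that would need to be admitted. The function names and the sample message are assumptions; streams with a disabled port, an out-of-range port, or an invalid address are dropped rather than guessed.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE whose SDP body names the media ports.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_SDP = (
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"    # uses the session-level c= address
    "m=video 0 RTP/AVP 31\r\n"       # port 0: stream disabled, no pinhole
    "m=audio 50000 RTP/AVP 8\r\n"
    "c=IN IP4 198.51.100.7\r\n"      # media-level c= overrides the session one
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n\r\n" + SAMPLE_SDP
)

def _sdp_address(value):
    """Validate a c= value such as 'IN IP4 192.0.2.10'; return the address or None."""
    parts = value.split()
    if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
        return None
    try:
        return str(ipaddress.ip_address(parts[2].split("/")[0]))
    except ValueError:
        return None

def media_pinholes(sip_message):
    """Return (media, address, port, proto) for each active stream in the SDP body."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in
               (line.partition(":") for line in head.split("\r\n")[1:])}
    if not sep or headers.get("content-type", "").lower() != "application/sdp":
        return []
    session_addr, streams = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c" and streams:      # c= after an m= line is media-level
            streams[-1][1] = _sdp_address(value)
        elif kind == "c":                # c= before any m= line is session-level
            session_addr = _sdp_address(value)
        elif kind == "m":                # m=<media> <port>[/<count>] <proto> <fmt>
            f = value.split()
            port = f[1].split("/")[0] if len(f) >= 3 else ""
            ok = re.fullmatch(r"[0-9]{1,5}", port) is not None
            streams.append([f[0] if f else "", session_addr,
                            int(port) if ok else 0, f[2] if ok else ""])
    return [tuple(s) for s in streams if s[1] and 0 < s[2] <= 65535]
```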
This section includes the following topics:
- Viewing the session helper configuration
- Changing the session helper configuration
- DCE-RPC session helper (dcerpc)
- DNS session helpers (dns-tcp and dns-udp)
- File transfer protocol (FTP) session helper (ftp)
- H.245 session helpers (h245I and h245O)
- H.323 and RAS session helpers (h323 and ras)
- Media Gateway Controller Protocol (MGCP) session helper (mgcp)
- ONC-RPC portmapper session helper (pmap)
- PPTP session helper for PPTP traffic (pptp)
- Remote shell session helper (rsh)
- Real-Time Streaming Protocol (RTSP) session helper (rtsp)
- Session Initiation Protocol (SIP) session helper (sip)
- Trivial File Transfer Protocol (TFTP) session helper (tftp)
- Oracle TNS listener session helper (tns)