Configuration example: SIP session helper in Transparent Mode

The figure below shows an example SIP network consisting of a FortiGate operating in Transparent mode between two SIP phones. Since the FortiGate is operating in Transparent mode, both phones are on the same network and the FortiGate and the SIP session helper do not perform NAT. Even though the SIP session helper is not performing NAT, you can use this configuration to apply SIP session helper security features to the SIP traffic.

The FortiGate requires two security policies that accept SIP packets: one to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A.

SIP network with FortiGate in Transparent mode

General configuration steps

The following general configuration steps are required for this SIP configuration that uses the SIP session helper. This example includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones, so you would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.

This example assumes that you have entered the following command to enable using the SIP session helper:

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end

  1. Add firewall addresses for Phone A and Phone B.
  2. Add a security policy that accepts SIP sessions initiated by Phone A.
  3. Add a security policy that accepts SIP sessions initiated by Phone B.

Configuration steps - GUI

To add firewall addresses for the SIP phones

  1. Go to Policy & Objects > Addresses.
  2. Select Create New > Address to add the following addresses for Phone A and Phone B:

     Category           Address
     Name               Phone_A
     Type               IP/Netmask
     Subnet / IP Range  10.31.101.20/255.255.255.255
     Interface          port1

     Category           Address
     Name               Phone_B
     Type               IP/Netmask
     Subnet / IP Range  10.31.101.30/255.255.255.255
     Interface          port2

To add security policies to accept SIP sessions

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New to add a security policy.
  3. Add a security policy to allow Phone A to send SIP request messages to Phone B:

     Incoming Interface   port1
     Outgoing Interface   port2
     Source               Phone_A
     Destination Address  Phone_B
     Schedule             always
     Service              SIP
     Action               ACCEPT

  4. Select OK.
  5. Add a security policy to allow Phone B to send SIP request messages to Phone A:

     Incoming Interface   port2
     Outgoing Interface   port1
     Source Address       Phone_B
     Destination Address  Phone_A
     Schedule             always
     Service              SIP
     Action               ACCEPT

  6. Select OK.

Configuration steps - CLI

To add firewall addresses for Phone A and Phone B and security policies to accept SIP sessions

  1. Enter the following command to add firewall addresses for Phone A and Phone B.

    config firewall address
        edit Phone_A
            set associated-interface port1
            set type ipmask
            set subnet 10.31.101.20 255.255.255.255
        next
        edit Phone_B
            set associated-interface port2
            set type ipmask
            set subnet 10.31.101.30 255.255.255.255
    end

  2. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.

    config firewall policy
        edit 0
            set srcintf port1
            set dstintf port2
            set srcaddr Phone_A
            set dstaddr Phone_B
            set action accept
            set schedule always
            set service SIP
        next
        edit 0
            set srcintf port2
            set dstintf port1
            set srcaddr Phone_B
            set dstaddr Phone_A
            set action accept
            set schedule always
            set service SIP
            set utm-status enable
    end
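
One way to check a saved configuration for the two policies this example depends on, as an added example (not Fortinet code): it parses the `config firewall policy` block, confirms that an accept policy exists in each direction between Phone_A and Phone_B, and flags either policy if its service has been widened to ALL or ANY. The function names and the trimmed sample text are assumptions made for this illustration.

```python
import re
# Constructed sample: this page's two policies, trimmed to the options checked.
SAMPLE = """config firewall policy
edit 0
set srcaddr "Phone_A"
set dstaddr "Phone_B"
set action accept
set service "SIP"
next
edit 0
set srcaddr "Phone_B"
set dstaddr "Phone_A"
set action accept
set service "SIP"
next
end
"""

def parse_policies(text):
    """Return one {option: [values]} dict per 'edit' in 'config firewall policy'."""
    policies, depth = [], 0
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if depth == 0:
            depth = int(words[:3] == ["config", "firewall", "policy"])
        elif words[:1] == ["config"]:
            depth += 1  # nested sub-table inside a policy entry
        elif words[:1] == ["end"]:
            depth -= 1
        elif depth == 1 and words[:1] == ["edit"]:
            policies.append({})
        elif depth == 1 and words[:1] == ["set"] and len(words) > 2 and policies:
            policies[-1][words[1]] = words[2:]
    return policies

def audit_sip_pair(policies, a, b):
    """List problems with the a<->b policy pair this example depends on."""
    findings = []
    for src, dst in ((a, b), (b, a)):
        hits = [p for p in policies if p.get("srcaddr") == [src]
                and p.get("dstaddr") == [dst] and p.get("action") == ["accept"]]
        if not hits:
            findings.append(f"no accept policy for {src} -> {dst}")
        for p in hits:
            if {"ALL", "ANY"} & set(p.get("service", [])):
                findings.append(f"{src} -> {dst} accepts every service")
    return findings

if __name__ == "__main__":
    print(audit_sip_pair(parse_policies(SAMPLE), "Phone_A", "Phone_B"))
```

The check only looks at policies whose source and destination are exactly the two named address objects, so broader policies that also match the phones need a separate review.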