system : session-helper
 
session-helper
FortiGate units use session helpers to process sessions that have special requirements. A session helper behaves like a proxy: it reads information from the session and performs the support functions the session needs. For example:
- The SIP session helper looks inside SIP messages, performs NAT (if required) on the IP addresses carried in the SIP message, and opens pinholes so that the media traffic associated with the SIP session can pass through the FortiGate unit.
- The FTP session helper keeps track of the multiple connections initiated from a single FTP session. It also permits an FTP server to actively open a data connection back to the client program (active-mode FTP).
- The TNS session helper inspects the server's reply to the initial SQL*Net exchange on port 1521 and uses the port and address carried in that TNS redirect packet to add a temporary firewall policy that accepts the new port and IP address supplied by the redirect.
Each session helper entry binds a session helper to a TCP or UDP port and protocol. When a firewall policy accepts a session on that port and protocol, the FortiGate unit hands the session to the session helper configured with this command, and the session helper processes it.
If your FortiGate unit accepts sessions that require a session helper on ports other than those defined in the session-helper configuration, you can add more entries to the session helper configuration. It is fine to have multiple session helper entries for a given protocol because only the entry matching the session's port and protocol is used.
Use the show system session-helper command to view the current session helper configuration.
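Because a helper binding opens pinholes and adds temporary policies on the firewall's behalf, it is worth auditing what is bound before adding an entry. The script below, an added example that is not Fortinet code, parses a constructed show system session-helper dump (the edit / set / next layout FortiOS prints), flags helpers that are not on an allow-list, detects two entries competing for the same port and protocol, and builds the CLI needed to bind a helper on an extra port. The allow-list and the sample dump are assumptions for illustration.

```python
"""Audit a 'show system session-helper' dump and build the CLI for a new binding.
Added example, not Fortinet code. SAMPLE_DUMP is constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

# IP protocol numbers used by 'set protocol' (IANA assigned numbers).
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Binding:
    index: int      # the <helper-number> of the entry
    name: str       # helper name, e.g. ftp, sip, tns
    protocol: int   # 6 = TCP, 17 = UDP
    port: int


_EDIT = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET = re.compile(r"^\s*set\s+(name|protocol|port)\s+(\S+)\s*$")


def parse_session_helpers(dump: str) -> list[Binding]:
    """Parse the 'edit N' ... 'next' blocks of a session-helper dump."""
    bindings: list[Binding] = []
    cur: dict | None = None
    for line in dump.splitlines():
        m = _EDIT.match(line)
        if m:
            cur = {"index": int(m.group(1))}
            continue
        m = _SET.match(line)
        if m and cur is not None:
            key, val = m.groups()
            cur[key] = val if key == "name" else int(val)
            continue
        if line.strip() == "next" and cur is not None:
            bindings.append(Binding(cur["index"], cur["name"], cur["protocol"], cur["port"]))
            cur = None
    return bindings


def unexpected_helpers(bindings: list[Binding], allowed: set[str]) -> list[Binding]:
    """Helpers bound on the unit that the allow-list does not cover."""
    return [b for b in bindings if b.name not in allowed]


def find_conflicts(bindings: list[Binding]) -> list[tuple[Binding, Binding]]:
    """Pairs of entries bound to the same protocol and port; only one can match a session."""
    seen: dict[tuple[int, int], Binding] = {}
    conflicts = []
    for b in bindings:
        key = (b.protocol, b.port)
        if key in seen:
            conflicts.append((seen[key], b))
        else:
            seen[key] = b
    return conflicts


def cli_to_bind(bindings: list[Binding], name: str, protocol: int, port: int) -> str:
    """CLI that adds the binding, or '' if it already exists.
    Uses the next unused <helper-number>; 'edit 0' would also create a new entry."""
    if any(b.name == name and b.protocol == protocol and b.port == port for b in bindings):
        return ""
    next_index = max((b.index for b in bindings), default=0) + 1
    return "\n".join([
        "config system session-helper",
        f"    edit {next_index}",
        f"        set name {name}",
        f"        set protocol {protocol}",
        f"        set port {port}",
        "    next",
        "end",
    ])


# Constructed sample dump in the layout FortiOS prints; not from a real unit.
SAMPLE_DUMP = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name ftp
        set protocol 6
        set port 21
    next
    edit 3
        set name sip
        set protocol 17
        set port 5060
    next
    edit 4
        set name tftp
        set protocol 17
        set port 69
    next
end
"""

if __name__ == "__main__":
    bound = parse_session_helpers(SAMPLE_DUMP)
    for b in unexpected_helpers(bound, {"ftp", "pptp", "tftp"}):   # assumed allow-list
        print(f"review: helper {b.name} bound on proto {b.protocol} port {b.port}")
    for a, b in find_conflicts(bound):
        print(f"conflict: entries {a.index} and {b.index} both bind proto {a.protocol} port {a.port}")
    print(cli_to_bind(bound, "ftp", TCP, 2121))   # FTP on a second, non-standard port
```

Run it against a real dump by replacing SAMPLE_DUMP with the output of show system session-helper; a helper reported by unexpected_helpers is a candidate for deletion if the protocol is not in use, since an unused helper still inspects traffic on that port and can open pinholes.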
FortiGate units include the session helpers listed in Table 25:
Table 25: FortiGate session helpers
Session helper name   Description
dcerpc                Distributed computing environment / remote procedure calls protocol (DCE/RPC).
dns-tcp               Domain name service (DNS) using the TCP protocol.
dns-udp               Domain name service (DNS) using the UDP protocol.
ftp                   File transfer protocol (FTP).
h245I                 H.245 I call-in protocol.
h245O                 H.245 O call-out protocol.
h323                  H.323 protocol.
mgcp                  Media gateway control protocol (MGCP).
mms                   Multimedia message service (MMS) protocol.
pmap                  Port mapper (PMAP) protocol.
pptp                  Point to point tunneling protocol (PPTP).
ras                   Remote access service (RAS) protocol.
rsh                   Remote shell protocol (RSH).
sip                   Session initiation protocol (SIP).
tftp                  Trivial file transfer protocol (TFTP).
tns                   Oracle transparent network substrate protocol (TNS or SQLNET).
Syntax
config system session-helper
    edit <helper-number>
        set name {dcerpc | dns-tcp | dns-udp | ftp | h245I | h245O | h323 | mgcp | mms | pmap | pptp | ras | rsh | sip | tftp | tns}
        set port <port_number>
        set protocol <protocol_number>
end
 
Variable                      Description                                                                          Default
<helper-number>               Enter the number of the session helper entry that you want to edit, or enter an      No default.
                              unused number or 0 to create a new entry.
name {dcerpc | dns-tcp |      The name of the session helper to bind (see Table 25).                               No default.
dns-udp | ftp | h245I |
h245O | h323 | mgcp | mms |
pmap | pptp | ras | rsh |
sip | tftp | tns}
port <port_number>            The TCP or UDP port number on which sessions are handed to this session helper.      No default.
protocol <protocol_number>    The IP protocol number for this service, as defined in RFC 1700 (6 for TCP,          No default.
                              17 for UDP).