voip : profile : config sip

config sip
Configure VoIP profile settings for SIP and SIMPLE.
Each entry below lists, in order: the variable (with its allowed values), its description, and its default value.
status {enable | disable}
Enable or disable SIP for this VoIP profile.
enable
rtp {enable | disable}
Enable or disable opening pinholes for RTP traffic to traverse the FortiGate unit.
enable
open-register-pinhole {enable | disable}
Enable or disable opening a pinhole for the port number specified in SIP REGISTER message Contact header line.
enable
open-contact-pinhole {enable | disable}
Enable or disable opening a pinhole for the port number specified in a Contact header line in any SIP message except a SIP REGISTER message.
enable
open-record-route-pinhole {enable | disable}
Enable or disable opening a firewall pinhole for the port number specified in the Record-Route header line.
enable
open-via-pinhole {enable | disable}
Enable or disable opening a firewall pinhole for the port number specified in the Via header line.
disable
strict-register {enable | disable}
Controls how pinholes are opened to allow traffic from a SIP server to pass through the FortiGate unit. If enabled, the SIP ALG opens a pinhole that only accepts sessions from a single IP address (the address of the SIP server).
This option should be disabled if the SIP proxy server and SIP registrar are different entities with different IP addresses.
disable
register-rate <rate_sec_policy_int>
Set a rate limit (per second, per policy) for SIP REGISTER requests. Set to 0 to disable rate limiting.
0
invite-rate <rate_sec_policy_int>
Set a rate limit (per second, per policy) for SIP INVITE requests. Set to 0 to disable rate limiting.
0
max-dialogs <max_int>
Maximum number of concurrent calls (or dialogs) per policy. Set to 0 for no limit.
0
max-line-length <length_int>
Maximum SIP header line length. The range is 78-4096 characters. If a SIP message contains a line that exceeds the maximum line length, a log message is recorded. If block-long-lines is enabled, the message is blocked and the FortiGate unit returns a SIP 413 Request Entity Too Large response message.
998
block-long-lines {enable | disable}
Enable or disable blocking SIP request messages with a header or body line that exceeds the max-line-length.
enable
block-unknown {enable | disable}
Block unrecognized SIP request messages.
enable
call-keepalive <keepalive_time>
Continue tracking calls that have no RTP sessions for this many minutes, and terminate the call when the limit is exceeded. The range is 1 to 10,080 seconds. Set to 0 to disable. Use call keepalive with caution: it adds FortiGate CPU overhead and can cause delay or jitter for the VoIP call. The FortiGate unit also terminates the call without sending SIP messages to end it, and any SIP messages the endpoints send to terminate the call after the FortiGate unit has already terminated it are blocked.
0
block-ack {enable | disable}
Enable or disable blocking SIP ACK request messages.
disable
block-bye {enable | disable}
Enable or disable blocking SIP BYE request messages.
disable
block-cancel {enable | disable}
Enable or disable blocking SIP CANCEL request messages.
disable
block-info {enable | disable}
Enable or disable blocking SIP INFO request messages.
disable
block-invite {enable | disable}
Enable or disable blocking SIP INVITE request messages.
disable
block-message {enable | disable}
Enable or disable blocking SIP MESSAGE request messages.
disable
block-notify {enable | disable}
Enable or disable blocking SIP NOTIFY request messages.
disable
block-options {enable | disable}
Enable or disable blocking SIP OPTIONS request messages.
disable
block-prack {enable | disable}
Enable or disable blocking SIP PRACK request messages.
disable
block-publish {enable | disable}
Enable or disable blocking SIP PUBLISH request messages.
disable
block-refer {enable | disable}
Enable or disable blocking SIP REFER request messages.
disable
block-register {enable | disable}
Enable or disable blocking SIP REGISTER request messages.
disable
block-subscribe {enable | disable}
Enable or disable blocking SIP SUBSCRIBE request messages.
disable
block-update {enable | disable}
Enable or disable blocking SIP UPDATE request messages.
disable
reg-diff-port {enable | disable}
Enable or disable opening a pinhole for the port number included in the Via SIP message header line.
disable
rfc2543-branch {enable | disable}
Enable to support RFC 2543-compliant SIP calls whose branch parameters are missing, or are valid under RFC 2543 but invalid under RFC 3261. RFC 3261 is the most recent SIP RFC and obsoletes RFC 2543. This option also allows FortiGate units to support SIP calls that include Via headers that are missing the branch parameter.
disable
log-violations {enable | disable}
Enable or disable writing a logging message when a SIP option in a VoIP profile detects a violation in a SIP message.
disable
log-call-summary {enable | disable}
Enable or disable summary content archiving of SIP calls.
enable
nat-trace {enable | disable}
Enable or disable preserving the original source IP address of the SIP message in the i= line of the SDP profile. This option enables NAT with IP address conservation (also called SIP NAT tracing), which changes the contents of SIP messages by adding the source IP address of the originator of the message into the SDP i= line of the SIP message. The SDP i= line is used for free-form text. However, if your SIP server can retrieve information from the SDP i= line, it can be useful for keeping a record of the source IP address of the originator of a SIP message when operating in a NAT environment. You can use this feature for billing purposes by extracting the IP address of the originator of the message.
enable
subscribe-rate <rate_sec_policy_int>
Limit the number of SIP SUBSCRIBE messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
message-rate <rate_sec_policy_int>
Limit the number of SIP MESSAGE messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
notify-rate <rate_sec_policy_int>
Limit the number of SIP NOTIFY messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
refer-rate <rate_sec_policy_int>
Limit the number of SIP REFER messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
update-rate <rate_sec_policy_int>
Limit the number of SIP UPDATE messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
options-rate <rate_sec_policy_int>
Limit the number of SIP OPTIONS messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
ack-rate <rate_sec_policy_int>
Limit the number of SIP ACK messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
prack-rate <rate_sec_policy_int>
Limit the number of SIP PRACK messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
info-rate <rate_sec_policy_int>
Limit the number of SIP INFO messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
publish-rate <rate_sec_policy_int>
Limit the number of SIP PUBLISH messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
bye-rate <rate_sec_policy_int>
Limit the number of SIP BYE messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
cancel-rate <rate_sec_policy_int>
Limit the number of SIP CANCEL messages per second per policy that the FortiGate unit accepts. Set to 0 to disable rate limiting.
0
preserve-override {enable | disable}
Enable to append the original o= line of a SIP message to the end of the i= line; disable to replace the i= line in the original message with a new i= line. This command is used for SIP IP address conservation.
disable
no-sdp-fixup {enable | disable}
Enable to skip NAT on the addresses in the SDP lines of the SIP message body. This option is disabled by default, so the FortiGate unit performs NAT on addresses in SDP lines. Enable it if you do not want the FortiGate unit to perform NAT on the addresses in SDP lines.
disable
contact-fixup {enable | disable}
Enable or disable performing NAT on the IP addresses and port numbers in the headers in SIP CONTACT messages even if they don’t match the session’s IP address and port numbers.
enable
max-idle-dialogs <dialogs_perpolicy_int>
Specify the maximum number of established but idle dialogs to retain (per policy). Set to 0 to disable.
Idle dialogs are usually dialogs that were interrupted by errors or problems, or that were left open by a SIP attack that opens a large number of SIP dialogs without closing them. This command removes such dialogs from the dialog table and recovers the memory and resources they hold.
0
block-geo-red-options {enable | disable}
Block OPTIONS requests, but OPTIONS requests still notify for redundancy.
disable
hosted-nat-traversal {enable | disable}
Enable or disable support for hosted NAT Traversal (HNT). HNT has different requirements for address translation.
disable
hnt-restrict-source-ip {enable | disable}
Restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
disable
max-body-length <size_bytes_int>
Specify the maximum size of a SIP message body in bytes that will be processed by the SIP ALG. Larger messages are discarded. Set to 0 for no limit. This option checks the value in the SIP Content-Length header line to determine body length. The Content-Length can be larger than the actual size of a SIP message if the SIP message content is split over more than one packet. SIP messages are of variable size and the message size can change with the addition of Via and Record-Route headers.
0
unknown-header {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with an unknown header line. Even if set to pass, the SIP ALG writes a log message when it finds an unknown header and log-violations is enabled.
pass
malformed-request-line {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed request-line (the first line in a SIP request message). Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-via {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Via header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-from {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed From header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-to {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed To header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-call-id {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Call-ID header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-cseq {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed CSeq header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-rack {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed RAck header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-rseq {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed RSeq header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-contact {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Contact header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-record-route {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Record-Route header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-route {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Route header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-expires {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Expires header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-content-type {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Content-Type header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-content-length {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Content-Length header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-max-forwards {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Max-Forwards header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-allow {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed Allow header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-p-asserted-identity {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed P-Asserted-Identity header line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-v {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed v= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-o {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed o= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-s {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed s= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-i {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed i= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-c {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed c= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-b {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed b= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-z {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed z= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-k {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed k= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-a {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed a= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-t {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed t= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-r {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed r= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
malformed-header-sdp-m {discard | pass | respond}
Configure deep SIP message inspection to discard, pass without changing, or discard and send a SIP response message for a SIP message with a malformed m= body line. Even if set to pass, the SIP ALG writes a log message when it finds the malformed line and log-violations is enabled.
pass
ips-rtp {enable | disable}
Enable to have RTP traffic inherit the IPS setting from the SIP firewall policy. Disable if IPS slows down RTP traffic, which might occur if there is a high volume of RTP traffic. Also if the traffic is using NP accelerated interfaces, enabling IPS means that the RTP traffic cannot be accelerated by NP interface acceleration.
enable
provisional-invite-expiry-time <time_int>
The expiry time in seconds to wait for provisional INVITE requests. The range is 10-3600 seconds.
210
ssl-mode {off | full}
Select SSL mode:
full — client-to-FortiGate and FortiGate-to-client
off — no SSL
off
ssl-algorithm {high | medium | low}
Select SSL algorithm strength:
high — AES or 3DES
medium — AES, 3DES, RC4, or DES
low — AES, 3DES, or RC4
high
ssl-auth-client <peer_group>
Require a client certificate and authenticate it with the peer or peergrp.
null
ssl-auth-server <peer_group>
Authenticate the server certificate with the peer or peergrp.
null
ssl-client-certificate <cert_name>
Select the certificate to use for client authentication.
null
ssl-client-renegotiation {allow | deny | secure}
Select the client renegotiation policy:
allow — allow SSL client to renegotiate
deny — reject any attempt to renegotiate
secure — reject any renegotiation attempt that does not offer an RFC 5746 Secure Renegotiation Indication
allow
ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}
Select the minimum SSL/TLS version to accept.
ssl-3.0
ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}
Select the maximum SSL/TLS version to accept.
tls-1.1
ssl-pfs {require | allow | deny}
Set policy for Perfect Forward Secrecy (PFS).
allow
ssl-send-empty-frags {enable | disable}
Enable sending empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).
enable
ssl-server-certificate <cert_name>
Select the certificate to use for server authentication.
null
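A hardened SIP profile that combines the options above (rate limits, dialog caps, line and body length checks, deep-inspection discard actions and TLS settings), written here as an added example and not taken from the Fortinet documentation. The profile name, the certificate name and the numeric limits are assumptions to be sized for the deployment.

```text
# Added example: a SIP profile that leaves the ALG defaults in place except
# where the reference above offers a stricter setting. Limits are assumed
# starting points; tune them against the call volume of the site.
config voip profile
    edit "sip-hardened"
        config sip
            set status enable
            set rtp enable
            # strict-register must stay disabled when the proxy and registrar
            # are different hosts (see strict-register above).
            set strict-register enable
            # Per-second, per-policy request limits (default 0 = unlimited).
            set register-rate 10
            set invite-rate 10
            set subscribe-rate 10
            set options-rate 10
            # Cap live and idle dialogs so a flood of half-open calls cannot
            # exhaust the dialog table (max-idle-dialogs recovers leaked ones).
            set max-dialogs 200
            set max-idle-dialogs 50
            # Oversized header lines are blocked with a SIP 413 response;
            # the body is bounded by the declared Content-Length.
            set max-line-length 998
            set block-long-lines enable
            set max-body-length 8192
            set block-unknown enable
            # Record every violation, whatever the per-check action is.
            set log-violations enable
            set log-call-summary enable
            # Deep inspection: drop messages whose routing-critical headers
            # or SDP media lines are malformed instead of passing them.
            set malformed-request-line discard
            set malformed-header-via discard
            set malformed-header-from discard
            set malformed-header-to discard
            set malformed-header-call-id discard
            set malformed-header-cseq discard
            set malformed-header-contact discard
            set malformed-header-content-length discard
            set malformed-header-sdp-c discard
            set malformed-header-sdp-m discard
            # Do not accept legacy RFC 2543 branch handling.
            set rfc2543-branch disable
            # TLS for signalling: the certificate name is a placeholder for a
            # certificate already imported on the unit.
            set ssl-mode full
            set ssl-server-certificate "EXAMPLE-SERVER-CERT"
            set ssl-min-version tls-1.1
            set ssl-max-version tls-1.1
            set ssl-algorithm high
            set ssl-pfs require
            set ssl-client-renegotiation secure
        end
    next
end
```

Apply the profile to the firewall policy that carries the SIP traffic; the rate and dialog limits count per policy, so a policy shared by several trunks needs proportionally larger values.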