Chapter 22 VoIP Solutions: SIP
VoIP profiles
You can customize the default VoIP profile or add new VoIP profiles.
To add a new VoIP profile from the web‑based manager, go to Security Profiles > VoIP and select Create New (the + button).
For SIP, from the web‑based manager you can configure the VoIP profile to limit the number of SIP REGISTER and INVITE requests. Many additional options for configuring how the ALG processes SIP sessions are available from the CLI.
For SCCP you can limit the call setup time. Additional SCCP options are available from the CLI.
Use the following command to add a VoIP profile named VoIP_Pro_1 from the CLI:
config voip profile
edit VoIP_Pro_1
end
FortiGate units include two pre-defined VoIP profiles. On the web‑based manager these profiles look identical. However, the CLI-only settings result in the following functionality.
default
The most commonly used VoIP profile. This profile enables both SIP and SCCP and places the minimum restrictions on what calls will be allowed to negotiate. This profile allows normal SCCP, SIP and RTP sessions and enables the following security settings:
block-long-lines to block SIP messages with lines that exceed maximum line lengths.
block-unknown to block unrecognized SIP request messages.
open-record-route-pinhole to open pinholes for Record-Route messages.
log-violations to write log messages that record SIP violations.
log-call-summary to write log messages that record SIP call progress (similar to DLP archiving).
contact-fixup to perform NAT on the IP addresses and port numbers in SIP headers in SIP CONTACT messages even if they don’t match the session’s IP address and port numbers.
ips-rtp to enable IPS in security policies that also accept SIP sessions to protect the SIP traffic from SIP-based attacks.
strict
This profile is available for users who want to validate SIP messages and to only allow SIP sessions that are compliant with RFC 3261. In addition to the settings in the default VoIP profile, the strict profile sets all SIP deep message inspection header checking options to discard. So the strict profile blocks and drops SIP messages that contain malformed SIP or SDP lines that can be detected by the ALG. For more information about SIP deep header inspection, see “Deep SIP message inspection”.
Neither of the pre-defined profiles applies SIP rate limiting. To apply more ALG features to SIP sessions you can clone (copy) the pre-defined VoIP profiles and make your own modifications to them. For example, use the following commands to clone the default profile, limit SIP NOTIFY request messages to 1000 messages per second per security policy, and block SIP INFO request messages:
config voip profile
clone default to my_voip_pro
edit my_voip_pro
config sip
set notify-rate 1000
set block-info enable
end
end
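Because neither pre-defined profile rate-limits SIP, a practitioner reviewing a FortiGate configuration wants to know which VoIP profiles actually set a SIP rate limit or block INFO requests. The following added audit script (not Fortinet code) parses the config/edit/set/next/end block structure shown above from a constructed config export; the profile names and the sample settings are assumed, and only keys the page shows (notify-rate, block-info) are relied on.

```python
import shlex

# Constructed sample of a FortiGate config export (not taken from a real device).
SAMPLE_CONFIG = """\
config voip profile
    edit "default"
        config sip
            set block-unknown enable
        end
    next
    edit "my_voip_pro"
        config sip
            set notify-rate 1000
            set block-info enable
        end
    next
end
"""

def parse_voip_profiles(text):
    """Return {profile: {sip_setting: value}} for every 'config voip profile' entry."""
    profiles, stack, current = {}, [], None   # stack = open config/edit scopes
    for raw in text.splitlines():
        tokens = shlex.split(raw)               # strips quotes around names
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))  # e.g. "voip profile" or "sip"
        elif kw == "edit":
            stack.append(tokens[1])
            if stack[:-1] == ["voip profile"]:  # entering a VoIP profile entry
                current = profiles.setdefault(tokens[1], {})
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
            if stack == ["voip profile"]:       # left the edit block
                current = None
        elif kw == "set" and current is not None and stack[-1] == "sip":
            current[tokens[1]] = " ".join(tokens[2:])
    return profiles

def audit(profiles):
    """Map each profile to (SIP *-rate limits it sets, block-info enabled?)."""
    report = {}
    for name, sip in profiles.items():
        rates = {k: v for k, v in sip.items() if k.endswith("-rate")}
        report[name] = (rates, sip.get("block-info") == "enable")
    return report
```

Run `audit(parse_voip_profiles(text))` on a real `show voip profile` export to list profiles with no rate limit at all.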