default | The most commonly used VoIP profile. This profile enables both SIP and SCCP and places the minimum restrictions on what calls will be allowed to negotiate. This profile allows normal SCCP, SIP and RTP sessions and enables the following security settings: • block-long-lines to block SIP messages with lines that exceed maximum line lengths. • block-unknown to block unrecognized SIP request messages. • open-record-route-pinhole to open pinholes for Record-Route messages. • log-violations to write log messages that record SIP violations. • log-call-summary to write log messages that record SIP call progress (similar to DLP archiving). • contact-fixup to perform NAT on the IP addresses and port numbers in SIP headers in SIP CONTACT messages even if they don’t match the session’s IP address and port numbers. • ips-rtp to enable IPS in security policies that also accept SIP sessions to protect the SIP traffic from SIP-based attacks. |
strict | This profile is available for users who want to validate SIP messages and to only allow SIP sessions that are compliant with RFC 3261. In addition to the settings in the default VoIP profile, the strict profile sets all SIP deep message inspection header checking options to discard. So the strict profile blocks and drops SIP messages that contain malformed SIP or SDP lines that can be detected by the ALG. For more information about SIP deep header inspection, see “Deep SIP message inspection”. |
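
The following added example (not Fortinet code and not the ALG's implementation) models the difference between the two profiles on a few checks: both drop over-long lines and unknown requests, while only strict drops malformed SIP lines. The 998-character limit, the RFC 3261 method list, the check names, the function names and the sample message are assumptions made for illustration.

```python
import re

# Illustrative values, not FortiOS internals: the ALG's real limit and
# method list may differ.
MAX_LINE_LEN = 998
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 \d{3} ")

def violations(raw: bytes) -> set:
    """Return the names of the checks a raw SIP message trips."""
    found = set()
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace").split("\r\n")
    if any(len(line) > MAX_LINE_LEN for line in lines):
        found.add("long-line")
    if not STATUS_LINE.match(lines[0]):          # requests only
        m = REQUEST_LINE.match(lines[0])
        if m is None:
            found.add("malformed-request-line")
        elif m.group(1) not in KNOWN_METHODS:
            found.add("unknown-request")
    for line in lines[1:]:
        if not line or line[0] in " \t":         # skip folded continuation lines
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            found.add("malformed-header")
        elif name.strip().lower() in ("content-length", "l") and not value.strip().isdigit():
            found.add("malformed-header")
    return found

# Per the table: both profiles block long lines and unknown requests;
# strict also discards malformed SIP lines (modeled here as two checks).
DROPS = {
    "default": {"long-line", "unknown-request"},
    "strict": {"long-line", "unknown-request",
               "malformed-request-line", "malformed-header"},
}

def verdict(raw: bytes, profile: str) -> str:
    """Return 'drop' if the profile blocks any finding, else 'pass'."""
    return "drop" if violations(raw) & DROPS[profile] else "pass"

# Constructed sample request (documentation addresses and domains).
GOOD = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        b"From: <sip:alice@example.com>;tag=1\r\nTo: <sip:bob@example.com>\r\n"
        b"Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
```

A request whose Content-Length value is not numeric passes under the modeled default profile and is dropped under strict, which is the practical difference to weigh before moving production SIP traffic to the strict profile.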