VoIP solutions: SIP

This FortiOS Handbook chapter contains detailed information about how a FortiGate processes SIP VoIP calls and how to configure the FortiGate to apply security features to SIP calls. This document describes all FortiGate SIP configuration options and contains detailed configuration examples.

Note: This document uses numeric IP addresses for all SIP end points. SIP addresses can also use domain names instead of IP addresses. For example, the following two SIP addresses could refer to the same SIP end point:

inviter@10.31.101.20
inviter@example.com

Before you begin

Before you configure VoIP security profiles, including SIP profiles, from the GUI, go to System > Feature Visibility and turn on VoIP (under Additional Features).

Also, VoIP settings are only available if the FortiGate or the current VDOM inspection mode is set to Proxy. To view the inspection mode, go to System > Settings and confirm that Inspection Mode is set to Proxy. You can also use the following CLI command to change the inspection mode to proxy:

config system settings
    set inspection-mode proxy
end

The System Information dashboard widget also shows the current inspection mode.

How this guide is organized

This FortiOS Handbook chapter contains the following sections:

Inside FortiOS: VoIP Protection introduces FortiOS VoIP Protection

FortiGate VoIP solutions–SIP introduces FortiGate SIP support.

Common SIP VoIP configurations describes some common SIP configurations.

SIP messages and media protocols describes SIP messages and some common SIP media protocols.

The SIP session helper describes how the SIP session helper works and how to configure SIP support using the SIP session helper.

The SIP ALG describes how the SIP Application Layer Gateway (ALG) works and how to configure SIP support using the SIP ALG.

Conflicts between the SIP ALG and the session helper describes how to sort out conflicts between the SIP session helper and the ALG.

Stateful SIP tracking, call termination, and session inactivity timeout describes how the SIP ALG performs SIP stateful tracking, call termination, and session inactivity timeouts.

SIP and RTP/RTCP describes how SIP relates to RTP and RTCP.

How the SIP ALG creates RTP pinholes describes how the SIP ALG creates pinholes.

Configuration example: SIP in Transparent Mode describes how to configure a FortiGate in Transparent mode to support SIP.

RTP enable/disable (RTP bypass) describes RTP bypass.

Opening and closing SIP register, contact, via and record-route pinholes describes how FortiOS opens and closes these pinholes.

Accepting SIP register responses describes how to enable accepting SIP register responses.

How the SIP ALG performs NAT describes how the SIP ALG performs NAT.

Enhancing SIP pinhole security describes how to open smaller pinholes.

Hosted NAT traversal describes SIP hosted NAT traversal and how to configure it.

SIP over IPv6 describes how to configure SIP over IPv6.

Deep SIP message inspection describes how deep SIP message inspection works.

Blocking SIP request messages describes how to block SIP request messages to prevent some common SIP attacks.

SIP rate limiting includes more options for preventing SIP attacks.

SIP logging describes how to enable SIP logging.

Inspecting SIP over SSL/TLS (secure SIP) describes how to inspect encrypted SIP traffic.

SIP and HA–session failover and geographic redundancy describes how to use FGCP HA to support SIP geographic redundancy.

SIP and IPS describes how to turn on IPS for SIP sessions.

SIP debugging describes some tools for debugging your SIP configuration.

FortiOS 5.6 VoIP new features

FortiOS 5.6 includes the following new VoIP and SIP features:

SIP strict-register enabled by default in VoIP Profiles (380830)

If strict-register is disabled, when the FortiGate receives a REGISTER from an internal SIP end point, the source address (usually the IP address of the PBX) and source port (usually port 5060) are translated by NAT to the external address of the FortiGate and port 65476. Pinholes are then opened for SIP and RTP. The translated address tells the SIP provider to send incoming SIP traffic to the external address of the FortiGate on port 65476.

This creates a security hole: the pinhole is open regardless of the source IP address, so an attacker who scans the ports of the external IP address of the FortiGate by sending REGISTER messages to each port will eventually hit the open port and have a REGISTER go through.

When strict-register is enabled (the new default) the pinhole is smaller because it only accepts packets from the SIP server.

Enabling strict-register can cause problems when the SIP registrar and SIP proxy server are separate entities with separate IP addresses, because packets arriving from the proxy do not come from the server the REGISTER was sent to and so do not match the pinhole.
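The following Python model is an added example, not Fortinet code and not the FortiGate's implementation; it is a simplified model of the pinhole behaviour described above. It opens a pinhole for the NATed REGISTER with strict-register disabled and then enabled, and feeds each pinhole the same inbound packets: the registrar's reply, an INVITE from a proxy on a different address, and an attacker's REGISTER scan. The strict pinhole is modelled as admitting only packets whose source is the host the REGISTER was sent to (an assumption about what "the SIP server" means). The PBX address 10.31.101.20 and port 65476 come from this page; the FortiGate external, registrar, proxy and attacker addresses are constructed for the example.

```python
"""Model of the SIP REGISTER pinhole with strict-register disabled and enabled.

Added example, not FortiGate code. Shows why the non-strict pinhole admits a
REGISTER scan from any source, why the strict pinhole does not, and why a
provider whose proxy and registrar use different addresses breaks under
strict-register.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    method: str  # SIP request method or response, e.g. "REGISTER", "200 OK"


@dataclass(frozen=True)
class Pinhole:
    """Inbound allow rule opened after the FortiGate NATs an outbound REGISTER."""
    ext_ip: str         # FortiGate external address (NAT source address)
    ext_port: int       # translated source port, 65476 in the text
    registrar_ip: str   # host the REGISTER was sent to; trusted peer in strict mode
    strict: bool        # strict-register enable (True) / disable (False)

    def admits(self, pkt: Packet) -> bool:
        # Either pinhole only matches traffic to the translated external socket.
        if (pkt.dst_ip, pkt.dst_port) != (self.ext_ip, self.ext_port):
            return False
        # strict-register additionally pins the source to the SIP server.
        # Assumption of this model: the server is the REGISTER's destination.
        if self.strict and pkt.src_ip != self.registrar_ip:
            return False
        return True


def open_register_pinhole(register: Packet, ext_ip: str, ext_port: int,
                          strict: bool) -> Pinhole:
    """NAT the outbound REGISTER's source to ext_ip:ext_port and open the hole."""
    if register.method != "REGISTER":
        raise ValueError("pinhole is opened only by an outbound REGISTER")
    return Pinhole(ext_ip, ext_port, register.dst_ip, strict)


# Constructed sample topology (only the PBX address and NAT port are from the page).
PBX = "10.31.101.20"        # internal PBX
FGT_EXT = "172.20.120.5"    # FortiGate external interface (constructed)
REGISTRAR = "203.0.113.10"  # SIP provider registrar (constructed)
PROXY = "203.0.113.20"      # SIP provider proxy on a separate host (constructed)
ATTACKER = "198.51.100.77"  # Internet scanner (constructed)
SIP_PORT = 5060
NAT_PORT = 65476


def simulate(strict: bool) -> dict:
    """Return, per inbound packet, whether the pinhole admits it for this setting."""
    outbound = Packet(PBX, SIP_PORT, REGISTRAR, SIP_PORT, "REGISTER")
    hole = open_register_pinhole(outbound, FGT_EXT, NAT_PORT, strict)
    inbound = {
        # provider's reply to our REGISTER: must be admitted in both modes
        "registrar 200 OK": Packet(REGISTRAR, SIP_PORT, FGT_EXT, NAT_PORT, "200 OK"),
        # incoming call relayed by a proxy whose address differs from the registrar
        "proxy INVITE": Packet(PROXY, SIP_PORT, FGT_EXT, NAT_PORT, "INVITE"),
        # attacker's REGISTER scan that lands on the translated port
        "attacker REGISTER": Packet(ATTACKER, 40000, FGT_EXT, NAT_PORT, "REGISTER"),
        # attacker probing a port for which no pinhole exists
        "attacker REGISTER other port": Packet(ATTACKER, 40000, FGT_EXT, 5062, "REGISTER"),
    }
    return {name: hole.admits(pkt) for name, pkt in inbound.items()}


if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict-register {'enable' if strict else 'disable'}:")
        for name, ok in simulate(strict).items():
            print(f"  {name:30s} {'ADMIT' if ok else 'DROP'}")
```

With strict-register disabled the attacker's REGISTER to port 65476 is admitted exactly like the registrar's reply; with it enabled only the registrar's packet passes, and the proxy's INVITE is dropped, which is the deployment problem the last paragraph warns about.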

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs the VDOM data held by the voipd daemon:

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom
VDOM list by id:
vdom 0 root (Kernel: root)
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 6 vdomc2 (Kernel: vdomc2)
vdom 7 vdoma (Kernel: vdoma)
vdom 8 vdomb (Kernel: vdomb)
vdom 9 vdomc (Kernel: vdomc)
VDOM list by name:
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 0 root (Kernel: root)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 7 vdoma (Kernel: vdoma)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 8 vdomb (Kernel: vdomb)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 9 vdomc (Kernel: vdomc)
vdom 6 vdomc2 (Kernel: vdomc2)