Configuring SIP; Enabling SIP Support and Setting Rate Limiting from the Web-Based Manager - Fortinet FortiGate Series Administration Manual

Configuring SIP

You need to configure the FortiOS SIP support in the following order:
1 Create a firewall protection profile that enables SIP (see "Enabling SIP support and
  setting rate limiting from the web-based manager" on page 510).
  Once the profile is included in a policy, the ALG will parse the SIP traffic and open the
  RTP ports for each specific VoIP call.
  When creating a protection profile, you configure SIP features using the web-based
  manager and CLI. You then apply the profile to a firewall policy. You can apply a profile
  to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile.
  Specifically, select the SIP or ANY pre-defined service for the policy.
  When the FortiGate unit receives a SIP packet, it checks the packet against the firewall
  policies. If the packet matches a policy, the FortiGate firewall inspects and processes
  the packet according to the SIP profile applied to the policy.
  For more information about firewall policies, see "Firewall Policy" on page 387.
3 Configure advanced SIP features as required (see "Configuring SIP" on page 510).

Enabling SIP support and setting rate limiting from the web-based manager

You can enable SIP support, set two rate limits, enable SIP logging, and view SIP
statistics using the web-based manager. You can do this plus configure many other SIP
support features from the CLI.
To enable SIP support you need to:
• enable SIP in an application control list
• select this application control list in a protection profile
• add this protection profile to a firewall policy that accepts SIP traffic.
From the web-based manager, you can also configure some SIP rate limiting settings.
Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a
SIP server within a company. Most SIP servers do not have integrated controls and it is
very easy to flood SIP servers with INVITE or REGISTER requests.
Enabling SIP in an application control list actually enables the SIP application level
gateway (SIP ALG) for sessions accepted by a firewall policy that includes the SIP
application.
Tip: The SIP and SCCP application control list entries are used only for enabling the SIP or
SCCP application level gateways (ALGs). They are not like any other application control list
entry. For example, you cannot use the SIP and SCCP application control list entries to
block SIP or SCCP traffic. From the CLI, SIP is application number 12 and SCCP is
application number 13.
Tip: The SIP.TCP and SIP.UDP application control list entries are normal application
control list entries and are not involved with the SIP ALG. You can use the SIP.TCP or
SIP.UDP application control list entries to block SIP sessions.
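
The INVITE and REGISTER rate limiting described above, modeled in Python as an added example; it is not Fortinet code and does not show how FortiOS implements the feature. It assumes each limit is a number of requests per second and that requests over the limit are dropped; the limit values and SIP messages are constructed.

```python
# Added illustration: a model of per-method SIP request rate limiting.
# Assumptions (not from the manual): per-second limits, excess requests dropped.
from collections import defaultdict


def sip_method(message):
    """Return the request method from a SIP start-line, or None for responses."""
    parts = message.split("\r\n", 1)[0].strip().split(" ")
    # A request line is: Method SP Request-URI SP SIP-Version (RFC 3261, 7.1)
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    return parts[0]


class SipRateLimiter:
    """Fixed one-second windows with one counter per limited method."""
    def __init__(self, limits):
        self.limits = limits              # e.g. {"INVITE": 2, "REGISTER": 1}
        self.counts = defaultdict(int)    # (method, second) -> requests seen

    def allow(self, timestamp, message):
        method = sip_method(message)
        if method not in self.limits:
            return True                   # responses, ACK, BYE etc. are not limited
        key = (method, int(timestamp))
        self.counts[key] += 1
        return self.counts[key] <= self.limits[method]


def replay(limiter, traffic):
    """Return (timestamp, method, verdict) for each message in the traffic list."""
    return [(ts, sip_method(msg), "pass" if limiter.allow(ts, msg) else "drop")
            for ts, msg in traffic]


# Constructed sample: a burst of INVITE and REGISTER requests within one second.
SAMPLE = [
    (10.0, "INVITE sip:100@pbx.example.com SIP/2.0\r\nCall-ID: a1\r\n\r\n"),
    (10.2, "INVITE sip:100@pbx.example.com SIP/2.0\r\nCall-ID: a2\r\n\r\n"),
    (10.4, "INVITE sip:100@pbx.example.com SIP/2.0\r\nCall-ID: a3\r\n\r\n"),
    (10.5, "SIP/2.0 200 OK\r\nCall-ID: a1\r\n\r\n"),
    (10.6, "REGISTER sip:pbx.example.com SIP/2.0\r\nCall-ID: r1\r\n\r\n"),
    (10.7, "REGISTER sip:pbx.example.com SIP/2.0\r\nCall-ID: r2\r\n\r\n"),
    (11.1, "INVITE sip:100@pbx.example.com SIP/2.0\r\nCall-ID: a4\r\n\r\n"),
]

if __name__ == "__main__":
    for row in replay(SipRateLimiter({"INVITE": 2, "REGISTER": 1}), SAMPLE):
        print(row)
```
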

To enable SIP and set rate limiting from the web-based manager
1 Go to UTM > Application Control.

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
SIP support