Fortinet FortiGate Series Administration Manual page 513

SIP support
Turning on SIP tracking
Managing RTP pinholing
Blocking SIP requests
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
The FortiGate SIP Application Level Gateway (SIP ALG) tracks the SIP session over its
life span. A SIP session (or SIP dialog) is normally established after the SIP INVITE
procedure. The ALG then tracks this call as a SIP session. A session can end through the
regular BYE procedure, such as when callers hang up the phone, or because of an
unexpected signalling or transport error.
You can continue tracking a SIP session for a specified period of time even when RTP
(Real-time Transport Protocol) is lost.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set call-keepalive <integer>
        end
end
Once you create a firewall policy that allows SIP, the FortiGate ALG automatically
opens the respective RTP ports for as long as the SIP session is alive.
You can also manually close RTP ports. This may be useful where the FortiGate unit
acts only as a signalling firewall while RTP is bypassed, so no pinholes need to be
created.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set rtp disable
        end
end
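The two settings above can be checked offline in a saved configuration. The following Python script is an added example, not part of the Fortinet manual: it reads configuration text laid out like the snippets above and reports, for each SIP entry in an application list, whether RTP pinholes are still opened and what `call-keepalive` is set to. The sample configuration, its list names, its values and the `next` lines are constructed assumptions; an entry without `set rtp disable` is treated as pinholing enabled, as the text describes.

```python
import shlex

# Constructed sample in the layout of the CLI snippets above (not a real backup).
SAMPLE_CONFIG = """\
config application list
    edit "voip-edge"
        config entries
            edit 1
                set category voip
                set application SIP
                set call-keepalive 5
            next
        end
    next
    edit "signalling-only"
        config entries
            edit 1
                set category voip
                set application SIP
                set rtp disable
            next
        end
    next
end
"""

def sip_entries(text):
    """Return {(list_name, entry_id): settings} for SIP entries in application lists."""
    stack, found = [], {}
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]          # blank lines match no keyword below
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":                   # closes the nearest config and any open edit
            while stack and stack.pop()[0] != "config":
                pass
        elif tok[0] == "set" and len(tok) >= 3 and len(stack) == 4:
            if stack[0] == ("config", "application list") and stack[2] == ("config", "entries"):
                found.setdefault((stack[1][1], stack[3][1]), {})[tok[1]] = " ".join(tok[2:])
    return {k: v for k, v in found.items() if v.get("application") == "SIP"}

def audit(text):
    """Summarise RTP pinholing and call-keepalive for every SIP entry."""
    return {k: {"rtp_pinholes": v.get("rtp") != "disable",
                "call_keepalive": v.get("call-keepalive")}
            for k, v in sip_entries(text).items()}
```

Calling `audit(SAMPLE_CONFIG)` returns one record per SIP entry, keyed by application list name and entry ID, so entries that still open RTP pinholes on a signalling-only unit stand out.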
Since SIP requests can be transmitted via UDP, broadcast attacks are possible. To
prevent your site from being used as an intermediary in an attack, you can block various
SIP requests, including ACK, INVITE, INFO, PRACK, and so on, directed to broadcast
addresses at your router.
For example, you can type the following commands to block INVITE requests:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
For more information, see the FortiGate CLI Reference.
