Configuring SIP SIP support
FortiGate Version 4.0 Administration Guide
432 01-400-89802-20090424
http://docs.fortinet.com/ • Feedback
Configure FortiOS SIP support in the following order:
1 Create a firewall protection profile that enables SIP (see “Enabling SIP support and
setting rate limiting from the web-based manager” on page 432).
Once the profile is included in a policy, the ALG will parse the SIP traffic and open the
RTP ports for each specific VoIP call.
When creating a protection profile, you configure SIP features using the web-based
manager and CLI. You then apply the profile to a firewall policy. You can apply a profile
to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile.
Specifically, select the “SIP” or “Any” pre-defined service for the policy.
When the FortiGate unit receives a SIP packet, it checks the packet against the firewall
policies. If the packet matches a policy, the FortiGate firewall inspects and processes
the packet according to the SIP profile applied to the policy.
For more information about firewall policies, see “Firewall Policy” on page 319.
3 Configure advanced SIP features as required (see “Configuring SIP” on page 432).
Configuring SIP
You can enable SIP support, set two rate limits, enable SIP logging, and view SIP
statistics using the web-based manager. Most features, however, must be configured
through the CLI.
Enabling SIP support and setting rate limiting from the web-based manager
To enable SIP support you need to:
• enable SIP in an application control list
• select this application control list in a protection profile
• add this protection profile to a firewall policy that accepts SIP traffic.
From the web-based manager, you can also configure some SIP rate limiting settings.
Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a
SIP server within a company. Most SIP servers do not have integrated controls and it is
very easy to flood SIP servers with INVITE or REGISTER requests.
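The per-method rate limiting described above, as an added Python example (not FortiOS code and not part of the original guide): it counts INVITE and REGISTER requests per second and drops those over the limit. The limit values, the fixed one-second counting window, and the sample messages are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed per-second limits (constructed values, not FortiOS defaults).
LIMITS = {"INVITE": 2, "REGISTER": 3}

def sip_method(message):
    """Return the method of a SIP request, or None for responses or garbage."""
    first = message.split("\r\n", 1)[0].split(" ")
    # Request-Line: Method SP Request-URI SP SIP-Version (RFC 3261, section 7.1)
    if len(first) == 3 and first[2].startswith("SIP/") and first[0].isupper():
        return first[0]
    return None

def rate_limit(events, limits=LIMITS):
    """events: (timestamp_seconds, raw_sip_message) tuples in time order.
    Returns a list of (timestamp, method, 'pass' or 'drop')."""
    counts = defaultdict(int)  # (method, whole second) -> requests seen so far
    verdicts = []
    for ts, msg in events:
        method = sip_method(msg)
        if method is None:
            continue  # responses such as "SIP/2.0 200 OK" are not counted
        limit = limits.get(method)
        if limit is None:
            verdicts.append((ts, method, "pass"))  # method is not rate limited
            continue
        key = (method, int(ts))
        counts[key] += 1
        verdicts.append((ts, method, "pass" if counts[key] <= limit else "drop"))
    return verdicts

def _req(method, uri="sip:alice@example.com"):
    # Constructed request; only the request line matters to the limiter.
    return f"{method} {uri} SIP/2.0\r\nCall-ID: constructed\r\n\r\n"

SAMPLE = [  # constructed traffic, not a real capture
    (10.00, _req("INVITE")),
    (10.10, _req("INVITE")),
    (10.20, _req("INVITE")),    # third INVITE in second 10: over the limit
    (10.30, _req("OPTIONS")),   # no limit configured for OPTIONS
    (10.40, "SIP/2.0 200 OK\r\n\r\n"),
    (10.50, _req("REGISTER")),
    (11.00, _req("INVITE")),    # new second, so the INVITE counter starts over
]

if __name__ == "__main__":
    for ts, method, verdict in rate_limit(SAMPLE):
        print(f"{ts:6.2f} {method:<8} {verdict}")
```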
To enable SIP and set rate limiting from the web-based manager
1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for
an application control list. Otherwise, select Create New to add a new application list.
3 Then, select Create New in the application list to add a new application to the
application control list.
4 Set Application to SIP.
5 Select OK.
6 Make sure the application control list is selected in a protection profile and that the
protection profile is added to a firewall policy.
For more information about application control, see “Application Control” on page 523.