SIP over TLS
Some SIP phones and servers can communicate using TLS to encrypt the SIP signaling traffic. To allow SIP over TLS calls to pass through the FortiGate, the encrypted signaling traffic must be unencrypted and inspected. The FortiGate SIP ALG intercepts, unencrypts , and inspects the SIP packets, which are then re-encrypted and forwarded to their destination.
The SIP ALG only supports full mode TLS. This means that the SIP traffic between SIP phones and the FortiGate, and between the FortiGate and the SIP server, is always encrypted. The highest TLS version supported by SIP ALG is TLS
1.2.
To enable SIP over TLS support, the SSL mode in the VoIP profile must be set to full. The SSL server and client certificates can be provisioned so that the FortiGate can use them to establish connections to SIP phones and servers, respectively.
To configure SIP over TLS:
- Configure a VoIP profile with SSL enabled:
config voip profile edit “tls” config sip set ssl-mode full set ssl-client-certificate “ssl_client_cert” set ssl-server-certificate “ssl_server_cert”
end
next
end
The ssl_server_cert, ssl_client_cert, and key files can be generated using a certification tool, such as OpenSLL, and imported to the local certificate store of the FortiGate from System > Certificates in the GUI. Existing local certificates in the certificate store can also be used. As always for TLS connections, the certificates used must be verified and trusted at the other end of the connection when required.
For example, the CA certificate of the SIP server’s certificate should be imported to the FortiGate as an external CA certification, such that the FortiGate can use it to verify the SIP server’s certificate when setting up the TLS connection. The CA certificate configured as the ssl_server_cert should be installed as the trusted certificate on the SIP phones. The deployment of the certificates across the network depends on the SIP client and server devices that are used in the system.
- Apply the profile to the firewall policy:
config firewall policy edit 1 set srcintf “port1” set dstintf “port2” set srcaddr “all” set dstaddr “vip_sip_server” set action accept set schedule “always” set service “SIP” set utm-status enable set voip-profile “tls”
next end