Additional SIP NAT scenarios
This section lists some additional SIP NAT scenarios. Source NAT (SIP and RTP) In the source NAT scenario shown below, a SIP phone connects to the Internet through a...
NAT with IP address conservation
In a source or destination NAT security policy that accepts SIP sessions, you can configure the SIP ALG or the SIP session helper to preserve the original source IP...
Controlling how the SIP ALG NATs SIP contact header line addresses
You can enable contact-fixup so that the SIP ALG performs normal SIP NAT translation to SIP contact headers as SIP messages pass...
Controlling NAT for addresses in SDP lines
You can use the no-sdp-fixup option to control whether the FortiGate unit performs NAT on addresses in SDP lines in the SIP message body. The no-sdp-fixup...
Translating SIP session destination ports
Using port forwarding virtual IPs you can change the destination port of SIP sessions as they pass through the FortiGate unit. Translating SIP sessions to a...
Translating SIP sessions to multiple destination ports
You can use a load balance virtual IP to translate SIP session destination ports to a range of destination ports. In this example the destination...
Adding the original IP address and port to the SIP message header after NAT
In some cases your SIP configuration may require that the original IP address and port from the SIP contact request is kept...
Enhancing SIP pinhole security
You can use the strict-register option in a SIP VoIP profile to open smaller pinholes. As shown below, when a FortiGate unit is protecting a SIP server on a private...
FortiGate Upgrade Paths
If you are looking to upgrade your FortiGate to the latest version of code you need to stop and read the links listed below. There is a supported upgrade path for each version of FortiOS (4, 5, 5.2,...
Hosted NAT traversal
With the increase in the use of VoIP and other media traffic over the Internet, service provider network administrators must defend their networks from threats while allowing voice...
SIP over IPv6
FortiGate units operating in NAT/Route and in Transparent mode support SIP over IPv6. The SIP ALG can process SIP messages that use IPv6 addresses in the headers, bodies, and in the...
FortiOS 5.6 Beta 2 NGFW Policy
NGFW Policy mode is going to make a bunch of engineers smile ear to ear. There are a lot of cool features coming in 5.6 that include a much improved security fabric (with audit capabilities) as well...
Deep SIP message inspection
Deep SIP message syntax inspection (also called Deep SIP header inspection or SIP fuzzing protection) provides protection against malicious SIP messages by applying SIP...
Blocking SIP request messages
You may want to block different types of SIP requests: to prevent SIP attacks using these messages. If your SIP server cannot process some SIP messages because of a...
SIP rate limiting
Configurable threshold for SIP message rates per request method. Protects SIP servers from SIP overload and DoS attacks. SIP rate limiting INVITE REGISTER SUBSCRIBE SIP message rate...
SIP logging
You can enable SIP logging and logging of SIP violations in a VoIP profile.
config voip profile
  edit VoIP_Pro_Name
    config sip
      set log-call-summary enable
      set log-violations enable
    end
end
To...
Inspecting SIP over SSL/TLS (secure SIP)
Some SIP phones and SIP servers can communicate using SSL or TLS to encrypt the SIP signalling traffic. To allow SIP over SSL/TLS calls to pass through the...
SIP and HA–session failover and geographic redundancy
FortiGate high availability supports SIP session failover (also called stateful failover) for active-passive HA. To support SIP session failover,...
SIP and IPS
You can enable IPS in security policies that also accept SIP sessions to protect the SIP traffic from SIP-based attacks. If you enable IPS in this way then by default the pinholes that the...
SIP debugging
SIP debug log format Assuming that diagnose debug console timestamp is enabled then the following shows the debug that is generated for an INVITE if diag debug appl sip -1 is enabled:...