Jonathan_Body_FTNT
Article Id 198668

Description

This article explains the characteristics of the two pre-defined VoIP profiles available in FortiOS 4.0 MR2.


Scope

All FortiOS users using FortiOS 4.0 MR2 and above.


Solution

In FortiOS 4.0 MR2, the new VoIP profile feature ships with two pre-defined VoIP profiles. They can be found under UTM > VoIP.

The two profiles look almost identical when viewed in the GUI; only the CLI shows the full set of settings that distinguish the "default" profile from the "strict" profile.

Default:

This is the most commonly used VoIP profile. It enables both SIP and SCCP and places the minimum restrictions on which calls are allowed to negotiate. It allows normal SCCP, SIP and RTP sessions and applies the following security settings:

  • block-long-lines to block SIP messages with lines that exceed maximum line lengths.
  • block-unknown to block unrecognized SIP request messages.
  • log-call-summary to write log messages that record SIP call progress (similar to DLP archiving).
  • nat-trace (see the “NAT with IP address conservation” feature).
  • contact-fixup to fix errors in the SIP contact header line that can cause problems for SIP NAT.


Strict:

This profile is for users who want to validate SIP messages and allow only SIP sessions that comply with RFC 3261.

In addition to the settings of the default VoIP profile, the strict profile sets all SIP deep message inspection header checks to block, so that SIP messages containing malformed SIP or SDP lines that the Application Layer Gateway can detect are dropped.
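As an added illustration (not taken from the article itself), this is how the two profiles look side by side in the FortiOS CLI. The five settings under "default" are the ones the article lists; the malformed-header-* lines under "strict" are a representative subset of the SIP header checks rather than the complete list, so the exact set on a given unit should be confirmed on the device.

```fortios
# Added example, not the article's own output.
# "default": minimum restrictions plus the five settings listed above.
config voip profile
    edit "default"
        config sip
            set status enable
            # block SIP messages with lines that exceed the maximum length
            set block-long-lines enable
            # block unrecognized SIP request messages
            set block-unknown enable
            # log SIP call progress
            set log-call-summary enable
            # NAT with IP address conservation
            set nat-trace enable
            # repair the Contact header so SIP NAT works
            set contact-fixup enable
        end
        config sccp
            set status enable
        end
    next
    # "strict": same settings, and every header check set to block.
    edit "strict"
        config sip
            set status enable
            set block-long-lines enable
            set block-unknown enable
            set log-call-summary enable
            set nat-trace enable
            set contact-fixup enable
            # representative subset of the header checks (not exhaustive)
            set malformed-request-line block
            set malformed-header-via block
            set malformed-header-from block
            set malformed-header-to block
            set malformed-header-call-id block
            set malformed-header-cseq block
            set malformed-header-contact block
            set malformed-header-content-length block
            set malformed-header-sdp-v block
            set malformed-header-sdp-o block
            set malformed-header-sdp-c block
            set malformed-header-sdp-m block
        end
        config sccp
            set status enable
        end
    next
end
```

To see the complete list of checks a profile actually applies, enter `config voip profile`, edit the profile, and run `show full-configuration`.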