cbenejean
Staff
Article Id 194747
Description
This article shows an example of deep inspection by the SIP ALG when the transport protocol is SIP over TLS.

Solution
The SIP ALG on the FortiGate can perform deep inspection of SIP over TLS. The FortiGate acts as a man-in-the-middle: it decrypts, inspects and re-encrypts the SIP traffic. First, the SIP proxy certificate must be uploaded into the FortiGate certificate database. In this example the FortiVoice is used as the SIP proxy. The following screenshot shows how to download the certificate from the FortiVoice:

[Screenshot 1: downloading the SIP server certificate from the FortiVoice]

Download the FortiVoice certificate named FortiVoiceSipServer as a PKCS12 file. Keep it in a secure place: it contains both the certificate and the private key. Then upload it to the FortiGate as a remote certificate:

[Screenshot 2: importing the PKCS12 file into the FortiGate certificate database]

Second, the VoIP profile must be configured for deep inspection with the FortiVoice certificate. This has to be done in the CLI: first enable TLS in the VoIP profile with the parameter “set ssl-mode full”, then reference the uploaded SIP proxy certificate:
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set ssl-mode full
            set ssl-server-certificate "FortiVoiceSIPServer"
        end
    next
end
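As an added check (not Fortinet code), the following parses the FortiOS CLI block syntax used above and reports what would stop the SIP ALG from deep-inspecting SIP-TLS: ssl-mode not set to full, or no ssl-server-certificate assigned. PROFILE_OK is the profile from this article; PROFILE_WEAK is constructed for the example with ssl-mode off and no certificate.

```python
"""Check a FortiGate VoIP profile for SIP-TLS deep inspection.

Added example, not Fortinet code: a small parser for the FortiOS CLI block
syntax (config / edit / set / next / end) and a check that the sip section
of a voip profile has ssl-mode full and a server certificate assigned.
PROFILE_OK is the article's profile; PROFILE_WEAK is constructed here with
ssl-mode off and no certificate.
"""
import shlex

PROFILE_OK = """\
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set ssl-mode full
            set ssl-server-certificate "FortiVoiceSIPServer"
        end
    next
end
"""

# Constructed counter-example: TLS is not terminated, so the ALG cannot inspect SIP-TLS.
PROFILE_WEAK = """\
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set ssl-mode off
        end
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse config/edit/set/next/end lines into nested dicts; each 'set' maps to its argument list."""
    root, stack = {}, []
    node = root
    for line in text.splitlines():
        tokens = shlex.split(line)      # handles the quoted names and comment strings
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(args), {})
        elif kw == "set":
            node[args[0]] = args[1:]
        elif kw in ("next", "end"):
            if not stack:
                raise ValueError(f"'{kw}' without an open block")
            node = stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r}")
    if stack:
        raise ValueError("unterminated config/edit block")
    return root


def sip_tls_inspection_issues(text: str, profile: str = "default") -> list:
    """List what stops the SIP ALG from deep-inspecting SIP-TLS with this profile."""
    sip = parse_fortios(text).get("voip profile", {}).get(profile, {}).get("sip", {})
    issues = []
    if sip.get("ssl-mode") != ["full"]:
        issues.append("ssl-mode is not 'full': SIP-TLS on TCP/5061 reaches the ALG as opaque ciphertext")
    if not sip.get("ssl-server-certificate"):
        issues.append("no ssl-server-certificate: the FortiGate holds no SIP proxy key to decrypt and re-encrypt with")
    return issues


if __name__ == "__main__":
    for name, text in (("ok", PROFILE_OK), ("weak", PROFILE_WEAK)):
        print(name, sip_tls_inspection_issues(text) or "deep inspection configured")
```

Feed it the output of “show voip profile” from a FortiGate (the same block syntax) to confirm the profile actually applied to the policy has both settings; a profile with the certificate set but ssl-mode left at off still leaves port 5061 traffic uninspected.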
In the firewall policy, the SIP-TLS traffic (TCP port 5061 by default) must be allowed through, either by editing the “SIP” firewall service object or by creating a new one, and the VoIP profile doing the SSL inspection must be applied to that policy.

On the FortiVoice, the extension must be configured to use TLS as its SIP transport.

On most SIP phones, the CA certificate that issued the SIP proxy certificate must be installed so that the phone can verify the certificate chain.
