FortiGate
pradeepb
Staff
Article Id 198262
Description
This article describes how to disable H323 and RAS session helpers.

Solution
To successfully process VoIP calls, FortiOS must be able to extract information from the body of the H323 packet and use this information to allow the voice-carrying packets through the firewall.
The H323 session helper is used for this purpose.

The H323 session helper creates an expected session whenever H323 traffic arrives, opens pinholes for the RTP ports, and performs NAT on these ports.
In scenarios where the H323 gatekeeper/server performs VoIP inspection and NAT on these packets, and FortiGate is not required to inspect H323 sessions, consider removing the H323 and RAS session helpers.
To disable the H323 session helper, which listens on TCP port 1720:


1) Enter the following command to find the h323 session helper entry number:
# show full system session-helper
# config system session-helper
    edit 2          <----- 2 is the default entry number.
        set name h323
        set protocol 6
        set port 1720
    end
2) Once you have the entry number, use the following commands to remove that entry:
# config system session-helper
    delete 2
end
The RAS session helper's default entry number is 3.
Follow the same steps and commands to check the RAS session helper entry number and delete it.
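
An added example, not part of the original article or of Fortinet's tooling: a Python sketch that parses saved `show full system session-helper` output and builds the delete commands by helper name, so an entry with a non-default number is not deleted by mistake. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `show full system session-helper` output (not captured
# from a real device); entry numbers on a live unit may differ from these.
SAMPLE_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
end
"""

def parse_session_helpers(text):
    """Return {entry_id: {"name": ..., "protocol": ..., "port": ...}}."""
    helpers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate a leading CLI prompt
        m = re.match(r"edit (\d+)(\s|$)", line)  # trailing annotations are ignored
        if m:
            current = helpers.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"set (\S+) (\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif line in ("next", "end"):
            current = None
    return helpers

def build_delete_commands(text, names=("h323", "ras")):
    """Build CLI lines that delete entries matched by name, not by assumed number."""
    parsed = parse_session_helpers(text)
    ids = sorted(i for i, h in parsed.items() if h.get("name") in names)
    return (["config system session-helper"] + [f"    delete {i}" for i in ids] + ["end"]) if ids else []

if __name__ == "__main__":
    print("\n".join(build_delete_commands(SAMPLE_OUTPUT)))
```

Review the generated lines against the device's own output before pasting them into the CLI.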

