Tuesday, March 25, 2008

SIP and H.323

If you run into problems with SIP or H.323 traffic traversing your FortiGate firewalls, the cause may be the SIP and H.323 session helpers (i.e. proxies). They can be tweaked only from the command line. Here is what a typical configuration looks like:

config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
next
edit 2
set name h323
set port 1720
set protocol 6
next
edit 3
set name ras
set port 1719
set protocol 17
next
*** snip ***
edit 12
set name sip
set port 5060
set protocol 17
next
edit 13
set name dns-udp
set port 53
set protocol 17
next
end

To disable the SIP and H.323 session helpers use the following syntax:

config system session-helper
delete 12
delete 3
delete 2
end

Keep in mind to delete session helpers starting with the highest-numbered entry. Otherwise you may inadvertently delete the wrong session helpers if you are not careful.
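As an added example (not Fortinet code or a tool from this post), the following script parses a session-helper block in the layout shown above, looks up the ids of the sip, h323 and ras helpers by name instead of by hand, and emits the delete commands highest-numbered first, as the caveat above requires. The sample config is constructed for the example.

```python
import re

# Constructed sample in the layout of the post's session-helper block (not a real device dump).
SAMPLE_CONFIG = """\
config system session-helper
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next
    edit 12
        set name sip
        set port 5060
        set protocol 17
    next
    edit 13
        set name dns-udp
        set port 53
        set protocol 17
    next
end
"""

# Helpers the post deletes so SIP and H.323 pass the firewall without being proxied.
VOIP_HELPERS = frozenset({"sip", "h323", "ras"})

def parse_session_helpers(text):
    """Map each `edit <id>` entry to its name/port/protocol settings."""
    helpers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = int(m.group(1))
            helpers[current] = {}
        elif current is not None and (m := re.fullmatch(r"set (name|port|protocol) (\S+)", line)):
            key, val = m.groups()
            helpers[current][key] = val if key == "name" else int(val)
        elif line == "next":
            current = None  # settings outside an edit block are ignored
    return helpers

def delete_commands(helpers, names=VOIP_HELPERS):
    """Delete block for the named helpers only, highest id first (the post's caveat)."""
    ids = sorted((i for i, h in helpers.items() if h.get("name") in names), reverse=True)
    return ["config system session-helper"] + [f"delete {i}" for i in ids] + ["end"]
```

Compare the emitted ids against a fresh `show system session-helper` before pasting the block, since ids differ between units and firmware versions.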

*****

Update: In FortiOS 3.0 MR6 and above you should also try the following commands:

config system settings
set sip-helper disable
end

and

config system settings
set sip-nat-trace disable
end

13 comments:

  1. Hi,

    I tried the suggestion to remove the helper, but then another problem appears. When I try to communicate with remote locations the phones ring but after someone answer there is no sound transferred.

  2. I know .. the SIP and H.323 helper applications are so-so, not bad but not great either. My suggestion would be a real Session Border Controller if you have a lot of SIP and H.323 traffic.

  3. THANK YOU! Been scratching my head on this little forti quirk for 3 months or so, when it became urgent you saved me :-)

  4. Should it matter that I get command parse error before 'sip-nat-trace' Command fail. Return code -61

    when trying to disable sip-nat-trace

    My box is a fortigate 60B on Fortigate-60 3.00,build0400,061002

    This is driving me nuts!!!

  5. Hmmm, if I am not mistaken that's a 4.0 command. Time to upgrade? :)

  6. Yeah, it would be, but I cannot upgrade the FG-60's to v4 as they won't take it. Anybody know the old commands I need to turn it off?

  7. I am pretty sure they didn't have those commands in 3.x

  8. Hi, and I wish you a happy new year!
    Actually, I have a problem with a Fortigate 310B, OS 4.02 MR1.
    My company would like to install a videoconference system (Tandberg Edge 95 MXP)
    and I created rules for H.323 with/without the session helper, but it doesn't work. I think it uses H.245, but I don't know how to configure that in the session helper because they have h.245I and h.245O, and the TCP range for H.245 is 5555 to 5574.
    Thanks for your help.

  9. Do I need to reboot the firewall running OS 4.0 after I delete the SIP session-helper?

  10. Dear Sebastian,

    I came across your blog while looking for a solution to my problem. We have a client who has a Fortigate 110C firewall, and the Call Manager is behind the firewall... there are two other interfaces on which users are connected. We have taken over the project and now the client wants us to migrate to a Fortigate 310B. We migrated the firewall; however, we are getting only one-way voice traffic, i.e. the calling party's voice can be heard by the called party but not vice versa. There is nothing in the session helper related to SIP and the OS is 4.0.3. Kindly suggest something.

  11. If you need help with this I would suggest posting to the Fortinet forums at
    http://support.fortinet.com/forum

  12. Sebastian,

    I am hoping that you can offer some advice. I have a Fortigate 60B with a 3CX phone system, running 4.0 MR2 Patch 1 on the Fortigate. I have tried your suggestions by making the following changes.

    config system session-helper
    edit 1
    set name pptp
    set port 1723
    set protocol 6
    next
    edit 2
    set name h323
    set port 1720
    set protocol 6
    next
    edit 3
    set name ras
    set port 1719
    set protocol 17
    next
    *** snip ***
    edit 12
    set name sip
    set port 5060
    set protocol 17
    next
    edit 13
    set name dns-udp
    set port 53
    set protocol 17
    next
    end

    To disable the SIP and H.323 session helpers use the following syntax:

    config system session-helper
    delete 12
    delete 3
    delete 2
    end

    Keep in mind to delete session helpers starting at the highest numbered one. Otherwise you may inadvertently delete the wrong session helpers if you are not careful.

    *****

    Update: In FortiOS 3.0 MR6 and above you should also try the following commands:

    config system settings
    set sip-helper disable
    end

    and

    config system settings
    set sip-nat-trace disable
    end


    everything works now calling in or calling from the inside out. but if I try to take a phone outside the network and point it to the public IP of the phone system It makes the call but no audio. So I think it is some sort of problem with nat on RTP Ports 9000-9049 that the 3cx phone system requires to be open but I cant seem to pin point the problem and fortinet support seems to be no help I have heard nothing back from them.

    Your advice would be greatly appreciated.

    Thanks,
    Ryan

    raclarke1@gmail.com
