Tuesday, March 25, 2008

SIP and H.323

If you run into problems with SIP and H.323 traversing your Fortigate firewalls, this may be related to the SIP and H.323 session helpers (i.e. proxies). They can only be tweaked on the command line. Here is what a typical configuration looks like:

config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
next
edit 2
set name h323
set port 1720
set protocol 6
next
edit 3
set name ras
set port 1719
set protocol 17
next
*** snip ***
edit 12
set name sip
set port 5060
set protocol 17
next
edit 13
set name dns-udp
set port 53
set protocol 17
next
end

To disable the SIP and H.323 session helpers use the following syntax:

config system session-helper
delete 12
delete 3
delete 2
end

Delete the session helpers starting with the highest-numbered entry and work downwards. Otherwise you may inadvertently delete the wrong session helpers if you are not careful.
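As an added example (not from the post and not a Fortinet tool), the following Python script parses a `config system session-helper` listing like the one above, picks out the SIP, H.323 and RAS helpers by name, and emits the delete commands highest-numbered first, so the ordering caveat is handled automatically. The listing embedded in it is a constructed, abridged sample that mirrors the post's numbering.

```python
# Constructed sample listing, abridged like the post (entries 4-11 omitted).
SAMPLE_CONFIG = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next
    edit 12
        set name sip
        set port 5060
        set protocol 17
    next
end
"""

# Helper names the post removes: SIP, H.323 call signalling and RAS.
VOIP_HELPERS = {"sip", "h323", "ras"}

def parse_session_helpers(text):
    """Return {entry_id: {"name": ..., "port": ..., "protocol": ...}}."""
    helpers, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["edit"]:            # start of an entry, e.g. "edit 12"
            current = int(tokens[1])
            helpers[current] = {}
        elif tokens[:1] == ["set"] and current is not None:
            helpers[current][tokens[1]] = " ".join(tokens[2:])
        elif tokens[:1] == ["next"]:          # end of the current entry
            current = None
    return helpers

def delete_commands(text, names=VOIP_HELPERS):
    """Build the CLI block that deletes the matching helpers, highest id first."""
    helpers = parse_session_helpers(text)
    ids = sorted((i for i, h in helpers.items() if h.get("name") in names), reverse=True)
    return ["config system session-helper"] + [f"delete {i}" for i in ids] + ["end"]

if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE_CONFIG)))
```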

*****

Update: In FortiOS 3.0 MR6 and above you should also try the following commands:

config system settings
set sip-helper disable
end

and

config system settings
set sip-nat-trace disable
end

13 comments:

Unknown said...

Hi,

I tried the suggestion to remove the helper, but then another problem appears. When I try to communicate with remote locations the phones ring, but after someone answers there is no sound transferred.

Sebastian said...

I know .. the SIP and H.323 helper applications are so-so, not bad but not great either. My suggestion would be a real Session Border Controller if you have a lot of SIP and H.323 traffic.

Anonymous said...

THANK YOU! Been scratching my head on this little forti quirk for 3 months or so, when it became urgent you saved me :-)

Simon Bannister said...

Should it matter that I get "command parse error before 'sip-nat-trace' Command fail. Return code -61" when trying to disable sip-nat-trace?

My box is a fortigate 60B on Fortigate-60 3.00,build0400,061002

This is driving me nuts!!!

Sebastian said...

Hmmm, if I am not mistaken that's a 4.0 command. Time to upgrade? :)

Simon Bannister said...

Yeah, it would be, but I cannot upgrade the FG-60's to v4 as they won't take it. Anybody know the old commands I need to turn it off?

Sebastian said...

I am pretty sure they didn't have those commands in 3.x

Anonymous said...

Hi, and I wish you a happy new year!
Actually, I have a problem with a Fortigate 310B, OS 4.02 MR1.
My company would like to install a video conferencing system (Tandberg Edge 95 MXP), and I created a rule for H.323 with/without the session helper, but it doesn't work. I think it uses H.245 but I don't know how to configure that in the session helper, because they have h.245I and h.245O and the TCP range for H.245 is 5555 to 5574.
Thanks for your help.

Anonymous said...

Do I need to reboot the firewall running OS 4.0 after I delete the SIP session-helper?

Sebastian said...

No, you shouldn't have to.

Everyday Finance said...

Dear Sebastian,

I came across your blog while looking for a solution to my problem. We have a client who has a Fortigate 110C firewall, and the Call Manager is behind the firewall... there are two other interfaces to which users are connected. We have taken over the project and now the client wants us to migrate to a Fortigate 310B. We migrated the firewall; however, we are getting only one-way voice traffic, i.e. the calling party's voice can be heard by the called party but not vice versa. There is nothing in the session helper related to SIP and the OS is 4.0.3. Kindly suggest something.

Sebastian said...

If you need help with this I would suggest posting to the Fortinet forums at
http://support.fortinet.com/forum

Ryan Clarke said...

Sebastian,

I am hoping that you can offer some advice. I have a Fortigate 60B with a 3CX phone system, running 4.0 MR2 Patch 1 on the Fortigate. I have tried your suggestions by making the following changes.

config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
next
edit 2
set name h323
set port 1720
set protocol 6
next
edit 3
set name ras
set port 1719
set protocol 17
next
*** snip ***
edit 12
set name sip
set port 5060
set protocol 17
next
edit 13
set name dns-udp
set port 53
set protocol 17
next
end

To disable the SIP and H.323 session helpers use the following syntax:

config system session-helper
delete 12
delete 3
delete 2
end

Keep in mind to delete session helpers starting at the highest numbered one. Otherwise you may inadvertently delete the wrong session helpers if you are not careful.

*****

Update: In FortiOS 3.0 MR6 and above you should also try the following commands:

config system settings
set sip-helper disable
end

and

config system settings
set sip-nat-trace disable
end

Everything works now, calling in or calling from the inside out. But if I try to take a phone outside the network and point it to the public IP of the phone system, it makes the call but there is no audio. So I think it is some sort of problem with NAT on the RTP ports 9000-9049 that the 3CX phone system requires to be open, but I can't seem to pinpoint the problem, and Fortinet support seems to be no help; I have heard nothing back from them.

Your advice would be greatly appreciated.

Thanks,
Ryan

raclarke1@gmail.com