Configuring SIP SIP support
FortiGate Version 4.0 MR1 Administration Guide
512 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Setting SIP rate limiting from the CLI
Use the following command to enable SIP support in an application list and configure SIP
rate limiting:
config application list
edit <list_name>
config entries
edit 1
set category voip
set application SIP
set register-rate 100
set invite-rate 30
end
end
More about rate limiting
FortiGate units support rate limiting for the following types of VoIP traffic:
• Session Initiation Protocol (SIP)
• Skinny Call Control Protocol (SCCP)
• Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions
(SIMPLE).
You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your
network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects
against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests
that the FortiGate unit receives per second. Rate limiting protects against SCCP DoS
attacks by limiting the number of SCCP call setup messages that the FortiGate unit
receives per minute.
When VoIP rate limiting is enabled, if the FortiGate unit receives more messages per
second (or minute) than the configured rate, the extra messages are dropped.
If you are experiencing denial of service attacks from traffic using these VoIP protocols,
you can enable VoIP rate limiting and limit the rates for your network. Limit the rates
depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be
handling. You can adjust the settings if some calls are lost or if the amount of SIP or
SCCP traffic is affecting FortiGate unit performance.
From the CLI you can configure additional SIP, SCCP, as well as SIMPLE extensions. For
more information, see the description of the config sip, config sccp, and config
simple subcommands of the application command in the FortiGate CLI Reference.
You can also block SIMPLE sessions by enabling block login for the SIMPLE application.
For more information, see “Application Control” on page 603.
Enabling SIP logging
You can log SIP events in a protection profile.
Go to Firewall > Protection Profile. Open an existing profile or select Create New to create
a new profile. Expand Logging. Select Log VoIP Activity to log VoIP events.
For more information about enabling and configuring logging, see “Log&Report” on
page 709.
Enabling advanced SIP features in an application list
You can configure advanced SIP features for an application list.
To Next Page
Loading...
Need help?
General