Skip to content

How to turn the Session Initiation Protocol (SIP) module on or off

The SIP module is turned on by default and provides the following functions for SIP traffic:

  • Uses UDP port 5060.
  • Translates local IP addresses to public IP addresses, updating the SIP header.
  • Enables a dynamic voice channel by setting up an expected voice connection in the firewall.

Turning the SIP module on or off from the command line interface (CLI)

  1. Sign in to the command line using SSH. You can also access it from admin > Console in the upper-right corner of the web admin console.
  2. Choose option 4. Device Console.
  3. Use the following commands.

    • Turn on SIP module: system system_modules sip load
    • Turn off SIP module: system system_modules sip unload

    Note

    The commands are persistent even if the firewall restarts.

  4. See the SIP module status: system system_modules show

    SIP Not Loaded.

Use a custom port

If you're using a custom port for SIP communication and you want to load the same port under the Sophos helper module, run the below command:

system system_modules sip load ports <custom_port>

Note

The firewall supports SIP media ports in the range 1024-65535 with its SIP helper module.

If you load the firewall's SIP helper and set a media port outside this range, the firewall drops the packets, and VoIP calls may not connect. Event logs show the cause as Invalid Traffic.

TCP support

The Sophos Firewall SIP helper doesn't support SIP and SDP messages spanning more than one packet. This can happen when you are using SIP over TCP.

The workaround is to use a SIP UDP control connection because, in UDP, a single SIP message is a single packet.

SIP UDP control connection.

More resources