Overview
On Fortigate firewalls, SIP Application Layer Gateway (SIP ALG) is enabled by default. This will cause problems with SIP VoIP phone registration and call processing.
We observed the following problems when SIP ALG is active on Fortigate firewalls:
- SIP phones are unable to register on a remote phone system
- Calls are dropped after 5-15 min
- Incoming phone calls are not reaching the SIP phone(s)
How to disable SIP ALG on Fortigate firewalls
Back up the configuration of your firewall before making any changes.
FortiOS starting at software release 6.2.2: Run the following commands using the Fortigate firewall CLI
config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
FortiOS older than software release 6.2.2: Run the following commands using the Fortigate firewall CLI
config system settings
set sip-helper disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
If you see an error while entering "set default-voip-alg-mode kernel-helper-based", just ignore it.
The rest of the configuration is the same for all FortiOS versions.
Next, we need to locate the SIP entry in the session helper list and delete it.
config system session-helper
show
Scroll down until you see an entry for SIP. In this example it was number 13, but it may be different depending on model and software release. Once you find the SIP entry, note its number and execute the following commands using the number you observed:
delete 13
end
The last set of commands disables processing of the RTP protocol on the firewall:
config voip profile
edit default
config sip
set rtp disable
end
end
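You can reboot your firewall or run the command below to clear the saved sessions. Run without a session filter, this command clears every session on the firewall, so active connections are interrupted.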
diagnose sys session clear
You might need to reboot your desk phones so they can re-register properly.