DISABLE SIP ALG ON FORTIGATE FIREWALLS

Overview

By default, FortiGate firewalls have the SIP Application Layer Gateway (SIP ALG) enabled. This feature often interferes with SIP VoIP phone registration and call processing, causing various issues.

Common problems observed when SIP ALG is enabled:

  1. SIP phones fail to register with the remote phone system.
  2. Active calls drop after 5–15 minutes.
  3. Incoming calls do not reach the SIP phones.

How to disable SIP ALG on FortiGate firewalls

Important: Always back up your firewall configuration before making changes.

For FortiOS 6.2.2 and newer

Run the following commands in the FortiGate CLI:

config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end

For FortiOS older than 6.2.2

Run these commands:

config system settings
set sip-helper disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end

Note: If you receive an error when entering set default-voip-alg-mode kernel-helper-based, you can safely ignore it.

Additional Configuration (Applies to All FortiOS Versions)

Remove the SIP Session Helper

config system session-helper
show

Scroll through the list and locate the SIP entry (in the example below it is entry 13, but the number may vary depending on your model and software version). Note the entry number, then delete it:

delete 13
end

Disable RTP processing

config voip profile
edit default
config sip
set rtp disable
end
end

Final Steps

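Clear existing sessions so the new settings take effect immediately. With no session filter set, this command drops every active session through the firewall, including calls in progress:

diagnose sys session clear
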
  • Reboot the firewall (optional but recommended).
  • Reboot your SIP desk phones so they can re-register successfully.
  • After completing these steps, SIP ALG should be fully disabled, which typically res
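
To confirm the change took effect, the steps above can be checked against a saved configuration. The script below is an added example, not part of the original article or any Fortinet tooling; it assumes an indented full-configuration dump (for example from show full-configuration) in which these settings appear explicitly, and the sample text and function names are constructed for illustration.

```python
import re
# Constructed sample: indented excerpt of a FortiGate config backup (not from the page).
SAMPLE_CONFIG = """\
config system settings
    set sip-expectation disable
    set sip-nat-trace disable
end
config system session-helper
    edit 1
        set name pptp
    next
    edit 13
        set name sip
    next
end
config voip profile
    edit "default"
        config sip
            set rtp disable
        end
    next
end
"""

def section(config, header):
    """Body of a top-level 'config <header>' block ('' if absent); relies on indentation."""
    m = re.search(rf"^config {re.escape(header)}\n(.*?)^end$", config, re.M | re.S)
    return m.group(1) if m else ""

def has(body, setting):
    """True if the block contains the exact line 'set <setting>'."""
    return re.search(rf"^\s*set {re.escape(setting)}\s*$", body, re.M) is not None

def audit_sip_alg(config):
    """List the steps from this article that the config does not reflect yet."""
    findings = []
    settings = section(config, "system settings")
    # default-voip-alg-mode is skipped: the article says an error on it can be ignored.
    for names in (("sip-expectation", "sip-helper"), ("sip-nat-trace",)):
        if not any(has(settings, f"{n} disable") for n in names):
            findings.append(f"{' / '.join(names)} is not set to disable")
    helpers = section(config, "system session-helper")
    for entry_id, body in re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next$", helpers, re.M | re.S):
        if has(body, "name sip"):
            findings.append(f"session-helper entry {entry_id} still loads the SIP helper")
    voip = re.search(r'^\s*edit "default"\n(.*?)^\s*next$', section(config, "voip profile"), re.M | re.S)
    if not voip or not has(voip.group(1), "rtp disable"):
        findings.append("voip profile default does not set rtp disable")
    return findings
```

On the constructed sample, the only finding is the leftover session-helper entry 13; an empty list means every step is reflected in the dump.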