On Fortigate firewalls SIP Application Layer Gateway (SIP ALG) is enabled by default. This will cause problems with SIP VoIP phones registration and call processing.
We observed following problems when SIP ALG is active on Fortigate firewalls:
- SIP phones are unable to register on a remote phone system
- Calls are dropped after 5-15 min
- Incoming phone calls are not reaching the SIP phone(s)
Disable SIP ALG instructions
Backup configuration of your firewall before making any changes
FortiOS starting at software release 6.2.2 : Run following commands from Fortigate firewall CLI
config system settings set sip-expectation disable set sip-nat-trace disable set default-voip-alg-mode kernel-helper-based end
FortiOS older than software release 6.2.2 : Run following commands from Fortigate firewall CLI
config system settings set sip-helper disable set sip-nat-trace disable set default-voip-alg-mode kernel-helper-based end
If you see an error while entering “set default-voip-alg-mode kernel-helper-based” , just ignore it.
Rest of configuration is the same for all FortiOS versions
Next we need to locate SIP entry in session helper list and delete it
config system session-helper show
Scroll down until you see an entry for SIP, in our example it was number 13 but this may be different depending on model and software release. Now execute following commands:
delete 13 end
The last set of commands disables processing of RTP protocol on the firewall
config voip profile edit default config sip set rtp disable end end
Normally Fortigate firewalls do not require a reboot when you change configuration, but , it seems, in this case we need reboot it to activate session helper changes.
Last step – restart or power cycle all your SIP phones and devices.