Disable SIP ALG

SIP ALG allows the firewall to dynamically open ports for audio traffic as well as the changing of IP address when NAT is used and the inspection of VoIP traffic.

Even though Fortinet recommends the use of SIP ALG, there are times we need to disable it to get voice traffic working.

To disable SIP ALG

  1. Change to Kernel Based ALG mode, Run the following commands:
  2. config system settings
    set default-voip-alg-mode kernel-helper-based

  3. Delete the session helper
  4. Run the following commands:
    config system session-helper

    Amongst the displayed settings will be one similar to the following example:

    edit 13
    set name sip
    set protocol 17
    set port 5060

    In this example the next commands would be:

    delete 13

  5. Enter the following commands in FortiGate’s CLI:
  6. config system settings
    set sip-helper disable
    set sip-nat-trace disable

    config voip profile
    edit default
    config sip
    set status disable

    reboot the device

Leave a Reply