SIP ALG allows the firewall to dynamically open ports for audio traffic, rewrite IP addresses when NAT is used, and inspect VoIP traffic.
Even though Fortinet recommends the use of SIP ALG, there are times we need to disable it to get voice traffic working.
To disable SIP ALG:
- Change to kernel-based ALG mode
- Delete the session helper
Enter the following commands in FortiGate's CLI:
config system settings
set default-voip-alg-mode kernel-helper-based
end
Run the following commands:
config system session-helper
show
Amongst the displayed settings will be one similar to the following example:
edit 13
set name sip
set protocol 17
set port 5060
In this example the next commands would be:
delete 13
end
config system settings
set sip-helper disable
set sip-nat-trace disable
end
config voip profile
edit default
config sip
set status disable
end
end
Reboot the device.
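
One way to confirm the result after the reboot, as an added example that is not from the original page or from Fortinet: a Python check over a text export of the configuration that verifies each setting the procedure changes and that no session helper named sip remains. The function names and the sample text are constructed for illustration, and a setting missing from the export is reported as "not set" rather than assumed to be correct.

```python
EXPECTED = [  # (config path, key, expected value) left in place by the procedure
    (("system settings",), "default-voip-alg-mode", "kernel-helper-based"),
    (("system settings",), "sip-helper", "disable"),
    (("system settings",), "sip-nat-trace", "disable"),
    (("voip profile", "default", "sip"), "status", "disable"),
]

def parse_sets(text):
    """Yield (path, key, value) for each 'set' line, tracking config/edit nesting."""
    stack = []  # entries: ("config" or "edit", name)
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] in ("config", "edit") and len(tok) > 1:
            stack.append((tok[0], " ".join(tok[1:]).strip('"')))
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":
            while stack and stack.pop()[0] != "config":
                pass  # also closes an 'edit' left open without 'next'
        elif tok[0] == "set" and len(tok) > 2:
            yield tuple(n for _, n in stack), tok[1], " ".join(tok[2:]).strip('"')

def check_sip_alg_disabled(text):
    """Return findings; an empty list means the config matches the procedure."""
    sets = list(parse_sets(text))
    seen = {(path, key): value for path, key, value in sets}
    findings = []
    for path, key, want in EXPECTED:
        got = seen.get((path, key), "not set")
        if got != want:
            findings.append(f"{' / '.join(path)}: {key} is {got}, expected {want}")
    for path, key, value in sets:
        if (path[:1], key, value) == (("system session-helper",), "name", "sip"):
            findings.append(f"session-helper entry {path[-1]} still has name sip")
    return findings

# Constructed sample: settings as they might look before the procedure is applied.
SAMPLE_BEFORE = """\
config system settings
    set default-voip-alg-mode proxy-based
end
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
"""
if __name__ == "__main__":
    print("\n".join(check_sip_alg_disabled(SAMPLE_BEFORE)))
```

Because `show` can omit settings that are at their default value, feed the check the output of `show full-configuration` so that every setting appears in the text.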