Disabling SIP ALG on a Fortigate Firewall


Disabling SIP ALG

This article will guide you through the steps required to disable the SIP ALG (Session Initiation Protocol Application Layer Gateway) setting on a Fortigate Firewall. Disabling SIP ALG can help resolve issues related to VoIP (Voice over IP) communications by ensuring that the SIP traffic is not altered or interfered with by the firewall.

Scope:

The instructions apply to all Fortigate Firewalls. Separate commands are given for FortiOS versions 6.2.2 and later and for earlier versions.

Requirements:

  • CLI access to the Fortigate Firewall

Instructions:

Step 1: Access the CLI Interface

  1. Open the CLI (Command Line Interface) on your Fortigate Firewall.
  2. Before proceeding with any changes, ensure that you back up your current configuration.

Step 2: Disable SIP ALG

For devices running FortiOS 6.2.2 and later, enter the following commands in the CLI:

config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end

For devices running FortiOS versions earlier than 6.2.2, use the following commands:

config system settings
set sip-helper disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end

Note: If you encounter an error when entering the command set default-voip-alg-mode kernel-helper-based, you can safely ignore it and continue with the rest of the configuration.

Step 3: Remove SIP Session Helper

  1. Run the following commands in the CLI:
     config system session-helper
     show
  2. Locate the entry for SIP, which is typically entry 12. This number may vary depending on your software version and model.
  3. Delete the SIP session helper by running:
     delete 12
     Alternatively, replace 12 with the entry number you found in the previous step.
  4. Exit the configuration mode:
     end

Step 4: Disable RTP Processing

To further ensure that SIP traffic is handled correctly, disable RTP (Real-time Transport Protocol) processing with the following commands:

config voip profile
edit default
config sip
set rtp disable
end
end

Step 5: Reboot the Firewall and SIP Devices

Although Fortigate Firewalls do not typically require a reboot after making configuration changes, a reboot is necessary in this case to activate the session helper changes.

  1. Reboot the Fortigate Firewall.
  2. Reboot all your SIP devices/phones to ensure they apply the new settings.
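
One way to confirm the result after the reboot, as an added example that is not part of the original article or a Fortinet tool: a small Python check that parses saved configuration text and reports any setting from Steps 2 to 4 that is not in place. It assumes the text includes default values (for example, captured with `show full-configuration`), because settings left at their default may be absent from a plain backup; the sample text, the `set name sip` entry layout and the function names are constructed for illustration.

```python
# Constructed sample in FortiOS configuration syntax (not from a real device).
SAMPLE = """config system settings
    set sip-expectation disable
    set sip-nat-trace disable
    set default-voip-alg-mode kernel-helper-based
end
config system session-helper
    edit 13
        set name sip
    next
end
config voip profile
    edit "default"
        config sip
            set rtp disable
        end
    next
end"""

def parse_fortios(text):
    """Map config paths to their 'set' values; 'end' also closes an open edit (typed CLI)."""
    stack, tree = [], {}
    for tok in filter(None, (line.split() for line in text.splitlines())):
        word, rest = tok[0], " ".join(tok[1:]).strip('"')
        if word in ("config", "edit"):
            stack.append(f"{word} {rest}")
        elif word == "next" and stack:
            stack.pop()
        elif word == "end" and stack:
            del stack[-(2 if stack[-1].startswith("edit ") else 1):]
        elif word == "set" and len(tok) > 2:
            tree.setdefault(tuple(stack), {})[tok[1]] = " ".join(tok[2:]).strip('"')
    return tree

def audit_sip_alg(text):
    """Return findings; an empty list means nothing from the steps is outstanding."""
    tree = parse_fortios(text)
    s = tree.get(("config system settings",), {})
    sip = tree.get(("config voip profile", "edit default", "config sip"), {})
    checks = {
        "sip-expectation or sip-helper": "disable" in (s.get("sip-expectation"), s.get("sip-helper")),
        "sip-nat-trace": s.get("sip-nat-trace") == "disable",
        "default-voip-alg-mode": s.get("default-voip-alg-mode") == "kernel-helper-based",
        "voip profile default rtp": sip.get("rtp") == "disable",
    }
    findings = [f"not set as in the steps: {k}" for k, ok in checks.items() if not ok]
    findings += [f"SIP session helper present: {p[-1]}" for p, v in tree.items()
                 if p[:1] == ("config system session-helper",) and v.get("name") == "sip"]
    return findings
```

Calling `audit_sip_alg(SAMPLE)` reports the leftover session helper entry, which is the state a device is in when Step 3 was skipped.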
