In FortiOS 5.2, all SIP traffic is handled by the FortiOS proxy/ALG by default. See the related article "SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2".
Note: In FortiOS 5.0, if no VoIP profile was applied, the SIP session helper would be applied.
Preparation:
In preparation for removing SIP proxy & session helper functionality, two additional steps are required.
1) Modify SIP server (if NAT is used)
If the SIP traffic is NAT'd when passing through the FortiGate, the SIP server must be configured to use its public IP address in the application header. All other VoIP equipment must also refer to the SIP server by its public IP.
2) Open up firewall policies on the FortiGate
Firewall policies must now explicitly allow all UDP ports to be opened for the audio traffic (and not only the SIP or SCCP control ports).
Step #1 – Removing the session helper.
A. Run the following commands:
    config system session-helper
        show
Among the displayed settings will be one similar to the following example:
        edit 13
            set name sip
            set protocol 17
            set port 5060
B. In this example the next commands would be:
        delete 13
    end
Step #2 – Change the default-voip-alg-mode setting. (VERY IMPORTANT!!!)
Run the following commands:
    config system settings
        set default-voip-alg-mode kernel-helper-based
    end
Step #3 – Either reboot or clear sessions to make sure changes take effect
a) To clear sessions run the command:
Ideally you would only delete sessions related to VoIP traffic. However, in the case of SIP, this means not only deleting the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. If you know the port-range used for the audio traffic, you can be selective with your session clear by first applying a filter.
diagnose system session filter ...
See: "Troubleshooting Tip : FortiGate Firewall session list information"
The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt traffic.
diagnose system session clear
b) Alternatively, reboot the FortiGate using either GUI or CLI. The CLI command is:
execute reboot
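The session-helper entry number differs between devices (13 and 10 in the examples on this page), so it has to be read from the configuration before anything is deleted. The Python below is an added example, not Fortinet code: it parses saved "show" output, finds the entry named sip, checks default-voip-alg-mode, and prints the CLI commands from Steps #1 and #2. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample of saved "show" output (not from a real device).
# default-voip-alg-mode is absent, so the FortiOS 5.2 default (proxy/ALG) applies.
SAMPLE_CONFIG = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
"""

def find_helper_ids(config_text, name="sip"):
    """Return the edit IDs of session-helper entries with the given name."""
    ids, in_block, current = [], False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system session-helper":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and (m := re.fullmatch(r"edit (\d+)", line)):
            current = int(m.group(1))
        elif in_block and line == f"set name {name}":
            ids.append(current)
    return ids

def voip_alg_mode(config_text):
    """Return the configured default-voip-alg-mode, or None if it is not set."""
    m = re.search(r"^\s*set default-voip-alg-mode (\S+)\s*$", config_text, re.M)
    return m.group(1) if m else None

def remediation_commands(config_text):
    """Build the CLI lines still needed to finish Steps #1 and #2."""
    cmds, ids = [], find_helper_ids(config_text)
    if ids:
        cmds += ["config system session-helper",
                 *[f"    delete {i}" for i in ids], "end"]
    if voip_alg_mode(config_text) != "kernel-helper-based":
        cmds += ["config system settings",
                 "    set default-voip-alg-mode kernel-helper-based", "end"]
    return cmds

if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

An empty result means both changes are already in place; sessions still have to be cleared or the unit rebooted as in Step #3.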
*********************************************************************************************
Additional Information
FortiOS has two features that can modify the SIP headers and SDP parameters. The first feature is called the “SIP Session Helper”. If you are experiencing one-way audio issues, disable this feature first, reboot your IP phone, then try making another call. If disabling the session helper does not work, disable the SIP ALG as well.
To disable the SIP session helper:
1 Enter the following command to find the sip session helper entry in the session-helper list:
    show system session-helper
        edit 10
            set name sip
            set port 5060
            set protocol 17
2 Enter the following commands to delete session-helper list entry number 10 to disable the SIP session helper:
    config system session-helper
        delete 10
    end
To disable the SIP ALG:
There are typically two VoIP profiles on a factory-shipped Fortinet firewall. You may need to disable both profiles to fully stop the ALG.
    config voip profile
        edit VoIP_Pro_2
            config sip
                set status disable
            end
    end