Disable SIP ALG on Fortinet-Fortigate Firewalls

Disable SIP ALG on Fortinet-Fortigate Firewalls

By default, a new Fortinet Firewall has SIP ALG enabled, a protocol to help with the voice-over-IP systems. Most of the time, this protocol causes issues with many SIP service providers, so it is recommended to disable it. 

The process to do so is depicted below:

1. Open the CLI interface for your Fortigate Firewall:
  1. Before making any changes be sure to backup your configuration.
2. In the CLI enter the following commands:
  1. Use the following commands for a device on FortiOS starting at 6.2.2
  2. config system settings
  3. set sip-expectation disable
  4. set sip-nat-trace disable
  5. set default-voip-alg-mode kernel-helper-based
  6. end

3. For devices below FortiOS version 6.2.2 use the following commands:
  1. config system settings
  2. set sip-helper disable
  3. set sip-nat-trace disable
  4. set default-voip-alg-mode kernel-helper-based
  5. end

4. If you encounter an error while entering set default-voip-alg-mode kernel-helper-based, ignore it.


5. Run the following commands:
  1. config system session-helper
  2. show
    1. Here you will want to find the entry for SIP, this is typically 12 or 13 but it may differ depending on the software version and model.
  3. delete 12
    1. If the entry found is 13 use delete 13 instead. 
  4. end

6. Enter the following commands in the CLI to disable RTP processing.
  1. config voip profile
  2. edit default
  3. config sip
  4. set rtp disable
  5. end
  6. end

7. Reboot your Fortigate Firewall. The reboot is needed to activate the changes we made with the config system session-helper command. 

8. Lastly, reboot all of your SIP Devices/Phones.
    • Related Articles

    • How to disable SIP ALG on SonicWALL Firewalls.

      Consistent NAT Click on VoIP Click on Settings Set Enable consistent NAT to enabled Every other checkbox on this page should be unchecked as well. Click Accept Advanced Firewall Settings Click on Firewall Settings Click on Advanced Set Enable Stealth ...
    • SIP ALG Issues with VoIP and why it should be disabled

      SIP ALG should be disabled for Voiceware VoIP system. Please note that on many routers and firewalls SIP ALG is by default enabled. To find out if SIP ALG is disabled, please download the attached file for Windows. 1. Make sure the Windows machine is ...
    • Disable SIP ALG - Ubiquiti EdgeRouter

      Disabling SIP ALG for Ubiquiti EdgeRouter User Interface Log in to EdgeMax User Interface The router default is set to 192.168.1.1 The default username and password: ubnt (Your IT admin likely updated the login credentials and default gateway IP ...
    • Disable SIP ALG - Ubiquiti EdgeRouter

      1. Log in to EdgeMax User Interface 1. The router default is set to 192.168.1.1 2. The default username and password: ubnt (Your IT admin likely updated the login credentials and default gateway IP address) 2. Select System -> Conntrack -> Modules -> ...
    • Supported Phones Models on Voiceware Platform

      Below are the current supported devices that can be used with Voiceware Platform. Newer models will be added when they become available. Brand and Models: 1. Cisco Cisco 6841 * Cisco 6851 * Cisco 7811 * Cisco 7821 * Cisco 7841 * Cisco 7861 * Cisco ...