By default, a new Fortinet firewall has SIP ALG (Application Layer Gateway) enabled, a feature intended to help voice-over-IP systems. Most of the time, it causes issues with many SIP service providers, so it is recommended to disable it.
The process to do so is described below:
1. Open the CLI for your FortiGate firewall. Before making any changes, be sure to back up your configuration.
2. In the CLI, enter the following commands. For a device on FortiOS starting at 6.2.2, use:
- config system settings
- set sip-expectation disable
- set sip-nat-trace disable
- set default-voip-alg-mode kernel-helper-based
- end
3. For devices below FortiOS version 6.2.2 use the following commands:
- config system settings
- set sip-helper disable
- set sip-nat-trace disable
- set default-voip-alg-mode kernel-helper-based
- end
4. If you encounter an error while entering set default-voip-alg-mode kernel-helper-based, ignore it.
5. Run the following commands:
- config system session-helper
- show
- In the output, find the entry for SIP. This is typically 12 or 13, but it may differ depending on the software version and model.
- delete 12
- If the entry found is 13, use delete 13 instead.
- end
6. Enter the following commands in the CLI to disable RTP processing.
- config voip profile
- edit default
- config sip
- set rtp disable
- end
- end
7. Reboot your FortiGate firewall. The reboot is needed to activate the changes made with the config system session-helper command.
8. Lastly, reboot all of your SIP Devices/Phones.
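
The lookup in step 5 can be done mechanically rather than by eye, which avoids deleting the wrong session helper when the SIP entry is not 12 or 13. The Python below is an added example, not part of the original procedure or any Fortinet tooling: it parses pasted `show` output and builds the delete commands for whichever entry is named sip. The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `show` output under `config system session-helper`
# (abridged; entry numbers differ by FortiOS version and model).
SAMPLE_SHOW = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
"""

def parse_session_helpers(show_output):
    """Return {entry_id: {setting: value}} from session-helper `show` output."""
    entries, current = {}, None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = int(m.group(1))
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                entries[current][parts[1]] = parts[2].strip('"')
    return entries

def sip_helper_ids(show_output):
    """IDs of every session-helper entry whose name is 'sip'."""
    helpers = parse_session_helpers(show_output)
    return sorted(i for i, s in helpers.items() if s.get("name") == "sip")

def delete_commands(show_output):
    """CLI lines that remove exactly the SIP entries found, or [] if none."""
    ids = sip_helper_ids(show_output)
    return ["config system session-helper", *(f"delete {i}" for i in ids), "end"] if ids else []

if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE_SHOW)) or "no SIP session helper present")
```

Running the same check on `show` output captured after the reboot in step 7 should return an empty list, confirming the SIP helper is gone.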