The SIP Application Layer Gateway (ALG) is enabled by default on FortiGate firewalls. I have seen a number of phone systems have trouble with phones registering when this is enabled, so the following steps can be used to disable the ALG. This is typically for hosted cloud-based phone systems where the phones have to register to a server hosted by a service provider and must traverse the firewall and NAT.
Backup the configuration before making these changes.
Run the following commands from the FortiGate firewall CLI:
config system settings
set sip-helper disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
Next, we need to locate the SIP entry in the session helper list and delete it:
config system session-helper
show
Scroll down until you see an entry for SIP. In most cases I have seen this listed as 13.
delete 13
end
Here is the original configuration for this block if you have to restore it:
edit 13
set name sip
set protocol 17
set port 5060
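Since the SIP helper is not always entry 13, the following added example (written for this post, not FortiGate tooling) parses the output of "show" under config system session-helper, finds the index of every helper named sip, and builds the matching delete commands. The sample output it runs over is constructed and abridged.

```python
import re
from typing import Dict, List, Optional

# Constructed, abridged sample of the output of "config system session-helper"
# followed by "show"; the real list is longer and the SIP index can differ.
SAMPLE_SHOW_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
end
"""

_EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s*$")

def parse_session_helpers(text: str) -> Dict[int, Dict[str, str]]:
    """Map each 'edit N' block to its set attributes (name, protocol, port)."""
    helpers: Dict[int, Dict[str, str]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if (m := _EDIT_RE.match(line)):
            current = int(m.group(1))
            helpers[current] = {}
        elif line.strip() == "next":
            current = None
        elif (m := _SET_RE.match(line)) and current is not None:
            helpers[current][m.group(1)] = m.group(2)
    return helpers

def sip_helper_indices(text: str) -> List[int]:
    """Indices of every helper named 'sip', so nothing is deleted blind."""
    return sorted(i for i, a in parse_session_helpers(text).items() if a.get("name") == "sip")

def delete_commands(text: str) -> List[str]:
    """CLI lines that remove only the SIP helper(s) found in the show output."""
    return ["config system session-helper"] + [f"delete {i}" for i in sip_helper_indices(text)] + ["end"]
```

Paste the real "show" output in place of the sample, and the generated lines are the ones to run; an empty result means no SIP helper is present and nothing should be deleted.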
Finally, we disable the RTP protocol processing on the firewall:
config voip profile
edit default
config sip
set rtp disable
end
end
A reboot was required to make this all take effect. Without the reboot, tests showed the ALG disabled, but calls were not working and phones did not register. This was a FortiGate running 6.0.4. Other times, with 6.0.5, I have noticed that the reboot was not required.