HowTo Disable SIP/VOIP helper/alg on Fortigate

Disabling SIP ALG


  1. Open the CLI interface for your Fortigate Firewall
    1. Before making any changes be sure to backup your configuration
  2. In the CLI enter the following commands
    1. Use the following commands for a device on FortiOS starting at 6.2.2
    2. config system settings
    3. set sip-expectation disable
    4. set sip-nat-trace disable
    5. set default-voip-alg-mode kernel-helper-based
    6. end
  3. For devices below FortiOS version 6.2.2 use the following commands
    1. config system settings
    2. set sip-helper disable
    3. set sip-nat-trace disable
    4. set default-voip-alg-mode kernel-helper-based
    5. end
  4. If you encounter and error while entering set default-voip-alg-mode kernel-helper-based go ahead and ignore it
  5. The rest of the configuration will be the same for all FortiOS versions
  6. Run the following commands
    1. config system session-helper
    2. show 
      1. Here you will want to find the entry for SIP, this is typically 12 but it may differ depending on software version and model
    3. delete 12
      1.  Alternatively use the entry you found in the previous step
    4. end
  7. Enter the following commands in the CLI to disable RTP processing
    1. config voip profile
    2. edit default
    3. config sip
    4. set rtp disable
    5. end
    6. end
  8. Once done go ahead and reboot the device, Fortigate firewalls do not require a reboot when you change configuration but in this case, we will need the reboot to activate the session helper changes
  9. Lastly, reboot all of your SIP Devices/Phones

see here https://voipdocs.io/en/articles/316-disabling-sip-alg-on-a-fortigate-firewall

sduncan