
VoIP Clients with FortiGates

(2017-01-11)

Problem

VoIP Clients with FortiGates

Solution

Disable the SIP ALG

config system settings
set sip-helper disable
set sip-nat-trace disable
end
config system session-helper
show    (locate the SIP entry, usually 13, but can vary)
delete 13 (or the number that you identified from the previous command)
end
config system settings
set default-voip-alg-mode kernel-helper-based
end

Then reboot the firewall so that all of the above changes take effect.

Alternatively

...a cheatsheet I found:

  1. remove SIP, RAS, and H323, usually by:
    config system session-helper
    delete 13
    delete 3
    delete 2
    end
  2. disable sip helper and nat trace
    config system settings
    set sip-helper disable
    set sip-nat-trace disable
    end
  3. edit voip profile
    config voip profile
    edit default
    config sip
    set status disable
    end
    end
  4. Flush ARP cache
    execute clear system arp table
  5. nuclear option, reset all sessions
    diagnose sys session clear

Bonus

Verify SIP ALG is off using these commands:

d sys sip mapping
d sys sip-proxy calls

The first should be blank, and the second should return an error:

sip calls
Could not connect to imd monitor on /tmp/imd_monitor_socket
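
Because the session-helper entry numbers can vary, a saved copy of the "show" output can be audited offline before any "delete" is typed. The following is an added example, not part of the original page or of Fortinet's tooling: the function names and the sample text are constructed, the input is assumed to follow the "show system settings" / "show system session-helper" layout, and a setting missing from that output is treated as not yet set.

```python
import re
# Constructed sample; hypothetical helper names. SIP is entry 21 here, not 13.
SAMPLE = """\
config system settings
    set sip-helper enable
    set default-voip-alg-mode proxy-based
end
config system session-helper
    edit 1
        set name pptp
        set port 1723
    next
    edit 3
        set name ras
        set port 1719
    next
    edit 21
        set name sip
        set port 5060
    next
end
"""
VOIP_HELPERS = {"sip", "ras", "h323"}
WANTED = {"sip-helper": "disable", "sip-nat-trace": "disable",
          "default-voip-alg-mode": "kernel-helper-based"}

def section(config, header):
    """Lines inside the top-level 'config <header>' ... 'end' block."""
    m = re.search(rf"^config {re.escape(header)}\n(.*?)^end$", config, re.S | re.M)
    return m.group(1).splitlines() if m else []

def voip_helper_ids(config):
    """Map name -> entry id for SIP/RAS/H323 session helpers still present."""
    found, current = {}, None
    for tok in map(str.split, section(config, "system session-helper")):
        if tok[:1] == ["edit"]:
            current = int(tok[1])
        elif tok[:2] == ["set", "name"] and tok[2] in VOIP_HELPERS:
            found[tok[2]] = current
    return found

def settings_to_fix(config):
    """Settings from the page whose value is missing or differs (assumption: missing = unset)."""
    seen = {t[1]: t[2] for t in map(str.split, section(config, "system settings"))
            if len(t) == 3 and t[0] == "set"}
    return {k: v for k, v in WANTED.items() if seen.get(k) != v}

if __name__ == "__main__":
    print(voip_helper_ids(SAMPLE), settings_to_fix(SAMPLE))
```

The ids returned by voip_helper_ids are the numbers to use with "delete" under "config system session-helper"; both functions return an empty dict once the steps above have been applied.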