Disabling SIP ALG on FortiGate Firewalls

SIP ALG (Application Layer Gateway) is a feature commonly found in network devices, including FortiGate firewalls, that attempts to assist with the translation of SIP (Session Initiation Protocol) traffic. However, in many cases, SIP ALG can cause issues with VoIP communication and lead to call quality problems. Disabling SIP ALG is recommended when dealing with VoIP services like SIP-based VoIP calls. This knowledge base article provides step-by-step instructions on how to disable SIP ALG on FortiGate firewalls.

Prerequisites

  1. Access to FortiGate Firewall: You must have administrative access to the FortiGate firewall’s web-based management interface.
  2. Knowledge of SIP and VoIP: Understanding SIP and VoIP concepts will help you understand the implications of disabling SIP ALG.

Configuration Steps

Step 1: Log into the FortiGate Web Interface

  1. Open a web browser and enter the IP address of the FortiGate firewall in the address bar.
  2. Log in using your administrator credentials.

Step 2: Disable SIP ALG

  1. In the FortiGate web interface, navigate to “Security Profiles” and then click on “Application Control.”
  2. In the “Application Overrides” section, look for “SIP.” This is where SIP ALG settings are configured.
  3. Locate the “SIP ALG” option and make sure it is disabled. If it’s already disabled, you’re good to go. If it’s enabled, disable it by unchecking the box.

Step 3: Verify and Save Changes

  1. After disabling SIP ALG, verify that the changes have been saved. Double-check the “SIP ALG” option to ensure it remains disabled.
  2. If you’re using multiple FortiGate firewalls in a cluster or high availability setup, make sure to disable SIP ALG on all applicable devices.

Step 4: Monitor VoIP Traffic

  1. Test your VoIP services to ensure that disabling SIP ALG hasn’t caused any issues with call quality or connectivity.
  2. Monitor your VoIP traffic over a period of time to ensure that the disabling of SIP ALG has resolved any previous problems caused by its interference.

Step 5: Revert or Adjust if Necessary

  1. If you encounter any unforeseen issues after disabling SIP ALG, you may need to revert the change temporarily while you investigate the problem.
  2. If necessary, you can consult FortiGate documentation or support resources for additional guidance on troubleshooting and configuration adjustments.

Conclusion

Disabling SIP ALG on FortiGate firewalls is a recommended step when dealing with SIP-based VoIP services to ensure better call quality and connectivity. SIP ALG interference can lead to various issues, and disabling it can help mitigate these problems. By following the steps outlined in this knowledge base article, you can effectively disable SIP ALG in your FortiGate firewall and monitor the impact on your VoIP services. Remember that proper testing and monitoring are essential to ensuring the success of this configuration change.