How to disable SIP ALG on a Fortigate Firewall
The following article will show you how to disable the SIP ALG setting on a Fortigate Firewall.
Requirements:
- CLI access to the Fortigate Firewall
Disable SIP ALG
- Open the CLI interface for your Fortigate Firewall
- Before making any changes, be sure to back up your configuration
- Use the following commands for a device on FortiOS starting at 6.2.2
    config system settings
        set sip-expectation disable
        set sip-nat-trace disable
        set default-voip-alg-mode kernel-helper-based
    end
- For devices below FortiOS version 6.2.2 use the following commands
    config system settings
        set sip-expectation disable
        set sip-nat-trace disable
        set default-voip-alg-mode kernel-helper-based
    end
- If you encounter an error while entering
    set default-voip-alg-mode kernel-helper-based
  go ahead and ignore it
- The rest of the configuration will be the same for all FortiOS versions
- Run the following commands
    config system session-helper
        show
- Here you will want to find the entry for SIP. This is typically 12, but it may differ depending on software version and model
        delete 12
- Alternatively use the entry you found in the previous step
    end
- Enter the following commands in the CLI to disable RTP processing
    config voip profile
        edit default
            config sip
                set rtp disable
            end
    end
- Once done, reboot the device. Fortigate firewalls do not require a reboot when you change configuration, but in this case we will need the reboot to activate the session helper changes
- Lastly, reboot all of your SIP Devices/Phones