Disable VoIP Inspection on Fortinet

Disabling VoIP Inspection

Products
FortiGate v5.2

Description
In most cases, Fortinet recommends the use of SIP/SCCP proxy/ALG.

Use of an Application Layer Gateway (ALG) allows for:

1) modification of IP addresses in the application payload when NAT is used
2) dynamic opening of data ports ("pinholes") as required to allow audio traffic. Otherwise, firewall policies
need to statically open a wide range of ports.
3) inspection and logging of VoIP traffic (if using the ALG/proxy instead of the session helper)

For more details on the benefits of the SIP ALG in FortiOS, as well as information on how to troubleshoot SIP
issues, please consult the VoIP Solutions handbook.

That said, this article explains how to disable use of the SIP or SCCP proxy/ALG or session helper (legacy
ALG). In this mode, the FortiGate acts as a basic firewall for VoIP traffic: no payload rewriting, no pinholes,
no SIP-aware inspection or logging.

Reasons to disable VoIP inspection might include:

1) troubleshooting (to isolate the problem)
2) as a workaround, either to address incorrect FortiGate SIP ALG behavior or to allow non-standard SIP
handling in the overall VoIP deployment

Solution

In FortiOS 5.2, the default is for all SIP traffic to be handled by the proxy/ALG, whether or not a VoIP
profile is applied to the firewall policy.
See related article "SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2"

Note: In FortiOS 5.0, if no VoIP profile was applied to the policy, the SIP session helper handled the traffic
instead.

Preparation:
In preparation for removing the SIP proxy and session helper functionality, two additional steps are required.

1) Modify the SIP server (if NAT is used)

If the SIP traffic is NATed when passing through the FortiGate, the SIP server must be configured to use its
public IP address in the application header (Via, Contact and SDP fields), since the FortiGate will no longer
rewrite them. All other VoIP equipment must also refer to the SIP server by its public IP.

2) Open up firewall policies on the FortiGate

Firewall policies must now explicitly allow the UDP port range used for the audio (RTP) traffic, not only the
SIP or SCCP control ports, because the ALG will no longer open pinholes dynamically. Keep the statically
opened range as narrow as the PBX/phones allow and restrict it to the VoIP endpoints rather than to "all".
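As an added illustration of preparation step 2 (this is not configuration from the original article), the two policy shapes in FortiOS 5.2 CLI syntax. The interface names, the address object, its IP 203.0.113.10 and the RTP range 10000-20000 are assumed for the example; use the media port range your SIP server actually negotiates. The first policy is enough while the ALG is active, because the ALG opens audio pinholes as calls are set up; the second is what basic-firewall mode needs, with the RTP range opened statically but only towards the SIP server.

```fortios
# Address object for the SIP server / media gateway (assumed IP).
config firewall address
    edit "SIP-Server"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Custom service for the audio port range (assumed range).
config firewall service custom
    edit "RTP-Audio"
        set udp-portrange 10000-20000
    next
end

# BEFORE: relies on the ALG. Only SIP signalling (predefined service "SIP",
# UDP/5060) is listed; the ALG pinholes the RTP ports per call. Once the
# proxy/ALG and session helper are removed, audio is dropped by this policy.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SIP-Server"
        set action accept
        set schedule "always"
        set service "SIP"
    next
end

# AFTER: basic-firewall mode. SIP plus the whole RTP range is opened
# statically, so the destination is pinned to the SIP server to keep the
# wide UDP range from becoming a general-purpose hole.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SIP-Server"
        set action accept
        set schedule "always"
        set service "SIP" "RTP-Audio"
    next
end
```

Inbound calls need the matching reverse policy (wan1 to internal, normally through a VIP for the SIP server), with the same service list. If a VoIP profile is still set on the policy, it must be removed as well, otherwise that traffic is still sent to the proxy.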

Step #1 - Removing the session helper.

A. Run the following commands:

    config system session-helper
        show

Amongst the displayed settings will be one similar to the following example:

    edit 13
        set name sip
        set protocol 17
        set port 5060

B. In this example, the next commands would be:

    delete 13
    end

Step #2 - Change the default-voip-alg-mode.

Without this step, deleting the session helper is not enough in FortiOS 5.2: SIP traffic would still be sent to
the proxy/ALG. Run the following commands (the setting is per VDOM, so enter the VDOM first if VDOMs are
enabled):

    config system settings
        set default-voip-alg-mode kernel-helper-based
    end

Step #3 - Either reboot or clear sessions to make sure the changes take effect.

a) Clear sessions.

Ideally you would delete only the sessions related to VoIP traffic. However, in the case of SIP, this means
deleting not only the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. If you
know the port range used for the audio traffic, you can be selective by first applying a filter:

    diagnose system session filter ...

See: "Troubleshooting Tip: FortiGate Firewall session list information"

The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt
traffic:

    diagnose system session clear

b) Alternatively, reboot the FortiGate using either the GUI or the CLI. The CLI command is:

    execute reboot
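The three steps above as one CLI session, added here as an example and not taken from the original article. The session-helper index 13, the VDOM name root and the RTP range 10000-20000 are assumptions; take the index from your own "show" output and the range from your SIP server. The two-argument form of the dport filter (a min and max port) is how the session filter accepts a range, and the filter is cleared between uses so a stale filter does not silently narrow or widen the clear.

```fortios
# Enter the VDOM if VDOMs are enabled (assumed VDOM name); system settings
# is a per-VDOM table in FortiOS 5.2.
config vdom
    edit root

# 0. Check the current mode; the 5.2 default is proxy-based.
show full-configuration system settings | grep default-voip-alg-mode

# 1. Remove the SIP session helper. The index differs per unit, so read it
#    from the "show" output before deleting. If SCCP is also in scope, delete
#    the "sccp" entry (TCP/2000) in the same way.
config system session-helper
    show
    delete 13
end

# 2. Stop new SIP sessions from being redirected to the proxy/ALG. Without
#    this, step 1 alone changes nothing in 5.2.
config system settings
    set default-voip-alg-mode kernel-helper-based
end

# 3a. Clear only the affected sessions, signalling first, then audio.
#     Existing sessions keep their helper/proxy binding until they expire
#     or are cleared, so a call set up before step 2 still goes through
#     the old path.
diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session filter dport 5060
diagnose sys session list
diagnose sys session clear

diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session filter dport 10000 20000
diagnose sys session list
diagnose sys session clear
diagnose sys session filter clear

# 3b. Or, inside a maintenance window, reboot instead of clearing:
# execute reboot

# 4. Verify after placing a test call: a new UDP/5060 session should no
#    longer carry the "helper=sip" marker that session-helper handling adds.
diagnose sys session filter clear
diagnose sys session filter dport 5060
diagnose sys session list
diagnose sys session filter clear

    next
end
```

Run the filtered list before each clear and read it: if the RTP filter matches sessions that are not VoIP (another application using the same UDP range), narrow the filter with src or dst to the SIP server before clearing.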
