Troubleshooting Tip: FortiGate changing SDP media IP & port randomly when SIP-ALG is enabled
| Description | This article describes an issue where the FortiGate firewall changes the SDP media IP & port randomly. |
| Scope | FortiGate 7.2.x, 7.4.x & 7.6.x. |
| Solution | It has been observed that when SIP-ALG is enabled and SIP traffic passes through the FortiGate firewall, the SDP media IP & port information is altered if the destination port is other than 5060.
Ingress SDP packet:
Egress SDP packet:
This happens because SIP-ALG only listens on destination port 5060. SIP traffic on ports other than 5060 is not handled by SIP-ALG, even if a VoIP profile is configured for that policy.
When 'set helper sip' is configured under the service, SIP traffic is likewise handled not by SIP-ALG but by the SIP kernel helper, which is no longer supported.
edit "SIP_5060-5100"
    set helper sip
    set udp-portrange 5060-5100
next
Currently, the FortiGate SIP-ALG supports a maximum of two ports. This can be configured with the following command:
config system settings
    set sip-udp-port 5060 5070
    set gui-voip-profile enable
end |
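To confirm the symptom from captures taken on the ingress and egress side of the firewall, the SDP connection address and media port of the same SIP message can be compared. The following is an added example, not part of the original article or Fortinet tooling; the SIP messages, addresses and ports in it are constructed samples.

```python
"""Compare the SDP media endpoints of one SIP message seen before and after a firewall."""

def sdp_media_endpoints(sip_message):
    """Return [(media, ip, port), ...] taken from the SDP body of a SIP message."""
    # The SDP body starts after the first blank line that ends the SIP headers.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_ip = None
    endpoints = []
    for line in body.splitlines():
        if line.startswith("c="):            # e.g. c=IN IP4 192.0.2.10
            ip = line.split()[-1].split("/")[0]
            if endpoints:                    # media-level c= overrides session-level
                media, _, port = endpoints[-1]
                endpoints[-1] = (media, ip, port)
            else:
                session_ip = ip
        elif line.startswith("m="):          # e.g. m=audio 20000 RTP/AVP 0 8
            media, port = line[2:].split()[:2]
            endpoints.append((media, session_ip, int(port.split("/")[0])))
    return endpoints

def sdp_rewrites(ingress, egress):
    """Return (media, (ip_in, port_in), (ip_out, port_out)) for each changed stream."""
    changes = []
    for before, after in zip(sdp_media_endpoints(ingress), sdp_media_endpoints(egress)):
        if before[1:] != after[1:]:
            changes.append((before[0], before[1:], after[1:]))
    return changes

def sample_invite(ip, port):
    """Constructed INVITE sent to a non-5060 destination port (5080)."""
    return ("INVITE sip:bob@198.51.100.20:5080 SIP/2.0\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
            f"c=IN IP4 {ip}\r\nt=0 0\r\n"
            f"m=audio {port} RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")

# Constructed sample values standing in for the two packet captures.
INGRESS = sample_invite("192.0.2.10", 20000)
EGRESS = sample_invite("203.0.113.5", 41234)

if __name__ == "__main__":
    for media, before, after in sdp_rewrites(INGRESS, EGRESS):
        print(f"{media}: {before[0]}:{before[1]} -> {after[0]}:{after[1]}")
```

An empty result for a flow means the SDP passed through unchanged.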

