Roman_Gelfand
New Member
November 1, 2010
Question

SIP ALG

Is it possible to tell the ALG not to modify the SIP message body, as sipX, the SIP proxy server, is looking for the original headers? Or perhaps you have a suggestion on how to handle it differently? Can the FortiGate act as a SIP proxy and make a trunk connection to the ITSP? Thanks in advance.

    4 replies

    lmuir
    New Member
    November 5, 2010
    This appears to be all you can do with it -

        FGT80C (sip) # set
        status                                enable SIP
        rtp                                   create pinholes for RTP traffic to traverse firewall
        open-register-pinhole                 Open pinhole for REGISTER Contact port
        open-contact-pinhole                  Open pinhole for non-REGISTER Contact port
        strict-register                       only allow the registrar to connect
        register-rate                         REGISTER request rate limit (per second, per policy)
        invite-rate                           INVITE request rate limit (per second, per policy)
        max-dialogs                           maximum number of concurrent calls/dialogs (per policy)
        max-line-length                       maximum SIP header line length (78-4096)
        block-long-lines                      block requests with headers exceeding max-line-length
        block-unknown                         block unrecognized SIP requests (enabled by default)
        call-keepalive                        continue tracking calls with no RTP for this many minutes
        block-ack                             block ACK requests
        block-bye                             block BYE requests
        block-cancel                          block CANCEL requests
        block-info                            block INFO requests
        block-invite                          block INVITE requests
        block-message                         block MESSAGE requests
        block-notify                          block NOTIFY requests
        block-options                         block OPTIONS requests, and no OPTIONS as notifying message for redundancy either
        block-prack                           block prack requests
        block-publish                         block PUBLISH requests
        block-refer                           block REFER requests
        block-register                        block REGISTER requests
        block-subscribe                       block SUBSCRIBE requests
        block-update                          block UPDATE requests
        reg-diff-port                         open pinhole for Via port
        rfc2543-branch                        support via branch compliant with RFC 2543
        log-violations                        enable logging of SIP violations
        log-call-summary                      enable logging of SIP call summary
        nat-trace                             preserve original ip in SDP i line
        subscribe-rate                        SUBSCRIBE request rate limit (per second, per policy)
        message-rate                          MESSAGE request rate limit (per second, per policy)
        notify-rate                           NOTIFY request rate limit (per second, per policy)
        refer-rate                            REFER request rate limit (per second, per policy)
        update-rate                           UPDATE request rate limit (per second, per policy)
        options-rate                          OPTIONS request rate limit (per second, per policy)
        ack-rate                              ACK request rate limit (per second, per policy)
        prack-rate                            PRACK request rate limit (per second, per policy)
        info-rate                             INFO request rate limit (per second, per policy)
        publish-rate                          PUBLISH request rate limit (per second, per policy)
        bye-rate                              BYE request rate limit (per second, per policy)
        cancel-rate                           CANCEL request rate limit (per second, per policy)
        preserve-override                     override i line to preserve original IPs (default: append)
        no-sdp-fixup                          no SDP fixup
        contact-fixup                         fixup contact anyway even if contact's ip:port doesn't match session's ip:port
        max-idle-dialogs                      maximum number established but idle dialogs to retain (per policy)
        block-geo-red-options                 block OPTIONS requests, but OPTIONS requests still notify for redundancy
        hosted-nat-traversal                  Hosted NAT Traversal (HNT)
        hnt-restrict-source-ip                Restrict RTP source IP to be the same as SIP source IP when HNT is enabled
        max-body-length                       maximum SIP message body length (0 meaning no limit)
        unknown-header                        action for unknown SIP header
        malformed-request-line                action for malformed request line
        malformed-header-via                  action for malformed Via header
        malformed-header-from                 action for malformed From header
        malformed-header-to                   action for malformed To header
        malformed-header-call-id              action for malformed Call-ID header
        malformed-header-cseq                 action for malformed CSeq header
        malformed-header-rack                 action for malformed RAck header
        malformed-header-rseq                 action for malformed RSeq header
        malformed-header-contact              action for malformed Contact header
        malformed-header-record-route         action for malformed Record-Route header
        malformed-header-route                action for malformed Route header
        malformed-header-expires              action for malformed Expires header
        malformed-header-content-type         action for malformed Content-Type header
        malformed-header-content-length       action for malformed Content-Length header
        malformed-header-max-forwards         action for malformed Max-Forwards header
        malformed-header-allow                action for malformed Allow header
        malformed-header-p-asserted-identity  action for malformed P-Asserted-Identity header
        malformed-header-sdp-v                action for malformed SDP v line
        malformed-header-sdp-o                action for malformed SDP o line
        malformed-header-sdp-s                action for malformed SDP s line
        malformed-header-sdp-i                action for malformed SDP i line
        malformed-header-sdp-c                action for malformed SDP c line
        malformed-header-sdp-b                action for malformed SDP b line
        malformed-header-sdp-z                action for malformed SDP z line
        malformed-header-sdp-k                action for malformed SDP k line
        malformed-header-sdp-a                action for malformed SDP a line
        malformed-header-sdp-t                action for malformed SDP t line
        malformed-header-sdp-r                action for malformed SDP r line
        malformed-header-sdp-m                action for malformed SDP m line
        provisional-invite-expiry-time        The expiry time (10-3600, in seconds) for provisional INVITE

    There's also a SIP document - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=Fortigate-VOIP-SIP-40-MR2pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=11393521&stateId=0%200%2011391836
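
An added example, not part of any post in this thread: when a proxy rejects messages that crossed the firewall, comparing the same SIP message captured on each side shows exactly which headers and SDP lines were rewritten in transit. The INVITE, the addresses and the function names below are constructed for illustration.

```python
# Added example (not from the thread): list the SIP headers and SDP lines that
# differ between captures of one message taken inside and outside the firewall.

def parse_sip(raw):
    """Split a SIP message into (start_line, [(header, value)], [(sdp_type, value)])."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines, headers = head.split("\n"), []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:    # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    sdp = [(l[:1], l[2:]) for l in body.split("\n") if l]
    return lines[0], headers, sdp

def _index(pairs):
    """Key repeated fields by occurrence: ('via', 0), ('via', 1), ..."""
    seen, out = {}, {}
    for name, value in pairs:
        out[(name, seen.get(name, 0))] = value
        seen[name] = seen.get(name, 0) + 1
    return out

def alg_rewrites(inside, outside):
    """Return [(section, field, before, after)] for every field that changed."""
    s1, h1, b1 = parse_sip(inside)
    s2, h2, b2 = parse_sip(outside)
    changes = [("start-line", "", s1, s2)] if s1 != s2 else []
    for section, a, b in (("header", _index(h1), _index(h2)),
                          ("sdp", _index(b1), _index(b2))):
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):           # None means added or removed
                changes.append((section, key[0], a.get(key), b.get(key)))
    return changes

# Constructed sample INVITE; addresses are private/documentation ranges.
TEMPLATE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:alice@{ip}:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 {ip}\r\ns=-\r\n"
    "c=IN IP4 {ip}\r\nt=0 0\r\nm=audio {port} RTP/AVP 0\r\n")
INSIDE = TEMPLATE.format(ip="192.168.1.10", port=49170)
OUTSIDE = TEMPLATE.format(ip="203.0.113.7", port=52000)
```

Calling `alg_rewrites(INSIDE, OUTSIDE)` on real captures of one Call-ID gives the list of fields to compare against what the proxy expects.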
    beaven67
    New Member
    February 3, 2011
    I've got several Fortigate firewalls in use with a hosted PBX solution from a Telco provider where I had some similar SIP issues. I was getting registration timeouts, intermittent disconnects, etc. I ended up removing the SIP session helper and that fixed the issues.
    red_adair
    New Member
    March 31, 2011
    The SIP Session Helper is not the SIP ALG. The SIP-Session helper is a very trivial implementation and is defined under

        # conf sys session-helper

    The SIP-ALG is its own "big" ALG, being set per Policy (VoIP Profile under UTM). It's much more comprehensive - the CLI commands before are extracted from it. Ideally one would use the SIP-ALG, not the session-helper. -R.
    John_Stoker
    Explorer
    April 8, 2011
    Very good synopsis Red! Thank you for letting us all know.