HSP_sfra
New Member
April 27, 2018
Question

SIP ALG per policy


Hello, we have acquired a new cloud-based VoIP solution, and it's required that we disable SIP ALG on the firewall. I would prefer not having to do that for the entire firewall.

 

Is there any way to disable SIP ALG for a single IPv4 policy? We use a FortiGate 800C with OS 5.4.

 

Thanks in advance,

 

Scott 

    2 replies

    Bubu
    New Member
    April 27, 2018

    Hi Scott,

    No, unfortunately you cannot enable/disable it per interface; it is a system setting. The only solution I see for you, in order to keep both, is to create multiple VDOMs and enable the ALG on one and disable it on the other.

    Best regards,

    Bubu

    DSC
    New Member
    April 28, 2018

    Hi, you can do it with this VoIP profile in the matching policy!

     

    config voip profile
        edit "VoIP_ALG_Off"
            config sip
                set status disable
                set strict-register disable
            end
        next
    end

     

    and read

    http://kb.fortinet.com/kb...ateId=1%200%2033716132

    HSP_sfra
    Author
    New Member
    April 30, 2018

    Daniel.Schuessler@infoteq.de wrote:

    Hi, you can do it with this VoIP profile in the matching policy!

     

    config voip profile
        edit "VoIP_ALG_Off"
            config sip
                set status disable
                set strict-register disable
            end
        next
    end

     

    and read

    http://kb.fortinet.com/kb...ateId=1%200%2033716132

    That worked perfectly, thank you!

     

    I never saw the VoIP profile option as it was not a feature we had enabled in the System > Feature Select tab. 

    saneeshpv_FTNT
    Staff
    May 6, 2018

    Hi,

     

    Just FYI

     

    https://docs.fortinet.com...1/fortigate-sip-56.pdf

    FortiGate supports two features: one is the SIP ALG, configured by creating a VoIP profile; the other is the SIP session helper.

    If there is no profile applied to the policy, the default system settings determine which one handles the VoIP traffic (SIP ALG or SIP session helper).

     

    config system settings
        set default-voip-alg-mode proxy-based                    << this will say ALG will handle traffic
    end

     

    config system settings
        set default-voip-alg-mode kernel-helper-based        << this will tell the SIP session helper to handle the VoIP traffic
    end

     

    You may use the method provided in the earlier update to disable SIP ALG per policy.

     

    If you are using the SIP helper, you can still disable the SIP session helper per policy (supported from 5.4.5 onwards).

     

    1. Add a new service, disable session helper:

    config firewall service custom
        edit "ALL_nohelper"
            set protocol IP
            set helper disable
        next
    end

    2. Call this service under the firewall policy:

    config firewall policy
        edit 3
            set service "ALL_nohelper"
        next
    end

     

    Hope it was useful

     

    Regards,

    Saneesh
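
Added example, not written by any poster in this thread: a Python check that reads a FortiGate configuration backup and reports, for each firewall policy, whether an attached VoIP profile or the system-wide default-voip-alg-mode decides SIP handling, following the description in the last reply. The sample config, the policy IDs, the `voip-profile` policy setting used to attach the profile, and the function names are assumptions for illustration.

```python
import shlex
# Constructed sample in FortiGate backup syntax (not from a real device).
SAMPLE = """
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config voip profile
    edit "VoIP_ALG_Off"
        config sip
            set status disable
        end
    next
end
config firewall policy
    edit 3
        set service "SIP"
    next
    edit 7
        set voip-profile "VoIP_ALG_Off"
    next
end
"""

def parse(text):
    # Flatten nested config/edit blocks into {(path..., key): [values]}.
    path, out = [], {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
        elif tok[0] in ("end", "next"):
            path.pop()
        elif tok[0] == "set":
            out[tuple(path) + (tok[1],)] = tok[2:]
    return out

def sip_handling(text):
    # Map each policy ID to the setting that decides its SIP handling.
    cfg = parse(text)
    one = lambda *key: (cfg.get(key) or ["unset"])[0]
    report = {}
    for pid in sorted({k[1] for k in cfg if k[0] == "firewall policy"}, key=int):
        prof = one("firewall policy", pid, "voip-profile")
        if prof != "unset":
            status = one("voip profile", prof, "sip", "status")
            report[pid] = f"profile {prof}: sip status {status}"
        else:
            mode = one("system settings", "default-voip-alg-mode")
            report[pid] = f"system default: {mode}"
    return report
```

A value of "unset" means the backup does not contain that setting, so the firmware default applies.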