FortiGate
gmanea (Staff)
Article Id 192004

Description


This article explains why Fortinet recommends disabling the SIP session-helper (Layer 4) and using the SIP Application Layer Gateway (ALG) (Layer 7) instead.
Currently supported FortiOS versions have SIP-ALG enabled by default.
If SIP-ALG has been disabled on a recent firmware, enable it with:


config system settings
    set default-voip-alg-mode proxy-based
end


Disabling SIP-ALG is a single command, but enabling SIP-ALG requires a reboot of the FortiGate in some cases.

If the statistics shown by 'diagnose sys sip-proxy stats' do not increase as calls are made, a reboot is necessary.


The rest of this article was written for older FortiOS firmware, though similar steps apply to current versions.


Scope


FortiGate.

Solution


Until FortiOS v5.0, the session-helper was the default SIP inspection mechanism.

Starting with FortiOS v5.2, SIP-ALG is enabled by default.
It is not necessary to apply a VoIP profile to a firewall policy for SIP-ALG to be applied: when SIP traffic is detected, the FortiGate uses the 'default' VoIP profile.

The default VoIP profile can be modified from its default settings.
For example, the following makes the FortiGate use the SIP session-helper for SIP (while keeping SCCP and other voice traffic under SIP-ALG inspection):


config voip profile
    edit default
        config sip
            set status disable
        end
    next
end


The procedure to enable the ALG profile before FortiOS v5.2:

  1. Check the ID of the SIP session-helper:


show system session-helper
    edit 12 [*]
        set name sip
        set port 5060
        set protocol 17
    next


[*] Use this ID in the next step.

  2. Remove this session-helper:


config system session-helper
(session-helper) delete 12
(session-helper) end


  3. Reboot the FortiGate for the above changes to take effect.

  4. Enable the VoIP feature from the WebGUI under System -> Config -> Features.

  5. Create a VoIP profile with SIP enabled.

Note:
The instructions below are for FortiOS firmware versions 4.0 to 5.2.

Enter the following commands to create a VoIP profile for SIP that limits REGISTER and INVITE requests to 100 requests per second per firewall policy (the values are given as an example):


config voip profile
    edit "test"
        config sip
            set register-rate 100
            set invite-rate 100
            set block-long-lines disable
            set block-unknown disable
        end
    next
end


  6. Enable this VoIP profile in the appropriate firewall policy (or policies), for example:


config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set utm-status enable
        set voip-profile "test"
        set profile-protocol-options "default"
        set nat enable
    next
end
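As an added example (not Fortinet's code or output), the following Python script parses the FortiOS configuration format used throughout this article (config / edit / set / next / end blocks) as found in a saved configuration backup, and reports the state of SIP handling: whether a SIP session-helper entry is still configured, whether default-voip-alg-mode is proxy-based, whether the default VoIP profile has SIP inspection disabled, and which firewall policies rely on the default VoIP profile instead of an explicit one. The SAMPLE_CONFIG text is constructed for the demonstration; the session-helper ID 12 and the profile name "test" mirror the article, while the remaining entries and values are assumptions.

```python
import shlex

# Constructed sample of FortiOS CLI configuration text (not from any real device).
# It deliberately still contains the SIP session-helper entry and a default VoIP
# profile with SIP inspection disabled, so the audit has something to report.
SAMPLE_CONFIG = """\
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config system session-helper
    edit 1
        set name ftp
        set port 21
        set protocol 6
    next
    edit 12
        set name sip
        set port 5060
        set protocol 17
    next
end
config voip profile
    edit "default"
        config sip
            set status disable
        end
    next
    edit "test"
        config sip
            set register-rate 100
            set invite-rate 100
        end
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set voip-profile "test"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS 'config/edit/set/next/end' text into a dict.

    Keys are tuples such as ('config firewall policy', 'edit 1');
    values map each 'set' key to its list of arguments.
    """
    tree = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#config-version=' style comments
        tokens = shlex.split(line)
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            stack.append("config " + " ".join(args))
        elif verb == "edit":
            stack.append("edit " + args[0])
        elif verb in ("next", "end"):
            if stack:
                stack.pop()
        elif verb == "set":
            tree.setdefault(tuple(stack), {})[args[0]] = args[1:]
        elif verb == "unset":
            tree.get(tuple(stack), {}).pop(args[0], None)
    return tree


def entry_id(path):
    """'edit 12' -> '12' for the entry element of a two-level path."""
    return path[1].split(" ", 1)[1]


def sip_session_helpers(tree):
    """IDs of 'config system session-helper' entries named sip."""
    return [entry_id(p) for p, s in tree.items()
            if len(p) == 2 and p[0] == "config system session-helper"
            and s.get("name") == ["sip"]]


def policies_without_voip_profile(tree):
    """Firewall policy IDs that carry no explicit voip-profile."""
    return [entry_id(p) for p, s in tree.items()
            if len(p) == 2 and p[0] == "config firewall policy"
            and "voip-profile" not in s]


def audit(text):
    """Return human-readable findings about SIP handling in the config."""
    tree = parse_fortios_config(text)
    findings = []
    helpers = sip_session_helpers(tree)
    if helpers:
        findings.append("SIP session-helper still present (id %s): delete it so "
                        "SIP is handled by SIP-ALG" % ", ".join(helpers))
    mode = tree.get(("config system settings",), {}).get("default-voip-alg-mode")
    if mode != ["proxy-based"]:
        findings.append("default-voip-alg-mode is %s, expected proxy-based"
                        % (mode[0] if mode else "unset"))
    sip = tree.get(("config voip profile", "edit default", "config sip"), {})
    if sip.get("status") == ["disable"]:
        findings.append("default VoIP profile has SIP inspection disabled "
                        "(SIP is handed to the session-helper)")
    missing = policies_without_voip_profile(tree)
    if missing:
        findings.append("policies relying on the default VoIP profile: %s"
                        % ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

To check a real device, read a configuration backup into a string and pass it to audit(); an empty list means the SIP session-helper is gone, the ALG mode is proxy-based, the default profile still inspects SIP, and every policy names a VoIP profile explicitly.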


Related documents: