FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 211669
Description This article describes methods to choose SIP-ALG and Session Helper.
Scope SIP ALG/Session Helper.

By default, FortiGate is using SIP ALG to process SIP traffic however some SIP providers recommend disabling SIP ALG in the firewall.


Proxy-based – default SIP ALG mode
Kernel-helper-based – SIP session helper


Below are points that need to be understood:


If proxy-based is selected which is a default mode, then no matter if session helper is configured, ALG mode supersedes and session helper is doing nothing.

If kernel-helper-based is configured then it means that traffic is relying on session helper to assist the VOIP traffic.

Once session helper number 13 is deleted, and does not change default-voip-alg-mode proxy-based then basically traffic is relying on IPv4 policy. In other words, ALG is not configured and session helper is also not going to kick in since number 13 is deleted.

If for example under the VOIP profile, SIP is disabled but default-voip-alg-mode is set to proxy-based, then, in that case, the SIP session helper will be used and not the default ALG.

If firewall ipv4 policy has VoIP profile applied then SIP-ALG superseded over session-helper even if system setting is configured with 'set default-voip-alg-mode Kernel-helper-based'.

For the session-helper to kick in, make sure the VOIP profile is not enabled in the firewall ipv4 policy.




- For traffic inspected by a helper, debug flow shows:


run helper-ftp(dir=original)


run helper-ftp(dir=reply)

- For traffic matching an expected session, debug flow shows:

Find an EXP session, id 00016f90

- SIP real-time debug:


# diagnose debug application im 31
# diagnose debug application sip <debug level> <----- For example 31(1+2) as per below screenshot.
# diagnose debug enable