FortiGate
JHelio
Staff
Article Id 246687
Description

This article describes how to apply a VoIP profile so that SIP inspection (the SIP ALG) is not performed on specific traffic crossing an IPv4 policy.

 

Recent FortiGate versions have the VoIP SIP ALG enabled globally by default. Sometimes a FortiGate has to handle more than one VoIP solution, where one solution needs the SIP ALG active and the others do not, typically because the PBX or SBC already handles NAT traversal and does not tolerate the firewall rewriting its SIP headers and SDP.

 

Default FortiGate configuration:

 

config system settings
    set default-voip-alg-mode proxy-based  <----- SIP ALG enabled.
end

 

Note:

If the global ALG mode is set to kernel helper mode (set default-voip-alg-mode kernel-helper-based), SIP is handled by the kernel session helper instead of the SIP proxy. A different VoIP profile can still be used in that mode, but the firewall policy that carries it must be in proxy inspection mode.

To exempt traffic from the SIP session helper in kernel mode, create a custom service with the helper disabled and use that service in the firewall policy that allows the SIP traffic:

config firewall service custom
    edit "SIP-Helper-disable"
        set udp-portrange 5060
        set helper disable <----- Do not attach the SIP session helper to matching sessions.
    next
end
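A complete worked configuration for the kernel-helper case, added here as an example and not taken from the original article. It assumes port1 is the LAN interface, port2 is the WAN interface, the PBX that must not be touched by the helper lives in 10.10.20.0/24, and policy IDs 10 and 11 are free; all of these are placeholders.

```fortios
# Added example, not from the original article. Interface names, the
# address object, subnet and policy IDs are assumptions; adjust to fit.

# 1. Global ALG mode: SIP is handled by the kernel session helper.
config system settings
    set default-voip-alg-mode kernel-helper-based
end

# 2. Custom SIP service with the session helper disabled. Only sessions
#    created by a policy that uses THIS service skip the helper; the
#    built-in "SIP" service still attaches it.
config firewall service custom
    edit "SIP-Helper-disable"
        set udp-portrange 5060
        set helper disable
    next
end

# 3. Address object for the PBX (placeholder subnet).
config firewall address
    edit "PBX-LAN"
        set subnet 10.10.20.0 255.255.255.0
    next
end

config firewall policy
    # 4. PBX traffic: matches the custom service, so no SIP helper.
    edit 10
        set name "PBX-no-SIP-helper"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "PBX-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP-Helper-disable"
        set nat enable
    next
    # 5. Everything else keeps the default behaviour (helper attached).
    edit 11
        set name "Other-VoIP-with-helper"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
    next
    # Policies are evaluated top-down by position, not by ID, so make
    # sure the exemption sits above the general policy.
    move 10 before 11
end

# 6. Verify. A session keeps the helper it was created with, so restrict
#    the session filter to SIP and clear only those sessions, then let
#    the phones re-register and list the new sessions.
diagnose sys session filter clear
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session list
# Sessions from 10.10.20.0/24 (policy 10) should show no "helper=sip"
# field; sessions created by policy 11 should show "helper=sip".
```

The diagnose step matters: changing the service or the helper setting does not touch sessions that already exist, so a PBX that has been registered for hours will keep its old helper-bound session until it expires or is cleared.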

 

If a specific traffic flow must pass without SIP ALG inspection, this can also be done by applying a VoIP profile that has SIP inspection disabled to the IPv4 policy that allows the traffic. Note that leaving the policy without any VoIP profile does not turn the ALG off: FortiGate still detects the SIP traffic and applies the 'default' VoIP profile. A profile with SIP inspection disabled must therefore be assigned explicitly:

 

  1. Create a VoIP profile with no SIP inspection via the CLI:

 

config voip profile
    edit "VoIP_ALG_Off"
        config sip
            set status disable <----- Disable SIP inspection.
            set rtp disable <----- Avoid RTP pinhole creation.
        end
    next
end

 

To keep SIP inspection active but stop the FortiGate from rewriting SDP, configure the VoIP profile as follows instead:

 

config voip profile
    edit "Disable-SDP"
        config sip
            set no-sdp-fixup enable <----- Disable SDP modification/translation.
        end
    next
end

  

The no-sdp-fixup setting turns off the FortiGate's automatic modification of the SDP body carried in SIP packets. It prevents the SIP ALG from rewriting:

  • The connection (c=) line in SDP
  • The media (m=) line in SDP
  • IP addresses and ports in the SDP payload

SIP inspection itself (set status enable) stays active with this profile; only the SDP payload is left untouched.

 

This is useful when:

  • SIP calls fail to connect properly because of the FortiGate's SDP modification.
  • The environment requires the SDP to arrive unmodified in order to work correctly (for example, when another device already performs the address translation).
  • The goal is to stop the FortiGate from altering the media connection information in SIP messages.

  2. Assign the VoIP profile to the desired policy:

 

[Screenshot: ALG.PNG]

 

By CLI:

 

config firewall policy
    edit 1
        set name "disable VoIP"
        set utm-status enable
        set voip-profile "VoIP_ALG_Off" <----- VoIP profile assigned.
    next
end

 

Note:

If the VoIP profile option is not visible in the GUI, enable it under System -> Feature Visibility -> VoIP.
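A complete worked configuration for the proxy-based (default) ALG mode, added here as an example and not taken from the original article. It covers both profiles described above: VoIP_ALG_Off for a PBX that must not be inspected at all, and Disable-SDP for a SIP trunk that should still be inspected but whose SDP must not be rewritten. It assumes port1 is the LAN interface, port2 is the WAN interface, the PBX is in 10.10.20.0/24, the trunk provider is 203.0.113.10, the PBX media range is UDP 10000-20000, policy IDs 20-22 are free, and the FortiOS build has the default "no-inspection" SSL/SSH profile; all of these are placeholders.

```fortios
# Added example, not from the original article. Interface names, address
# objects, the media port range, policy IDs and the SSL profile name are
# assumptions; adjust to fit the real environment.

config system settings
    set default-voip-alg-mode proxy-based   # default: SIP goes via the SIP proxy
    set gui-voip-profile enable             # CLI equivalent of Feature Visibility -> VoIP
end

config voip profile
    # Profile 1: SIP inspection off and no RTP pinholes.
    edit "VoIP_ALG_Off"
        config sip
            set status disable
            set rtp disable
        end
    next
    # Profile 2: SIP inspection on, but the SDP payload is not rewritten.
    edit "Disable-SDP"
        config sip
            set no-sdp-fixup enable
        end
    next
end

config firewall address
    edit "PBX-LAN"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "SIP-Trunk-Provider"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# With "set rtp disable" the ALG no longer opens media pinholes, so the
# media ports must be allowed explicitly (assumed range).
config firewall service custom
    edit "PBX-RTP-Media"
        set udp-portrange 10000-20000
    next
end

config firewall policy
    # PBX that handles its own NAT traversal: ALG fully off.
    edit 20
        set name "PBX-no-SIP-ALG"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "PBX-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP" "PBX-RTP-Media"
        set nat enable
        set inspection-mode proxy           # VoIP profiles need a proxy-mode policy
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set voip-profile "VoIP_ALG_Off"
    next
    # SIP trunk: keep inspection and pinholes, but leave SDP untouched.
    edit 21
        set name "Trunk-keep-inspection-no-SDP-fixup"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "SIP-Trunk-Provider"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set voip-profile "Disable-SDP"
    next
    # Every other VoIP endpoint: full SIP ALG with the default profile.
    edit 22
        set name "Other-VoIP-full-ALG"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set voip-profile "default"
    next
    # Most specific first; the catch-all must be last.
    move 20 before 22
    move 21 before 22
end

# Verify the profiles and policies, then clear only the SIP sessions so
# that new registrations pick up the new profile.
show voip profile VoIP_ALG_Off
show voip profile Disable-SDP
show firewall policy 20
diagnose sys session filter clear
diagnose sys session filter dport 5060
diagnose sys session clear
```

Policy 20 is the only one whose matched traffic skips SIP inspection entirely; SIP from any other source still hits policy 21 or 22 and is inspected. Because the PBX policy also disables RTP pinholes, it is the one place where the media ports have to be opened by hand, which is why PBX-RTP-Media is listed only there.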

 

[Screenshot: voip.PNG]

 

Scope

FortiGate.
Solution

Having different VoIP profiles, one with the SIP ALG disabled and one with it enabled, gives the granularity to decide at the firewall policy level which traffic gets SIP inspection and which does not.

 

[Screenshot: voip2.PNG]