Description

Solution

By default, FortiGate is using SIP ALG to process SIP traffic.

Verify it by checking the configuration and counters:

FortiGate # show full system setting | grep default-voip-alg-mode
set default-voip-alg-mode proxy-based

Proxy-based         <----- Default SIP ALG mode.
Kernel-helper-based <----– SIP session helper.

To verify counters based on the mode:

1. If SIP Sessions Helper is handling the SIP traffic, the command below will display counters:
   
   FortiGate # diag sys sip status
   dialogs: max=131072, used=0
   mappings: used=0
   dialog hash by ID: size=8192, used=0, depth=0
   dialog hash by RTP: size=8192, used=0, depth=0
   mapping hash: size=8192, used=0, depth=0
   count0: 0
   count1: 2
   count2: 10
   count3: 0
   count4: 0
   
   
2. If SIP ALG is handling the SIP traffic, the command below will display counters:
   
   

FortiGate # diag sys sip-proxy stat

sip stats

vdom name: root
---------------------------
     active-sessions: 1
     calls-attempted: 57
     calls-established: 27
     calls-failed: 30

     calls-active: 0
     registers-active: 1
              |     received  |     blocked   |  unknown form |  long headers
     req-type |    req    resp|    req    resp|    req    resp|    req    resp
     UNKNOWN         0   47227       0   47227       0   47227       0       0
     ACK            86       0       0       0       0       0       0       0
     BYE            27      27       0       0       0       0       0       0
     CANCEL         14      14       0       0       0       0       0       0
     INFO            0       0       0       0       0       0       0       0
     INVITE        107     223       0       0       0       0       0       0
     MESSAGE         0       0       0       0       0       0       0       0
     NOTIFY       5789    5788       0       0       0       0       0       0
     OPTIONS         0       0       0       0       0       0       0       0
     PRACK           0       0       0       0       0       0       0       0
     PUBLISH     10371     802       0       1       0       0       0       0
     REFER           2       2       0       0       0       0       0       0
     REGISTER   100678   81543      25       0      25       0       0       0
     SUBSCRIBE   19857   13333       0       2       0       0       0       0
     UPDATE          0       0       0       0       0       0       0       0
     PING            0       0       0       0       0       0       0       0

To verify based on the session created by the SIP port :

First filter and display the session:

diag sys session filter dport 5060

diag sys session filter dst x.x.x.x (public IP of the SIP provider)

diag sys session list

Then look for the flags:

1. If the session has an 'ndr' flag -> flow SIP (ips) handles the traffic.
   
2. If the session has 'redir' and 'local' flags -> SIP ALG handles the traffic.
3. If the session only has "helper=sip" -> SIP kernel helper (session-helper) handles the traffic.
4. If the session has 'helper=20' or 'helper=24' -> SIP ALG handles the traffic.

Related documents:
VoIP solutions 6.4.5
VoIP solutions 6.2.7
FortiGate sip 603
FortiGate VOIP sip 521

Related Articles:

Technical Tip: VOIP calls (using SIP)

Technical Tip: Disabling VoIP Inspection

Techincal Tip: SIP useful Commands

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: How to use the SIP ALG to prevent unwanted calls

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2