For the SIP traffic from the phone on LAN to remote phone with SNAT enabled on FortiGate  below will be the translated IP:

(IP header) src IP: 160.223.8.214(translated due to SNAT)
(IP header) dst IP: 96.48.132.250 (remote device)

(SDP header) connection IP inside the invite packet: 10.1.24.101- without sip helper

(SDP header) connection IP inside the invite packet: 160.223.8.214- with sip helper or sip-alg

With the sip-helper or sip-alg the connection IP in the packet will also translate to the IP 160.223.8.214. The session-helper will create two expected/pin-hole sessions(timeout 30 secs) on FortiGate from source IP 96.48.132.250 to 160.223.8.214.

The SIP protocol utilizes separate control and data channels. For each call, it requires four data channels—two for each direction of communication.

Below commands to collect sip debugs:

diagnose debug disable

diagnose debug reset
diagnose debug application sip -1
diagnose debug enable

For the above flow below sip debugs shows FortiGate creating Pinhole session based on the RTP offer in the SDP header:

2025-06-14 15:10:25 sip sess 0x7fe968939000 vd 0 vrf 0 pinhole (nil) add UDP DNAT 96.48.132.250:0 -> 160.223.8.214:38593 (10.1.24.101:38737)
2025-06-14 15:10:25 sip sess 0x7fe968939000 vd 0 vrf 0 pinhole (nil) add UDP SNAT 10.1.24.101:0 -> 96.48.132.250:6417 (160.223.8.214:38593)
2025-06-14 15:10:25 sip sess 0x7fe968939000 vd 0 vrf 0 pinhole (nil) add UDP DNAT 96.48.132.250:0 -> 160.223.8.214:38592 (10.1.24.101:38736)
2025-06-14 15:10:25 sip sess 0x7fe968939000 vd 0 vrf 0 pinhole (nil) add UDP SNAT 10.1.24.101:0 -> 96.48.132.250:6416 (160.223.8.214:38592)

To ensure a successful two-way audio call, there must be a session table entry for each pinhole:

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=39->0/33->39 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 96.48.132.250:0->160.223.8.214:38593(10.1.24.101:38737)
misc=0 policy_id=8 pol_uuid_idx=1519 auth_info=0 chk_client_info=0 vd=0

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=33->39/39->0 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.24.101:0->96.48.132.250:6417(160.223.8.214:38593)
src_mac=bc:26:c7:29:c4:07
misc=0 policy_id=8 pol_uuid_idx=1519 auth_info=0 chk_client_info=0 vd=0
serial=25c65a15 tos=ff/ff app_list=0 app=30251 url_cat=0

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=39->0/33->39 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 96.48.132.250:0->160.223.8.214:38592(10.1.24.101:38736)
misc=0 policy_id=8 pol_uuid_idx=1519 auth_info=0 chk_client_info=0 vd=0

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=33->39/39->0 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.24.101:0->96.48.132.250:6416(160.223.8.214:38592)
src_mac=bc:26:c7:29:c4:07
misc=0 policy_id=9 pol_uuid_idx=1519 auth_info=0 chk_client_info=0 vd=0
serial=25c65a15 tos=ff/ff app_list=0 app=30251 url_cat=0

If the session table doesn't show the same number of entries as the pinhole sessions, it can result in no audio or a one-way audio issue.

Related articles:

• Technical Tip: Session helpers and expectation sessions
• Technical Tip: SIP useful Commands
  Technical Tip: VOIP calls (using SIP)
• Technical Tip: Enabling the SIP Application Layer Gateway (ALG)
• Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG