ACARIMO
Staff
Article Id 332325
Description This article describes the steps needed to confirm whether or not SIP traffic is being inspected by FortiGate.
Scope VoIP traffic over FortiGate.
Solution

To check whether SIP traffic is being inspected by the FortiGate, run the following commands:

 

For SIP-ALG (proxy):

 

diag sys sip-proxy stat

FortiGate # diag sys sip-proxy stat

sip stats
vdom name: root
---------------------------
     active-sessions: 1
     calls-attempted: 57
     calls-established: 27
     calls-failed: 30
     calls-active: 0
     registers-active: 1
              |     received  |     blocked   |  unknown form |  long headers
     req-type |    req    resp|    req    resp|    req    resp|    req    resp
     UNKNOWN         0   47227       0   47227       0   47227       0       0
     ACK            86       0       0       0       0       0       0       0
     BYE            27      27       0       0       0       0       0       0
     CANCEL         14      14       0       0       0       0       0       0
     INFO            0       0       0       0       0       0       0       0
     INVITE        107     223       0       0       0       0       0       0
     MESSAGE         0       0       0       0       0       0       0       0
     NOTIFY       5789    5788       0       0       0       0       0       0
     OPTIONS         0       0       0       0       0       0       0       0
     PRACK           0       0       0       0       0       0       0       0
     PUBLISH     10371     802       0       1       0       0       0       0
     REFER           2       2       0       0       0       0       0       0
     REGISTER   100678   81543      25       0      25       0       0       0
     SUBSCRIBE   19857   13333       0       2       0       0       0       0
     UPDATE          0       0       0       0       0       0       0       0
     PING            0       0       0       0       0       0       0       0

 

For session-helper (kernel-helper-based):

 

diag sys sip status

FortiGate # diag sys sip status
dialogs: max=131072, used=0
mappings: used=0
dialog hash by ID: size=8192, used=0, depth=0
dialog hash by RTP: size=8192, used=0, depth=0
mapping hash: size=8192, used=0, depth=0
count0: 0
count1: 2
count2: 10
count3: 0
count4: 0

 

For more details, see: Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

 

Alternatively, this can be checked at the session level. In a FortiGate CLI window, run the following commands to get a list of all existing SIP sessions running on port 5060:

 

diagnose sys session filter clear

diagnose sys session filter dport 5060

diagnose sys session list

 

In the output for each session, examine the line starting with 'class_id=':

 

  • If the line contains a tag 'helper=sip', then FortiGate is inspecting SIP traffic using the SIP Session-Helper feature:

 

class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/255

 

  • If the line contains a tag 'helper=20', then FortiGate is inspecting SIP traffic using the SIP ALG feature:

 

class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=20 vlan_cos=0/255

 

  • If the line does not contain a tag 'helper', FortiGate is not inspecting SIP traffic:

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
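
The three cases above can be checked across many sessions at once. The following Python script is an added example, not part of the original article: it reads saved 'diagnose sys session list' output and classifies each session by the helper tag on its 'class_id=' line. The sample output is constructed and trimmed, the function names are hypothetical, and it is assumed that each session block starts with a 'session info:' line.

```python
import re

# Constructed sample: trimmed 'diagnose sys session list' output saved as text.
# Addresses are documentation-range placeholders, not real hosts.
SAMPLE = """\
session info: proto=17 proto_state=00 duration=12 expire=167 timeout=0
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/255
hook=pre dir=org act=noop 192.0.2.10:5060->198.51.100.5:5060(0.0.0.0:0)
session info: proto=17 proto_state=00 duration=40 expire=139 timeout=0
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=20 vlan_cos=0/255
hook=pre dir=org act=noop 192.0.2.11:5060->198.51.100.5:5060(0.0.0.0:0)
session info: proto=17 proto_state=00 duration=3 expire=176 timeout=0
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=pre dir=org act=noop 192.0.2.12:5060->198.51.100.5:5060(0.0.0.0:0)
"""

HELPER_RE = re.compile(r"(?<!\S)helper=(\S+)")
FLOW_RE = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+->\d+\.\d+\.\d+\.\d+:\d+")

def classify(helper):
    """Map the helper tag from the class_id line to the inspection mode."""
    if helper is None:
        return "not-inspected"          # no 'helper' tag at all
    # 'sip' and '20' are the two values the article describes; anything
    # else is reported as-is because the article does not cover it.
    return {"sip": "session-helper", "20": "sip-alg"}.get(helper, "other-helper:" + helper)

def inspect_sessions(text):
    """Return [(flow, mode)] for every session block in the saved output."""
    results = []
    # Assumption: each session block begins with a 'session info:' line.
    for block in re.split(r"(?m)^[ \t]*session info:", text)[1:]:
        cls = re.search(r"(?m)^[ \t]*class_id=.*$", block)
        if cls is None:
            continue                    # truncated block, nothing to judge
        helper = HELPER_RE.search(cls.group(0))
        flow = FLOW_RE.search(block)
        results.append((flow.group(0) if flow else "unknown-flow",
                        classify(helper.group(1) if helper else None)))
    return results

if __name__ == "__main__":
    for flow, mode in inspect_sessions(SAMPLE):
        print(f"{flow:40} {mode}")
```
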

 

If the SIP traffic is inspected by the session helper, this can be checked by listing the expectation sessions with the command below:

diagnose sys session list expectation