Check the next-hop IP to which the SIP server 10.255.53.220 routes the SIP packets.
As shown in the debug flow output, the SIP server 10.255.53.220 was routing the SIP packets towards the FortiGate port1 local interface 172.17.100.5.
# id=65308 trace_id=746 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 10.255.53.220:5060->172.17.100.5:5060) tun_id=0.0.0.0"
The FortiGate was able to receive the SIP packets; however, it dropped them because it could not process them, as it is not a PBX device.
id=65308 trace_id=746 func=__iprope_check_one_policy line=2047 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
id=65308 trace_id=746 func=__iprope_check_one_policy line=2265 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=746 func=__iprope_check line=2312 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
id=65308 trace_id=746 func=iprope_policy_group_check line=4755 msg="after check: ret-matched, act-drop, flag-00000001, flag2-00000000"
Policy-4294967295 refers to a local-in policy.
Reference: Technical Note: FortiView policy 4294967295
The packet sniffer shows the same result: the SIP server was routing the packets towards the FortiGate local interface.
dia sniffer packet any "host 10.255.53.220 and port 5060" 6 0 l
interfaces=[any]
filters=[host 10.255.53.220 and port 5060]
2024-08-07 12:42:33.378218 port10 in 10.255.53.220.5060 -> 172.17.100.5.5060: udp 881
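The debug flow check described above can be automated when a capture holds many traces. The following is an added example, not Fortinet code: it groups debug flow lines by trace_id and reports packets dropped by policy 4294967295. The function name, the regular expressions and the second trace (746 is from this page, 747 is constructed) are assumptions made for illustration.

```python
import re

# Policy ID that this page identifies as the local-in policy.
LOCAL_IN_POLICY_ID = 4294967295

# Trace 746: debug flow lines copied from the output on this page.
PAGE_TRACE = '''\
id=65308 trace_id=746 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 10.255.53.220:5060->172.17.100.5:5060) tun_id=0.0.0.0"
id=65308 trace_id=746 func=__iprope_check_one_policy line=2047 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
id=65308 trace_id=746 func=__iprope_check_one_policy line=2265 msg="policy-4294967295 is matched, act-drop"
'''
# Trace 747: constructed line (documentation address 192.0.2.10) with no drop verdict.
CONSTRUCTED_TRACE = '''\
id=65308 trace_id=747 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 10.255.53.220:5060->192.0.2.10:5060) tun_id=0.0.0.0"
'''
SAMPLE = PAGE_TRACE + CONSTRUCTED_TRACE

LINE_RE = re.compile(r'id=\d+ trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\)')
DROP_RE = re.compile(r'policy-(\d+) is matched, act-drop')

def local_in_drops(text):
    """Return one dict per trace whose packet was dropped by the local-in policy."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug flow line (prompt, blank line, sniffer output)
        trace_id, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(trace_id, {"trace_id": trace_id, "dropped_by": None})
        pkt = PKT_RE.search(msg)
        if pkt:  # first line of a trace: protocol and the 4-tuple
            t.update(proto=int(pkt[1]), src=pkt[2], sport=int(pkt[3]),
                     dst=pkt[4], dport=int(pkt[5]))
        drop = DROP_RE.search(msg)
        if drop:  # final verdict of the policy check
            t["dropped_by"] = int(drop[1])
    return [t for t in traces.values()
            if t["dropped_by"] == LOCAL_IN_POLICY_ID and "dst" in t]

if __name__ == "__main__":
    for hit in local_in_drops(SAMPLE):
        print("trace {trace_id}: {src}:{sport} -> {dst}:{dport} proto={proto} "
              "dropped by local-in policy".format(**hit))
```

A destination reported here that is one of the FortiGate's own interface addresses indicates the same routing problem on the sending side that this page describes.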