Article Id 226712
Description This article describes how a FortiGate setup with SIP-ALG enabled handles network packets with QoS markings, as well as how to prevent these markings from being stripped.
Scope FortiGate with FortiOS 5.x, 6.x and 7.x.

The following diagram illustrates a typical topology for a VoIP connection with FortiGate:



In this instance, the network administrator's goal is to ensure bidirectional end-to-end QoS markings between the Client's VoIP solution and the VoIP server.

On the branch FortiGate, SIP proxy features are disabled. This means inspection of SIP traffic is not performed. The hub FortiGate has SIP proxy features enabled, which means all SIP traffic is inspected.


Since the branch device does not inspect SIP traffic, SIP packets will ingress through the LAN port and egress to the MPLS port with the same DSCP values that were generated by the client.
However, when SIP ALG is enabled on a device, network traffic loses the DSCP values before inspection at the hub FortiGate. Traffic arrives with the correct markings on the hub's MPLS port but exits towards the LAN port for the voice server without any markings.


To prevent DSCP markings from being stripped, a network administrator can enable the Flow-Based SIP inspection feature implemented in version 7.0 of FortiOS. See the documentation for more information.
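To check whether markings survive the hub, the DSCP values of the same flow can be compared between a capture on the MPLS port and one on the LAN port. The script below is an added example, not Fortinet code: the addresses, the DSCP value 24 and the packets are constructed sample data, and it assumes raw IPv4/UDP packets with no NAT between the two interfaces.

```python
import socket
import struct

def build_udp(src, dst, sport, dport, dscp, payload=b""):
    """Construct a minimal IPv4/UDP packet (checksums left at 0; sample data only)."""
    tos = dscp << 2                      # DSCP is the upper 6 bits of the ToS byte
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload

def parse(packet):
    """Return ((src, dst, sport, dport), dscp) for an IPv4/UDP packet, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4         # header length; IP options are skipped
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (src, dst, sport, dport), packet[1] >> 2

def stripped_flows(ingress, egress):
    """List (flow, dscp_in, dscp_out) for egress packets whose DSCP changed."""
    seen = {}
    for pkt in ingress:
        parsed = parse(pkt)
        if parsed:
            seen.setdefault(parsed[0], parsed[1])
    findings = []
    for pkt in egress:
        parsed = parse(pkt)
        if parsed and parsed[0] in seen and seen[parsed[0]] != parsed[1]:
            findings.append((parsed[0], seen[parsed[0]], parsed[1]))
    return findings

# Constructed sample: one SIP packet as seen on the hub's MPLS port and LAN port.
SIP_FLOW = ("10.1.1.10", "10.2.2.20", 5060, 5060)
MPLS_CAPTURE = [build_udp(*SIP_FLOW, dscp=24, payload=b"INVITE")]
LAN_WITH_ALG = [build_udp(*SIP_FLOW, dscp=0, payload=b"INVITE")]    # markings stripped
LAN_PRESERVED = [build_udp(*SIP_FLOW, dscp=24, payload=b"INVITE")]  # markings kept

if __name__ == "__main__":
    for flow, before, after in stripped_flows(MPLS_CAPTURE, LAN_WITH_ALG):
        print(f"{flow}: DSCP {before} on ingress, {after} on egress")
```

An empty result from `stripped_flows` for the LAN-side capture means every matched flow left the hub with the DSCP value it arrived with.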