Description: This article describes the difference in SIP inspection configuration and behavior between v7.0 and v7.2.5.
Scope: FortiGate v7.2.5 or more recent.
Solution:
SIP ALG stands for Session Initiation Protocol Application Layer Gateway. It is a feature that provides support for SIP sessions and offers a wide range of functionalities to protect the network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP messages, and provide detailed logging and reporting of SIP activity.
Additionally, SIP ALG can handle NAT (Network Address Translation) and RTP (Real-time Transport Protocol) pinholes, check SIP message order, and allow configurable header line length maximums. Depending on the user's SIP solution, it might be recommended by the VoIP provider to disable FortiGate's SIP ALG.
In FortiGate, SIP ALG is enabled by default. Below is the CLI command to verify that SIP ALG is enabled in the current FortiGate configuration:
show full system settings | grep default-voip
In the v7.0 branch, for SIP traffic to be inspected by SIP ALG, the firewall policy handling the traffic must be in proxy inspection mode and have a VoIP profile configured.
Below is a sample firewall policy configuration to inspect SIP traffic with SIP ALG:
config firewall policy
    edit 1
        set srcintf "lan"
        set utm-status enable
        set inspection-mode proxy
        set voip-profile "default"
    next
end
In v7.0, if a similar firewall policy is not configured in the FortiGate, SIP traffic is not inspected by SIP ALG.
From v7.2.5, a new feature was introduced: SIP IPS profile as a complement to SIP ALG. As described in the release notes, the VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The voip-profile can be selected regardless of the inspection mode in the firewall policy.
This means that after an upgrade to v7.2.5 or more recent, SIP traffic will be inspected by default even if the firewall policy configuration is set to flow inspection mode.
If no VoIP profile is defined in the firewall policy, the 'default' VoIP profile is used for SIP ALG inspection.
To disable SIP traffic inspection by SIP ALG, use either of the following options:
Option 1: switch the global default-voip-alg-mode setting (the one matched by the grep command above) from the proxy-based ALG to the kernel session helper:
config system settings
    set default-voip-alg-mode kernel-helper-based
end
Option 2: keep the ALG mode unchanged but disable SIP inspection in the 'default' VoIP profile, which is the profile applied when a policy does not reference one:
config voip profile
    edit default
        config sip
            set status disable
        end
    next
end
Note: To apply this configuration change to SIP traffic, it is necessary to clear all of the sessions for port 5060. Clearing 5060 sessions will drop all of the active calls passing through FortiGate.
Sessions with destination port 5060:
diagnose sys session filter clear
diagnose sys session filter dport 5060
diagnose sys session clear
Sessions with source port 5060:
diagnose sys session filter clear
diagnose sys session filter sport 5060
diagnose sys session clear
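The following Python script is an added example and not part of the original article or of FortiOS: it parses a FortiOS CLI configuration excerpt and reports, per firewall policy, whether SIP ALG inspects the matched SIP traffic under the v7.0 rules and under the v7.2.5 rules, and it models the effect of Option 1 and Option 2 above. The sample configuration is constructed, the parser only understands the blocks shown, and the setting names default-voip-alg-mode and the per-profile sip status are taken from the options above.

```python
# Constructed sample FortiOS CLI excerpt (illustrative; not a dump from a real device).
SAMPLE_CONFIG = """\
config voip profile
    edit "default"
        config sip
            set status enable
        end
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set voip-profile "default"
    next
    edit 2
        set inspection-mode flow
    next
end
"""
def parse_config(text):
    """Walk config/edit/next/end blocks and keep only the settings that decide SIP ALG behaviour."""
    path, cfg = [], {"alg_mode": "proxy-based", "sip_status": {}, "policies": {}}
    for raw in text.splitlines():
        parts = raw.split(None, 2) or [""]  # keyword, name or key, value
        if parts[0] in ("config", "edit"):
            path.append(" ".join(parts[1:]).strip('"'))
        elif parts[0] in ("next", "end"):
            path.pop()
        elif parts[0] == "set":
            key, value = parts[1], parts[2].strip('"')
            if path == ["system settings"] and key == "default-voip-alg-mode":
                cfg["alg_mode"] = value  # proxy-based (SIP ALG) or kernel-helper-based (Option 1)
            elif len(path) == 3 and path[0] == "voip profile" and path[2] == "sip" and key == "status":
                cfg["sip_status"][path[1]] = value  # SIP inspection on/off per VoIP profile (Option 2)
            elif len(path) == 2 and path[0] == "firewall policy":
                cfg["policies"].setdefault(path[1], {})[key] = value
    return cfg

def sip_alg_applies(policy_id, cfg, fos_branch):
    """True if SIP traffic matched by the policy is inspected by SIP ALG on '7.0' or '7.2.5' (and later)."""
    if cfg["alg_mode"] != "proxy-based":
        return False  # kernel-helper-based: the SIP session helper handles SIP instead of the ALG
    pol = cfg["policies"][policy_id]
    profile = pol.get("voip-profile")
    if fos_branch == "7.0":  # 7.0: only proxy-mode policies with an explicit VoIP profile
        if pol.get("inspection-mode", "flow") != "proxy" or profile is None:
            return False
    else:  # 7.2.5+: inspection mode no longer matters and the 'default' profile is implied
        profile = profile or "default"
    return cfg["sip_status"].get(profile, "enable") == "enable"
```

Running it against a full configuration backup before an upgrade shows which flow-mode policies without a VoIP profile will start sending SIP traffic through the ALG once v7.2.5 is installed.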
Related articles: Technical Tip: SIP traffic and inspection mode in FortiOS 7.x (proxy / flow).
Copyright 2025 Fortinet, Inc. All Rights Reserved.