nweckel (Staff)
Article Id 359796
Description: This article describes the difference in SIP inspection configuration and behavior between FortiOS 7.0 and 7.2.5.
Scope: FortiOS 7.2.5 or more recent.
Solution

SIP ALG stands for Session Initiation Protocol Application Layer Gateway.

It is a feature that provides support for SIP sessions and offers a wide range of functionalities to protect the network from SIP attacks, apply rate limiting to SIP sessions, check the syntax of SIP messages, and provide detailed logging and reporting of SIP activity.
Additionally, SIP ALG can handle NAT (Network Address Translation) and RTP (Real-time Transport Protocol) pinholes, check SIP message order, and allow configurable header line length maximums.

Depending on the user's SIP solution, it might be recommended by the VoIP provider to disable FortiGate's SIP ALG.
In FortiGate, SIP ALG is enabled by default.

Below is the CLI command to verify that SIP ALG is enabled in the current FortiGate configuration:
show full system settings | grep default-voip
    set default-voip-alg-mode proxy-based
In the FortiOS 7.0 branch, for SIP traffic to be inspected by SIP ALG, the firewall policy handling the traffic must be in proxy inspection mode and have a VoIP profile configured.
Below is a sample firewall policy configuration to inspect SIP traffic with SIP ALG:
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set inspection-mode proxy
        set voip-profile "default"
        set nat enable
    next
end
In FortiOS 7.0, if no such firewall policy is configured on the FortiGate, SIP traffic is not inspected by SIP ALG.
FortiOS 7.2.5 introduced a new feature: a SIP IPS profile as a complement to SIP ALG.

As described in the release notes, the VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The voip-profile can be selected regardless of the inspection-mode in the firewall policy.
This means that after an upgrade to version 7.2.5 or more recent, SIP traffic will be inspected by default even if the firewall policy configuration is set to flow inspection mode.

If no VoIP profile is defined in the firewall policy, the 'default' VoIP profile is used for SIP ALG inspection.
To disable SIP traffic inspection by SIP ALG, use either of the following options:

Option 1:

• Set default-voip-alg-mode to kernel-based.

config system settings
    set default-voip-alg-mode kernel-based    ---> The default is proxy-based.
end
Option 2:

• Disable SIP in the 'default' VoIP profile.

config voip profile
    edit default
        config sip
            set status disable
        end
    next
end
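
As an added example (not Fortinet's code and not part of the original article), the following Python script parses a FortiOS configuration dump in the CLI syntax shown above and reports which firewall policies SIP ALG would inspect under the 7.0 rule (proxy inspection mode plus an explicit VoIP profile) versus the 7.2.5+ rule (any inspection mode, falling back to the 'default' profile), and how Option 1 and Option 2 change the result. The sample configuration is constructed; the function names, and the assumptions that an unset inspection-mode means flow and that an unset SIP status in a VoIP profile means enabled, are mine rather than from the article.

```python
"""Audit a FortiOS text config for SIP ALG exposure under 7.0 vs 7.2.5+ rules.
Added example, not Fortinet code. Assumes the CLI syntax shown in the article
and its stated defaults (default-voip-alg-mode proxy-based, SIP enabled in the
'default' VoIP profile) unless the config says otherwise."""
import shlex

# Constructed sample config (not from a real device): a proxy-mode policy with an
# explicit VoIP profile, a flow-mode policy with none, and one pinned to a custom
# profile whose SIP inspection is disabled.
SAMPLE_CONFIG = """
config system settings
    set default-voip-alg-mode proxy-based
end
config voip profile
    edit "default"
        config sip
            set status enable
        end
    next
    edit "no-sip"
        config sip
            set status disable
        end
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set voip-profile "default"
    next
    edit 2
        set inspection-mode flow
    next
    edit 3
        set inspection-mode flow
        set voip-profile "no-sip"
    next
end
"""

def parse_fortios_config(text):
    """Parse config/edit/set/next/end text into nested dicts; 'set k v ...'
    becomes k -> [v, ...], 'end' closes the nearest open config block."""
    root = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append(("config", stack[-1][1].setdefault(" ".join(args), {})))
        elif kw == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":  # also closes an edit left open inside the block
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root

def sip_alg_mode(cfg):
    """Global SIP ALG mode; proxy-based is the FortiOS default when unset."""
    return cfg.get("system settings", {}).get("default-voip-alg-mode", ["proxy-based"])[0]

def profile_sip_enabled(cfg, name):
    """True if VoIP profile `name` inspects SIP (assumed enabled when unset)."""
    profile = cfg.get("voip profile", {}).get(name, {})
    return profile.get("sip", {}).get("status", ["enable"])[0] == "enable"

def policies_inspected_by_sip_alg(cfg, fortios_725_or_later=True):
    """Ids of firewall policies whose SIP traffic SIP ALG will inspect.
    7.0 rule: proxy inspection-mode AND an explicit voip-profile.
    7.2.5+ rule: any mode; a missing voip-profile falls back to 'default'.
    Both need global proxy-based mode and SIP enabled in the effective profile."""
    if sip_alg_mode(cfg) != "proxy-based":
        return []  # Option 1 in the article: kernel-based mode, no ALG at all
    inspected = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        explicit = pol.get("voip-profile")
        mode = pol.get("inspection-mode", ["flow"])[0]  # assumed default: flow
        if fortios_725_or_later:
            profile = explicit[0] if explicit else "default"
        elif mode == "proxy" and explicit:
            profile = explicit[0]
        else:
            continue
        if profile_sip_enabled(cfg, profile):
            inspected.append(pid)
    return inspected
```

Run `policies_inspected_by_sip_alg(parse_fortios_config(text))` on the text of a configuration backup to see which policies gain SIP ALG inspection after the upgrade; with the sample above, policy 1 is inspected under the 7.0 rule, policies 1 and 2 under the 7.2.5+ rule, and policy 3 in neither case because its explicit profile has SIP disabled. Appending the Option 1 or Option 2 snippet from the article to the text empties the list, which is the state a VoIP provider asking for SIP ALG to be disabled expects.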
Note: To apply this configuration change to SIP traffic, it is necessary to clear all of the sessions for port 5060.

Clearing 5060 sessions will drop all of the active calls passing through FortiGate.
diag sys session filter clear
diag sys session filter dport 5060
diag sys session clear

diag sys session filter clear
diag sys session filter sport 5060
diag sys session clear