Created on 07-01-2024 08:19 AM
Edited on 04-21-2025 10:02 PM
By Anthony_E
Description
This article presents a matrix that helps to identify which inspection mode FortiGate uses when handling SIP calls.
SIP calls are detected by the port on which they are established, as defined in system settings.
When SIP+TLS is used (or port 443), a deep-inspection profile must be added to the policy to identify the traffic as a SIP call.
Scope
FortiOS: all supported versions to date (7.0.14, 7.2.8, 7.4.4)
This scenario applies to FortiGates where MSRP is not used (a feature introduced in v7.4.3).
Solution
Reminder:
Additional important notes about session-helper
The SIP session-helper should not be used: do not disable SIP-ALG (that is, do not set default-voip-alg-mode to kernel-helper-based).
Whether or not the SIP session-helper is deleted, it does not influence SIP ALG operation (the recommended way).
It exists ONLY for compatibility reasons and has not yet been completely removed.
SIP-ALG is a proxy-based feature, which means the policy handling SIP traffic must be in proxy-mode.
Flow-mode SIP (done by ipsengine) is only required when MSRP scanning is needed. Avoid if possible.
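The two notes above (keep SIP-ALG enabled, and run SIP policies in proxy mode) can be checked against a configuration backup. The script below is an added example, not Fortinet code: it assumes a single-VDOM backup in the usual config/edit/set/next/end layout, and the sample configuration, function names and finding texts are constructed for illustration.

```python
# Constructed sample: single-VDOM FortiOS config excerpt, not from a real device.
SAMPLE_CONFIG = """
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config firewall policy
    edit 10
        set inspection-mode proxy
        set voip-profile "default"
    next
    edit 11
        set voip-profile "default"
    next
end
"""

def parse_config(text):
    """Map top-level 'config X' blocks to {entry id or None: {key: value}}."""
    sections, depth, name, entry = {}, 0, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                name, entry = line[len("config "):], None
                sections.setdefault(name, {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif depth == 1 and line == "next":
            entry = None
        elif depth == 1 and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            sections[name].setdefault(entry, {})[key] = "".join(value).strip('"')
    return sections

def audit_sip(text):
    """Return findings where the config departs from the proxy-based SIP ALG setup."""
    cfg, findings = parse_config(text), []
    settings = cfg.get("system settings", {}).get(None, {})
    # Assumption: an absent key means the FortiOS default (proxy-based, SIP ALG on).
    if settings.get("default-voip-alg-mode", "proxy-based") != "proxy-based":
        findings.append("system settings: default-voip-alg-mode is kernel-helper-based")
    for pid, policy in cfg.get("firewall policy", {}).items():
        # Assumption: no 'set inspection-mode proxy' line means flow mode (the default).
        if "voip-profile" in policy and policy.get("inspection-mode", "flow") != "proxy":
            findings.append(f"policy {pid}: voip-profile applied but policy is flow-mode")
    return findings
```

Calling audit_sip(SAMPLE_CONFIG) reports the disabled SIP-ALG setting and policy 11; policy 10 passes because it is in proxy mode.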
Note:
FortiGate operating in NGFW mode and SIP:
There is no VoIP profile in NGFW-mode. By default, the VoIP profile 'default' is applied to detect calls but cannot be edited.
No new profile can be created and applied in this mode. If the output of 'diagnose sys sip-proxy stats' shows blocked calls/packets, the only solution is to try disabling SIP-ALG or to switch to profile-based operation mode.