Mohammed_Feroz
Article Id 270884
Description: This article explains the recommended scenarios for using each VoIP mode available on a FortiGate firewall.
Scope: Any supported version of FortiGate.
Solution

The following VoIP modes are available on the FortiGate firewall:

 

  1. kernel-helper-based
  2. proxy-based

 

See the FortiGate documentation page for an explanation of these settings.

 

Use the following CLI command to review the VoIP mode:

 

config system settings

set default-voip-alg-mode

 

The query will return the following:

 

proxy-based: Use a default proxy-based VoIP ALG.

kernel-helper-based: Use the SIP session helper.

 

  1. kernel-helper-based.

 

  • A SIP session helper is used when the firewall is processing VoIP traffic in kernel-helper-based mode.
  • SIP session helpers run in the kernel.

 

A SIP session helper is used when traffic does not match a policy that includes a VoIP security profile and the VoIP mode is set to kernel-helper-based.

 

  2. proxy-based.

 

  • proxy-based is set by default.
  • SIP ALG is used when the firewall is processing VoIP traffic in proxy-based mode.
  • SIP ALG runs as a user space process.

 

SIP ALG is used in the following conditions:

 

  • When traffic matches a policy that includes a VoIP security profile, as shown below. In this case SIP ALG is used regardless of the VoIP mode set under system settings (a VoIP security profile requires the firewall policy to be in proxy-based inspection mode).

[Image: voip.jpg]

  • When traffic does not match a policy that includes a VoIP security profile and the VoIP mode is set to proxy-based.
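
The selection rules above can be checked against a configuration backup. The following Python sketch is an added example, not part of the original article or Fortinet tooling: it reads a single-VDOM backup and reports which SIP handler applies to each firewall policy. The sample configuration is constructed, the function names are hypothetical, and it assumes the policy key `voip-profile` and that a backup omits settings left at their default.

```python
# Added example: constructed single-VDOM backup excerpt, not from the article.
SAMPLE = """\
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set voip-profile "default"
    next
    edit 2
        set name "lan-out"
    next
end
"""

def parse_config(text):
    """Return {section: {entry: {key: value}}}; entry is None outside 'edit'."""
    sections, depth, section, entry = {}, 0, None, None
    for line in text.splitlines():
        words = line.split(None, 2) or [""]   # blank lines match no keyword
        if words[0] == "config":
            depth += 1
            if depth == 1:                    # nested config blocks are skipped
                section, entry = " ".join(words[1:]), None
                sections.setdefault(section, {})
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit" and len(words) > 1:
            entry = words[1].strip('"')
            sections[section].setdefault(entry, {})
        elif depth == 1 and words[0] == "next":
            entry = None
        elif depth == 1 and words[0] == "set" and len(words) == 3:
            sections[section].setdefault(entry, {})[words[1]] = words[2].strip().strip('"')
    return sections

def sip_handlers(text):
    """Map each firewall policy id to the SIP handler the article's rules select."""
    cfg = parse_config(text)
    settings = cfg.get("system settings", {}).get(None, {})
    # Assumption: backups omit defaults; the article says proxy-based is the default.
    mode = settings.get("default-voip-alg-mode", "proxy-based")
    handlers = {}
    for pid, policy in cfg.get("firewall policy", {}).items():
        uses_alg = bool(policy.get("voip-profile")) or mode == "proxy-based"
        handlers[pid] = "SIP ALG" if uses_alg else "SIP session helper"
    return handlers
```

For the constructed sample, policy 1 is handled by SIP ALG because it carries a VoIP profile, while policy 2 falls back to the SIP session helper because the system-wide mode is kernel-helper-based.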