FortiGate
pmanak
Staff & Editor
Article Id 414078
Description This article describes an issue where the FortiGate firewall changes the SDP media IP and port seemingly at random.
Scope FortiGate 7.2.x, 7.4.x and 7.6.x.
Solution

It has been observed that when the SIP ALG is enabled and SIP traffic passes through the FortiGate, the SDP media IP and port information is altered if the SIP destination port is anything other than 5060.

 

Ingress SDP packet (capture: pmanak_0-1759770638533.png):

Egress SDP packet (capture: pmanak_1-1759770638535.png):

 

This happens because the SIP ALG only listens on destination port 5060 by default. SIP traffic sent to any other destination port is not handled by the SIP ALG at all, even if a VoIP profile is applied to the firewall policy that allows that traffic.

 

When 'set helper sip' is configured on the firewall service used by the policy, SIP traffic matching that service is not handled by the SIP ALG either; it is passed to the SIP session helper (the kernel helper), which is no longer supported. An example of such a service definition:

 

config firewall service custom

    edit "SIP_5060-5100"

        set helper sip

        set udp-portrange 5060-5100

    next

end

Currently, the FortiGate SIP ALG can listen on at most two UDP ports. They are set with the command below; the list replaces the default, so 5060 must be included if standard SIP traffic still needs to be inspected. Note that a service range such as 5060-5100 in the example above cannot be covered this way: only the two configured ports are inspected by the ALG, and SIP to any other port in the range stays uninspected. SIP over TCP uses the separate 'set sip-tcp-port' setting.

 

config system settings

    set sip-udp-port 5060 5070  

    set gui-voip-profile enable

end
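The following script is an added example, not part of this article or of FortiOS. It shows two checks a practitioner would want after reading the explanation of the 5060-only behaviour and the sip-udp-port setting above: whether a given SIP request lands on a port the ALG is configured to inspect, and what the ALG (or helper) actually changed in the SDP between the ingress and egress captures. The ALG_UDP_PORTS tuple is an assumption that mirrors 'set sip-udp-port 5060 5070'; the INVITE messages are constructed samples using documentation addresses (10.0.0.5 inside, 203.0.113.x outside), not real captures.

```python
"""SDP rewrite and SIP ALG port check (added example, not Fortinet code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: mirrors 'set sip-udp-port 5060 5070' under 'config system settings'.
ALG_UDP_PORTS: Tuple[int, ...] = (5060, 5070)


@dataclass(frozen=True)
class SdpMedia:
    conn_ip: str                         # address from the session-level c= line
    media: Tuple[Tuple[str, int], ...]   # (media type, port) from each m= line


_REQ_RE = re.compile(r"^(\w+) sip:(?:[^@\s]+@)?[^:\s]+(?::(\d+))? SIP/2\.0")
_C_RE = re.compile(r"^c=IN IP4 (\S+)$")
_M_RE = re.compile(r"^m=(\w+) (\d+) ")


def request_port(sip_msg: str) -> int:
    """Destination port from the Request-URI; SIP defaults to 5060 when absent."""
    m = _REQ_RE.match(sip_msg)
    if not m:
        raise ValueError("not a SIP request")
    return int(m.group(2)) if m.group(2) else 5060


def alg_inspects(dst_port: int, alg_ports: Tuple[int, ...] = ALG_UDP_PORTS) -> bool:
    """True if the SIP ALG would see a UDP SIP flow to this destination port."""
    return dst_port in alg_ports


def parse_sdp(sip_msg: str) -> SdpMedia:
    """Pull c= and m= lines from the SDP body of a SIP message.

    SIP separates headers from body with an empty line; SDP lines are CRLF
    terminated. Bare LF is tolerated so pasted captures also parse.
    """
    normalized = sip_msg.replace("\r\n", "\n")
    _head, sep, body = normalized.partition("\n\n")
    if not sep:
        raise ValueError("SIP message has no body")
    conn_ip = None
    media: List[Tuple[str, int]] = []
    for line in body.split("\n"):
        c = _C_RE.match(line)
        if c and conn_ip is None:        # session-level c= comes first
            conn_ip = c.group(1)
            continue
        m = _M_RE.match(line)
        if m:
            media.append((m.group(1), int(m.group(2))))
    if conn_ip is None or not media:
        raise ValueError("SDP body lacks c= or m= lines")
    return SdpMedia(conn_ip, tuple(media))


def sdp_changes(ingress_msg: str, egress_msg: str) -> Dict[str, Tuple]:
    """Compare SDP media info before and after the firewall; return what changed."""
    before, after = parse_sdp(ingress_msg), parse_sdp(egress_msg)
    changes: Dict[str, Tuple] = {}
    if before.conn_ip != after.conn_ip:
        changes["c"] = (before.conn_ip, after.conn_ip)
    for (kind_b, port_b), (kind_a, port_a) in zip(before.media, after.media):
        if kind_b == kind_a and port_b != port_a:
            changes["m=" + kind_b] = (port_b, port_a)
    return changes


def build_invite(conn_ip: str, audio_port: int, dst_port: int = 5060) -> str:
    """Constructed minimal INVITE with SDP (sample data, not a real capture)."""
    sdp = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {conn_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {conn_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {audio_port} RTP/AVP 0 8\r\n"
    )
    headers = (
        f"INVITE sip:bob@203.0.113.20:{dst_port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {conn_ip}:{dst_port};branch=z9hG4bK776asdhds\r\n"
        f"From: <sip:alice@{conn_ip}>;tag=1928301774\r\n"
        "To: <sip:bob@203.0.113.20>\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp.encode())}\r\n"
    )
    return headers + "\r\n" + sdp


if __name__ == "__main__":
    ingress = build_invite("10.0.0.5", 16384, dst_port=5080)
    egress = build_invite("203.0.113.7", 40012, dst_port=5080)
    port = request_port(ingress)
    print(f"destination port {port}, ALG inspects: {alg_inspects(port)}")
    print("SDP changes ingress -> egress:", sdp_changes(ingress, egress))
```

Run it against the two captures from a real sniffer session (the ingress and egress INVITE text) to see exactly which SDP fields were rewritten; if alg_inspects() reports False for the destination port in use, the rewrite did not come from the SIP ALG, and the sip-udp-port list (or a leftover 'set helper sip' on the service) is the first thing to check. On the FortiGate itself the active ports can be confirmed with 'show system settings'.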
