SIP UDP Traffic passing without a rule?
Hi all!
In short, we have a server for softphones in our DMZ and internal ToIP servers. All traffic between the servers passes through a FortiGate. All the traffic I'm going to talk about is SIP UDP traffic.
There are some strange things I don't understand. There are differences if I capture traffic from the firewall or from the servers. I don't have a rule allowing the internal server to initiate SIP connections to the DMZ server (Internal-->DMZ:5060), but I do have a rule allowing 5060 traffic from the DMZ server to the internal server (DMZ-->Internal:5060).
1) If I capture SIP traffic from the ToIP servers (internal or external), it seems that it's the internal server that connects to the DMZ server's port 5060. The INVITE packets are from the internal server to the external server:5060.
2) If I capture SIP traffic from the firewall (pcap) or check a debug, it seems that it's the DMZ server that connects to the internal server's port 5060. The INVITE messages are sent from the DMZ server to the internal server:5060.
3) If I check the firewall logs, it's the DMZ server that connects to the internal server on UDP 5060. If I check the reverse traffic, nothing appears in the logs. As in point three.
I'm not sure if all these things happen because I have set default-voip-alg-mode kernel-helper-based. Why do I see the traffic in reverse order in the firewall logs and captures? If the internal server connects to the DMZ server on 5060, why does this traffic work if I don't have a rule to allow it?
Thanks!
Labels: FortiGate, Fortivoice
There was a misunderstanding between the ToIP server administrators and us. The sniffer was not clear but the FW is letting the right thing through. Feel free to delete this post and sorry for the inconvenience.
