Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Voip issues 7.0.9 Upgrade

Because of the latest critical vuln, I needed to upgrade all 50 of my 80/90E fortigates to 7.0.9 from 6.4.x ( I could have gone 6.4.11 but decided it was a good time to make the leap to 7.0.x). Now, I was hasty and didn't fully test, I admit it so don't worry I yelled at myself. Here's what I ran into....these FGT's host Mediatrix FXS devices C700. Basically its a device that will SIP register a certain number of lines to our PBX and then hand that voip signal off via analog. We use a static VIP on the FGT to do a translation and all of the mediatrix are hard-coded with the same local IP; and the FGT translates it outbound (this design was in place before I took over the network, so no comment here).

Basically, I went from 6.4.x (we had many flavors); up to 7.0.9 using Fortimanager to use the approved upgrade path on all. and as soon as I did that it broke SIP registeration on every single one, because the PBX started seeing the internal IP in the register packet instead of the external. I did pcaps on the internal and external interface both before and after, and confirmed that despite the config not changing at all (which support validated), the fgt is handling the packets differently.

6.4.x - packet comes in with SIP contact IP as the internal, and leaves the fgt with the external IP

7.0.9 - packet comes in and leaves with only the internal IP referenced in the packet.


Right now I have everything downgraded to 6.4.11 so the vuln is remediated, but would love to figure this out so I can move to 7.0.9+ at some point

It's hard to say exactly without seeing your full topology—sorry it's still not 100% clear the VOIP traffic paths and where and how and when the NAT is happening.


Chances are though you need to look at the SIP ALG config. Not sure if this is part of your issue but some changes to FW policies between 6.4 and 7.0:


Review these VOIP SIP use-cases and see which one matches your deployment and configure accordingly. Chances are you want to look at HNT. But I need more info to confirm:


Hi Team,



Can you share you this output:

config sys settings
show full | grep voip


config sys session-helper
show full 



and in the VOIP capture on which port it is connecting.

Please keep us posted

New Contributor is an online platform that allows users to manage their prepaid gift card. It offers a variety of features that make it easy for users to manage their Visa Gift Card, including checking the balance, Transaction history, and other Online Account.
You also can view their recent transactions, check for any fraudulent activities, and provide cash assistance. With, Credit cardholders can add and manage multiple credit cards to their account for easy instant transactions and win rewards in-return. is an online website for Target shoppers to check your their visa gift card balance online on the official website by logging on to ““.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors