Because of the latest critical vuln, I needed to upgrade all 50 of my 80/90E FortiGates to 7.0.9 from 6.4.x (I could have gone 6.4.11 but decided it was a good time to make the leap to 7.0.x). Now, I was hasty and didn't fully test; I admit it, so don't worry, I yelled at myself. Here's what I ran into... these FGTs host Mediatrix FXS devices (C700). Basically it's a device that will SIP register a certain number of lines to our PBX and then hand that VoIP signal off via analog. We use a static VIP on the FGT to do a translation, and all of the Mediatrix units are hard-coded with the same local IP; the FGT translates it outbound (this design was in place before I took over the network, so no comment here).
Basically, I went from 6.4.x (we had many flavors) up to 7.0.9 using FortiManager to follow the approved upgrade path on all, and as soon as I did that it broke SIP registration on every single one, because the PBX started seeing the internal IP in the REGISTER packet instead of the external. I did pcaps on the internal and external interface both before and after, and confirmed that despite the config not changing at all (which support validated), the FGT is handling the packets differently.
6.4.x - packet comes in with the SIP Contact IP as the internal address, and leaves the FGT with the external IP.
7.0.9 - packet comes in and leaves with only the internal IP referenced in the packet.
Right now I have everything downgraded to 6.4.11 so the vuln is remediated, but I would love to figure this out so I can move to 7.0.9+ at some point.
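Added example (not from the original poster, not Fortinet code): a small Python check you can run over the text of a SIP REGISTER pulled from the WAN-side pcap, to confirm whether the firewall rewrote the Contact and Via headers to the public address or left the adapter's RFC 1918 address in place, which is exactly the 6.4.x vs 7.0.9 difference described above. All addresses in it are constructed samples (10.0.0.50 for the adapter, 203.0.113.7 for the VIP, 198.51.100.20 for the PBX), and the REGISTER bodies are hand-written, not captured.

```python
"""Audit a WAN-side SIP REGISTER for an un-rewritten private Contact/Via.

All addresses and messages below are constructed for illustration; none
come from a real capture.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# RFC 1918 ranges, checked explicitly so documentation ranges such as
# 203.0.113.0/24 (which ipaddress also flags as "private") are not caught.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Compact header names some endpoints send (RFC 3261 section 7.3.3).
COMPACT = {"m": "contact", "v": "via", "f": "from", "t": "to"}

# Constructed WAN-side REGISTER as it should look after NAT rewrote it.
REGISTER_WAN_REWRITTEN = (
    "REGISTER sip:198.51.100.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-sample1\r\n"
    "From: <sip:line1@198.51.100.20>;tag=abc\r\n"
    "To: <sip:line1@198.51.100.20>\r\n"
    "Contact: <sip:line1@203.0.113.7:5060>\r\n"
    "Expires: 3600\r\n"
    "\r\n"
)

# Constructed WAN-side REGISTER matching the failure symptom: the
# adapter's private address left untouched in Contact and Via.
REGISTER_WAN_UNREWRITTEN = (
    "REGISTER sip:198.51.100.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.50:5060;branch=z9hG4bK-sample2\r\n"
    "From: <sip:line1@198.51.100.20>;tag=abc\r\n"
    "To: <sip:line1@198.51.100.20>\r\n"
    "Contact: <sip:line1@10.0.0.50:5060>\r\n"
    "Expires: 3600\r\n"
    "\r\n"
)


def parse_sip_headers(msg):
    """Return {lowercase header name: [values]} from the header block."""
    headers = {}
    for line in msg.split("\r\n")[1:]:  # [0] is the request line
        if line == "":
            break  # blank line terminates the headers
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    return headers


def first_ipv4(value):
    """First IPv4 literal in a header value, or None."""
    m = IPV4_RE.search(value)
    return m.group(0) if m else None


def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def audit_register(msg, expected_public):
    """Per-header verdict for Contact and Via on a WAN-side capture."""
    headers = parse_sip_headers(msg)
    result = {}
    for name in ("contact", "via"):
        values = headers.get(name, [])
        host = first_ipv4(values[0]) if values else None
        result[name] = {
            "host": host,
            "private": bool(host) and is_rfc1918(host),
            "rewritten": host == expected_public,
        }
    return result


def nat_rewrite_ok(msg, expected_public):
    """True only if both Contact and Via carry the expected public address."""
    return all(h["rewritten"] and not h["private"]
               for h in audit_register(msg, expected_public).values())


if __name__ == "__main__":
    for label, sample in (("rewritten", REGISTER_WAN_REWRITTEN),
                          ("unrewritten", REGISTER_WAN_UNREWRITTEN)):
        print(label, audit_register(sample, "203.0.113.7"))
```

To use it on your own capture, follow the UDP stream of one REGISTER in Wireshark, save it as text, and pass that string with the VIP's external address as `expected_public`; a `private: True` on the WAN side is the 7.0.9 symptom in the post, and the same check on the LAN-side capture should report the adapter's address for both firmware versions.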