FortiGate
preznik_FTNT
Staff

Description
In FortiOS 5.2, all SIP and SCCP (Skinny) traffic is now processed by the VoIP ALG by default*.  

*If starting from a factory default configuration in FortiOS 5.2.  If upgrading from FortiOS 5.0, you may find that the setting is kernel-helper-based for the purposes of backward compatibility.

This is important for cases in which a VoIP profile has not explicitly been applied to a firewall policy. 

You can change the default setting using the following command:

config system settings
set default-voip-alg-mode {proxy-based | kernel-helper-based}
end

The default is proxy-based, which means the VoIP ALG is used. If set to kernel-helper-based, the SIP session helper is used for SIP traffic, and SCCP traffic is not processed.
If a SIP or SCCP session is accepted by a firewall policy with a VoIP profile, the session is processed using the VoIP ALG even if default-voip-alg-mode is set to kernel-helper-based.

If a SIP or SCCP session is accepted by a firewall policy that does not include a VoIP profile:

    If default-voip-alg-mode is set to proxy-based, SIP and SCCP traffic is processed by the VoIP ALG/Proxy using the default VoIP profile.
    If default-voip-alg-mode is set to kernel-helper-based, SCCP traffic is not processed, and SIP traffic is processed by the SIP session helper. If the SIP session helper has been removed, then no SIP processing takes place.
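
The rules above, applied to a configuration backup to report which handler each firewall policy gets for SIP and SCCP. This is an added example, not Fortinet's code or part of the original article. It assumes the usual backup text layout, a session-helper entry named sip, and `set voip-profile` inside `config firewall policy`; the function names are hypothetical and the sample configuration is constructed.

```python
import re

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
config firewall policy
    edit 1
        set voip-profile "default"
    next
    edit 2
        set service "SIP"
    next
end
"""

def section(config, name):
    """Return the body of a top-level 'config <name>' block, or '' if absent."""
    m = re.search(rf"^config {re.escape(name)}\n(.*?)^end$", config, re.M | re.S)
    return m.group(1) if m else ""

def voip_handling(config):
    """Map each firewall policy ID to the (SIP, SCCP) handlers for its sessions."""
    m = re.search(r"set default-voip-alg-mode (\S+)", section(config, "system settings"))
    # The article gives proxy-based as the default, so a missing line is read as that.
    mode = m.group(1) if m else "proxy-based"
    has_helper = bool(re.search(r'set name "?sip"?\s', section(config, "system session-helper")))
    result = {}
    policies = re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next$",
                          section(config, "firewall policy"), re.M | re.S)
    for pid, body in policies:
        if "set voip-profile " in body:          # explicit profile always wins
            result[int(pid)] = ("voip-alg", "voip-alg")
        elif mode == "proxy-based":              # ALG with the default VoIP profile
            result[int(pid)] = ("voip-alg-default-profile", "voip-alg-default-profile")
        else:                                    # kernel-helper-based
            result[int(pid)] = ("sip-session-helper" if has_helper else "none", "none")
    return result

if __name__ == "__main__":
    for pid, (sip, sccp) in voip_handling(SAMPLE_CONFIG).items():
        print(f"policy {pid}: SIP -> {sip}, SCCP -> {sccp}")
```

A result of "none" means the traffic is accepted by the policy but gets no SIP or SCCP processing.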

Monitored ports for SIP and SCCP traffic can be configured using the following CLI commands:

config system settings
set sip-ssl-port <port_number>
set sip-tcp-port <port1_int> [<port2_int>]
set sip-udp-port <port_number>
set sccp-port <port_number>
end