FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article shows some useful commands for troubleshooting SIP traffic.

Several commands are used to troubleshoot this issue, depending on the mode used by firewall (sip session-helper or SIP-ALG).

Generally, troubleshooting voip issues is done in few steps:
- Getting a simple network diagram with addresses clearly indicated for SIP server, Audio server, FortiGate interfaces (NAT if used), client IP, etc.
- Checking what kind of SIP inspection is used/configured on the FortiGate / in the policies (backup of configuration, specifying the VDOM/ policy ID#)
- Capturing and analyzing the traffic between host and SIP server over FortiGate (traffic capture for destination server IP, or for port 5060)
- Isolating the issue to FortiGate by disabling SIP inspection (or specifying how FortiGate is expected to open the audio ports for calls)
- Collecting the sip debug if the problem is not identified or not clearly fixable

SIP debug can be enabled and collected as follows.
This is useful when the action taken be the firewall is clearly understood and configured, but still considered wrong.
Simultaneously, a packet capture is necessary (on another SSH connection):

# diagnose debug disable
# diagnose debug reset
# diagnose debug application sip -1
# diagnose debug enable

Diagnosing calls

Use following commands to display status information about the SIP sessions being processed by the SIP ALG.

# diagnose sys sip-proxy calls list
# diagnose sys sip-proxy stats       <----- This is the most useful as it shows what type of packets are blocked.
# diagnose sys sip-proxy stats clear <----- To clear the old statistics and make recent tests more obvious.
# diagnose sys sip status
# diagnose sys sip dialog list
# diagnose sys sip mapping list

There are 4 columns:

Received: packets of certain type that FortiGate received. These are packets seen as passing over the FortiGate (no action taken by FortiGate)
Blocked: packets that the FortiGate actively blocked. They can be either ‘request’ or ‘response’
Unknown form: The header may be familiar to FortiGate but the content may have certain extensions or field contents that are not recognized, or completely strange in format. Unknown SIP requests are by default blocked (set block-unknown enable). Malformed headers are by default set to pass in the SIP section of the default voip profile
Long headers: Certain packets contain a lot of non-standard extensions than enhance the SIP call. But this data needs more space on a header’s line. Long lines/headers are by default blocked (set block-long-lines enable)

UNKNOWN: Generally these are keep-alive packets (no relevant data).
If blocked, calls may drop after a certain time when the session times out. Fix: set block-unknown disable in default voip profile (or particular voip profile used in policy).
ACK: (not usually a problem. If needed, SIP profile can be set block-ack enable ).
BYE: (not usually a problem. If needed, SIP profile can be set block-bye enable ).
CANCEL: (not usually a problem. If needed, SIP profile can be set block-cancel enable ).
INFO: (not usually a problem. If needed, SIP profile can be set block-info enable ).
INVITE: Only a problem if blocked. Packet capture and sip debug can tell why a ‘legitimate’ INVITE is blocked. Usually it is caused by mismatching fields.
MESSAGE: (not usually a problem. If needed, SIP profile can be set block-message enable ).
NOTIFY: (not usually a problem. If needed, SIP profile can be set block-notify enable ).
OPTIONS: (not usually a problem. If needed, SIP profile can be set block-options enable ).
PRACK: Provisional Response Ack - Adds RSeq and Rack headers (not blocked by default - set block-prack disable, rate can be changed) .
REFER: (not usually a problem. If needed, SIP profile can be set block-refer enable ).
REGISTER - if blocked counter is increasing, they may be fraudulent external attempts trying register to use your SIP server. However, if your phone can’t register, you should check the blocked column. When ‘received req’ increases, but ‘received resp’ is not increasing = the SIP server does not recognize or refuses to respond to these requests (troubleshooting generally on SIP server).
SUBSCRIBE: (not usually a problem).
UPDATE: (not usually a problem. If needed, SIP profile can be set block-update enable ).
PING: (not usually a problem. Rarely used).
According to the output of '# diagnose sys sip-proxy stats', it is possible to make adjustments on the default voip profile,
or create a new profile to be used in policies. Common changes are highlighted:
# config voip profile
(profile) # edit default
(default) # config sip
# set ?
status                                  Enable/disable SIP.
rtp                                     Enable/disable create pinholes for RTP traffic to traverse firewall.
nat-port-range                          RTP NAT port range.
open-register-pinhole                   Enable/disable open pinhole for REGISTER Contact port.
open-contact-pinhole                    Enable/disable open pinhole for non-REGISTER Contact port.
open-via-pinhole                        Enable/disable open pinhole for Via port.
open-record-route-pinhole               Enable/disable open pinhole for Record-Route port.
Usually, user wants to open these pinholes.
Keeping them closed may prevent SIP from functioning properly through the FortiGate.
It can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session).
strict-register                         Enable/disable only allow the registrar to connect.
register-rate                           REGISTER request rate limit (per second, per policy).
invite-rate                             INVITE request rate limit (per second, per policy).
max-dialogs                             Maximum number of concurrent calls/dialogs (per policy).
max-line-length                         Maximum SIP header line length (78-4096).
block-long-lines                        Enable/disable block requests with headers exceeding max-line-length.
block-unknown                           Block unrecognized SIP requests (enabled by default).
call-keepalive                          Continue tracking calls with no RTP for this many minutes.
block-ack                               Enable/disable block ACK requests.
block-bye                               Enable/disable block BYE requests.
block-cancel                            Enable/disable block CANCEL requests.
block-info                              Enable/disable block INFO requests.
block-invite                            Enable/disable block INVITE requests.
block-message                           Enable/disable block MESSAGE requests.
block-notify                            Enable/disable block NOTIFY requests.
block-options                           Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
block-prack                             Enable/disable block prack requests.
block-publish                           Enable/disable block PUBLISH requests.
block-refer                             Enable/disable block REFER requests.
block-register                          Enable/disable block REGISTER requests.
block-subscribe                         Enable/disable block SUBSCRIBE requests.
block-update                            Enable/disable block UPDATE requests.
register-contact-trace                  Enable/disable trace original IP/port within the contact header of REGISTER requests.
rfc2543-branch                          Enable/disable support via branch compliant with RFC 2543.
log-violations                          Enable/disable logging of SIP violations.
log-call-summary                        Enable/disable logging of SIP call summary.
nat-trace                               Enable/disable preservation of original IP in SDP i line.
subscribe-rate                          SUBSCRIBE request rate limit (per second, per policy).
message-rate                            MESSAGE request rate limit (per second, per policy).
notify-rate                             NOTIFY request rate limit (per second, per policy).
refer-rate                              REFER request rate limit (per second, per policy).
update-rate                             UPDATE request rate limit (per second, per policy).
options-rate                            OPTIONS request rate limit (per second, per policy).
ack-rate                                ACK request rate limit (per second, per policy).
prack-rate                              PRACK request rate limit (per second, per policy).
info-rate                               INFO request rate limit (per second, per policy).
publish-rate                            PUBLISH request rate limit (per second, per policy).
bye-rate                                BYE request rate limit (per second, per policy).
cancel-rate                             CANCEL request rate limit (per second, per policy).
preserve-override                       Override i line to preserve original IPS (default: append).
no-sdp-fixup                            Enable/disable no SDP fix-up.
contact-fixup                           Fixup contact anyway even if contact's IP:port doesn't match session's IP:port.
max-idle-dialogs                        Maximum number established but idle dialogs to retain (per policy).
block-geo-red-options                   Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
hosted-nat-traversal                    Hosted NAT Traversal (HNT).
hnt-restrict-source-ip                  Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
max-body-length                         Maximum SIP message body length (0 meaning no limit).
unknown-header                          Action for unknown SIP header.
malformed-request-line                  Action for malformed request line.
malformed-header-via                    Action for malformed VIA header.
malformed-header-from                   Action for malformed From header.
malformed-header-to                     Action for malformed To header.
malformed-header-call-id                Action for malformed Call-ID header.
malformed-header-cseq                   Action for malformed CSeq header.
malformed-header-rack                   Action for malformed RAck header.
malformed-header-rseq                   Action for malformed RSeq header.
malformed-header-contact                Action for malformed Contact header.
malformed-header-record-route           Action for malformed Record-Route header.
malformed-header-route                  Action for malformed Route header.
malformed-header-expires                Action for malformed Expires header.
malformed-header-content-type           Action for malformed Content-Type header.
malformed-header-content-length         Action for malformed Content-Length header.
malformed-header-max-forwards           Action for malformed Max-Forwards header.
malformed-header-allow                  Action for malformed Allow header.
malformed-header-p-asserted-identity    Action for malformed P-Asserted-Identity header.
malformed-header-sdp-v                  Action for malformed SDP v line.
malformed-header-sdp-o                  Action for malformed SDP o line.
malformed-header-sdp-s                  Action for malformed SDP s line.
malformed-header-sdp-i                  Action for malformed SDP i line.
malformed-header-sdp-c                  Action for malformed SDP c line.
malformed-header-sdp-b                  Action for malformed SDP b line.
malformed-header-sdp-z                  Action for malformed SDP z line.
malformed-header-sdp-k                  Action for malformed SDP k line.
malformed-header-sdp-a                  Action for malformed SDP a line.
malformed-header-sdp-t                  Action for malformed SDP t line.
malformed-header-sdp-r                  Action for malformed SDP r line.
malformed-header-sdp-m                  Action for malformed SDP m line.
provisional-invite-expiry-time          Expiry time for provisional INVITE (10 - 3600 sec).
ips-rtp                                 Enable/disable allow IPS on RTP.
ssl-mode                                SSL/TLS mode for encryption & decryption of traffic.
Troubleshooting SIP-helper is not as easy, as we can only check whether the session expectation is created correctly.
Also, with SIP session-helper there are not many changes that can be operated for special topologies.
Since SIP session-helper is not commonly used, this guide will not focus on troubleshooting it.
# diagnose sys sip stat <----- Can be used to check if the sip-helper is used.
Related links.


Related Articles

Technical Tip: VOIP calls (using SIP)

Technical Tip: Disabling VoIP Inspection

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: How to use the SIP ALG to prevent unwanted calls

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2