FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff

Description
This article describes one possible quick fix for SIP calls that stop working (VoIP calls fail or have no audio) after a FortiGate is deployed in the network.

General considerations.

When the FortiGate replaces a router that performed no VoIP inspection, the following must be considered.

Registration.

To allow a SIP call to establish, a phone (or softphone) must first register with a SIP server; this signalling is done on port 5060.
SIP signalling, generally on port 5060, is normally allowed as outgoing traffic.
There are cases where the SIP server is on the internal network, or where the registration is initiated by the SIP server (for example, following an HTTPS request).
In these cases port 5060 must also be opened from the outside through a VIP.

Calls.

For a phone call to establish, an INVITE is sent to the SIP server over port 5060. In the SDP body of this packet, the audio (RTP) port is negotiated.
The FortiGate must have visibility of this packet, read the negotiated port, and create a 'blank' session for it in advance; otherwise, when the RTP packets arrive, no session matches them and they are dropped.
These sessions are called expectations (session-expectations).

Visibility > one of two mechanisms MUST be enabled: the SIP session helper (sip-helper, the default in older FortiOS releases) or the SIP ALG (the default in newer releases; see the related article below on FortiOS 5.2).
With no visibility, the FortiGate will not create a session-expectation and will not allow the RTP traffic.

Solution
In certain cases, and as some SIP server vendors recommend, it is required to disable SIP inspection completely on the FortiGate.

Make sure to understand the requirements of the SIP vendor before doing this!

Once BOTH SIP mechanisms are disabled, the FortiGate no longer opens the negotiated audio port dynamically per call, so the RTP ports MUST be opened manually through a VIP.

It is necessary to create a VIP that accommodates the range of UDP ports that is specified by the SIP provider for RTP/audio.
Failing to do so will likely result in one-way audio (outgoing audio is OK, but the remote side cannot be heard), because the inbound RTP stream has no session to match.

Also make sure that the SIP phone is configured to use the same range of audio ports that the VIP forwards.
Failing to do so will likely result in no audio or one-way audio, because RTP arriving on a port outside the forwarded range is dropped.
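The following FortiOS CLI walkthrough is an added example, not part of the original article, covering both the visibility check described under Calls and the manual VIP workaround above. The interface names (wan1, internal), the external IP 203.0.113.10, the phone/PBX address 192.168.1.50 and the RTP range 10000-20000 are assumed placeholders; substitute the provider's documented media range. The session-helper index for the "sip" entry varies between builds, so confirm it with `show` before deleting.

```text
# --- 1. Check which SIP mechanism is currently active ---
config system settings
    get | grep -i sip        # sip-helper, sip-nat-trace, default-voip-alg-mode (and sip-expectation on 6.0+)
end
config system session-helper
    show                     # find the entry whose name is "sip"; the index below assumes it is 13
end

# --- 2. Disable both SIP mechanisms (only if the SIP vendor requires it) ---
config system session-helper
    delete 13                # assumed index of the "sip" entry found above
end
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper disable
    set sip-nat-trace disable
    set sip-expectation disable   # keyword exists on FortiOS 6.0 and later
end
# Also remove any VoIP profile from the firewall policies that carry SIP traffic.

# --- 3. Forward the provider's RTP range (assumed 10000-20000) to the phone/PBX ---
config firewall vip
    edit "VIP-RTP-10000-20000"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 10000-20000
        set mappedip "192.168.1.50"
        set mappedport 10000-20000
    next
    edit "VIP-SIP-5060"          # only when registration is initiated from outside
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 5060
        set mappedip "192.168.1.50"
        set mappedport 5060
    next
end

config firewall service custom
    edit "RTP-10000-20000"
        set udp-portrange 10000-20000
    next
end

config firewall policy
    edit 0
        set name "Inbound-RTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"        # tighten to the provider's media IP addresses where documented
        set dstaddr "VIP-RTP-10000-20000"
        set action accept
        set schedule "always"
        set service "RTP-10000-20000"
    next
end

# --- 4. Verify during a test call: both RTP directions should show a session ---
diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session filter dst 192.168.1.50
diagnose sys session list
```

With helper and ALG disabled the FortiGate no longer creates per-call expectations, so the whole RTP range stays permanently reachable from any source the policy allows; restrict `srcaddr` to the provider's media addresses rather than "all" whenever the provider publishes them, and keep the 5060 VIP out of the configuration unless registration really is initiated from outside.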

Related links.
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/858887/voip-solutions
https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/858887/voip-solutions
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/FortiGate_6_0/fortigate-sip-603.pdf
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=fortigate-voip-sip-521pdf

Related Articles

Technical Tip: Disabling VoIP Inspection

Technical Tip: SIP useful Commands

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: How to use the SIP ALG to prevent unwanted calls

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2
