We are having sporadic, highly random processes where individual phones will fail to register. I have created a policy allowing traffic on these ports (all services for now) out of our internal LAN (currently, the phones are on the primary LAN with no VLANs). I have also made the following changes:
Ensured DNS filter and IPS were disabled (this seemed to cause issues)
Deleted the SIP Helper
Set SIP-ALG to kernel-helper-based instead of proxy-based
Set sip-helper disable
Set sip-nat-trace disable
Disabled RTP in the VoIP profile
This has lessened the issue, but has not resolved the issue. Oddly enough, resetting one of the Yealink phones to factory will fix its registration issues for a time, but they can come back. I contacted Fortinet support, and they demonstrated the traffic appears to get through, but I have not had this issue until we switched from an Untangle U150 firewall to the FortiGate, and I don't know where else to point.
I have several packet captures of phones booting up that I could supply on request. If anyone could provide suggestions or assist, I'd greatly appreciate it.
The usual suspect for this kind of symptom is SIP session helper or ALG. But you already disabled both. Then I would try capturing packets at the outbound interface when a phone goes off-line. The phones and the server must be exchanging packets periodically to confirm they're still there, or changed IP or moved the location. Something must go wrong when they get unregistered.
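An added example, not posted by either participant: one way to read such an outbound-interface capture is to pair each REGISTER with its final response by Call-ID and CSeq, so retransmitted requests that never get an answer stand out. The messages, addresses and Call-IDs below are constructed, and the function names are hypothetical; it assumes the SIP text has already been exported from the capture with timestamps.

```python
import re

def msg(start, call_id, cseq):
    # Build a minimal SIP message with CRLF line endings (constructed sample data).
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq} REGISTER\r\n\r\n"

REQ = "REGISTER sip:pbx.example.com SIP/2.0"
# Constructed capture: (seconds, raw SIP text) seen on the outbound interface.
SAMPLE = [
    (0.0, msg(REQ, "a1@10.0.0.21", 1)),
    (0.1, msg("SIP/2.0 401 Unauthorized", "a1@10.0.0.21", 1)),
    (0.2, msg(REQ, "a1@10.0.0.21", 2)),
    (0.3, msg("SIP/2.0 200 OK", "a1@10.0.0.21", 2)),
    (60.0, msg(REQ, "b7@10.0.0.22", 1)),   # second phone: request leaves...
    (60.5, msg(REQ, "b7@10.0.0.22", 1)),   # ...is retransmitted...
    (61.5, msg(REQ, "b7@10.0.0.22", 1)),   # ...and no reply ever comes back
]

def header(raw, name):
    # Long-form header lookup only; compact header forms are not handled.
    m = re.search(rf"^{name}\s*:\s*(.+?)\s*$", raw, re.I | re.M)
    return m.group(1) if m else None

def register_outcomes(messages):
    """Map (Call-ID, CSeq number) -> {'sent': [timestamps], 'final': status or None}."""
    txns = {}
    for ts, raw in messages:
        start = raw.split("\r\n", 1)[0]
        call_id, cseq = header(raw, "Call-ID"), header(raw, "CSeq")
        if not call_id or not cseq or not cseq.upper().endswith("REGISTER"):
            continue
        txn = txns.setdefault((call_id, int(cseq.split()[0])),
                              {"sent": [], "final": None})
        if start.startswith("REGISTER "):
            txn["sent"].append(ts)          # request, including retransmissions
        elif start.startswith("SIP/2.0 "):
            status = int(start.split()[1])
            if status >= 200:               # 1xx responses are provisional, not final
                txn["final"] = status
    return txns

def unanswered(messages):
    """REGISTER transactions that were sent but never received a final response."""
    return sorted(k for k, t in register_outcomes(messages).items()
                  if t["sent"] and t["final"] is None)

if __name__ == "__main__":
    for call_id, cseq in unanswered(SAMPLE):
        print(f"no final response: Call-ID={call_id} CSeq={cseq}")
```

Running the same pairing on captures from both the internal and the outbound interface shows on which side of the firewall the request or the reply goes missing.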