Technical Note: Disabling VoIP Inspection
Products
FortiGate
Description
This article explains how to disable the SIP or SCCP proxy/ALG or the session helper (legacy ALG). In this mode, the FortiGate acts as a basic firewall for the VoIP traffic.

In most cases, Fortinet recommends the use of SIP/SCCP proxy/ALG.

Use of an Application Layer Gateway (ALG) allows for:

1) Modification of IP addresses in the application payload when NAT is used.
2) Dynamic opening of data ports ("pinholes") as required to allow audio traffic. Otherwise, firewall policies need to statically open a wide range of ports.
3) Inspection and logging of VoIP traffic (using the ALG/proxy instead of the session helper).

For more details on the benefits of the SIP ALG in FortiOS, as well as information on how to troubleshoot SIP issues, please consult the VoIP Solutions section of the FortiOS Handbook. This is available in the Fortinet Document Library.

Reasons to disable VoIP inspection might include:

1) Troubleshooting (to isolate the problem).
2) As a workaround, either to address incorrect FortiGate SIP ALG behavior or to allow non-standard SIP handling in the overall VoIP deployment.
Solution
Since FortiOS 5.2, the FortiOS default is for all SIP traffic to be handled by the FortiOS proxy/ALG.
(See the related article "SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2")

In FortiOS 5.0, if no VoIP profile is applied, the SIP session helper is used.

Preparation:

In preparation for removing SIP proxy & session helper functionality, two steps are required.

1) Modify SIP server (if NAT is used)

If the SIP traffic is NAT'd when passing through the FortiGate, the SIP server must be configured to use its public IP address in the application header. All other VoIP equipment must also refer to the SIP server by its public IP.

2) Open up firewall policies on the FortiGate

Firewall policies must now explicitly allow all UDP ports to be opened for the audio traffic (and not only the SIP or SCCP control ports).

Below are the steps involved in disabling the SIP session helper:

1) Removing the session helper.

Run the show command under system session-helper:

#config system session-helper
    show
Among the displayed settings will be one similar to the following example:
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
Here entry 13 is the one which points to SIP traffic, which uses UDP port 5060 for signaling.
In this example, the next commands to remove the corresponding entry would be:

#delete 13
    end
Note: The SIP entry is not necessarily number 13, so cross-check which entry carries the sip helper settings before deleting it.
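Because the SIP helper entry is not necessarily number 13, the following Python script (an added example, not part of the Fortinet article) parses the show output of config system session-helper, locates every entry whose name is sip regardless of its ID, and prints the matching delete commands. The show output embedded in it is constructed sample data, not captured from a real unit.

```python
import re

# Constructed sample of the "show" output under "config system session-helper".
# Example data only, not captured from a real FortiGate.
SAMPLE_SHOW = """
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 12
        set name sip
        set protocol 6
        set port 5060
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
"""

# One "edit <id> ... next" block per session helper entry.
ENTRY_RE = re.compile(r"edit\s+(\d+)\s+(.*?)\s+next", re.DOTALL)

def parse_session_helpers(show_output):
    """Return (id, name, protocol, port) for every entry in the show output."""
    helpers = []
    for m in ENTRY_RE.finditer(show_output):
        settings = dict(re.findall(r"set\s+(\S+)\s+(\S+)", m.group(2)))
        helpers.append((int(m.group(1)), settings.get("name"),
                        int(settings.get("protocol", 0)), int(settings.get("port", 0))))
    return helpers

def sip_helper_ids(show_output):
    """IDs of every entry whose helper name is 'sip', whatever its protocol/port."""
    return [h[0] for h in parse_session_helpers(show_output) if h[1] == "sip"]

def delete_commands(show_output):
    """Build the CLI lines that remove each SIP helper entry found."""
    ids = sip_helper_ids(show_output)
    if not ids:
        return []
    return ["config system session-helper"] + [f"    delete {i}" for i in ids] + ["end"]

if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE_SHOW)))
```

Paste the real show output in place of the sample and review the printed commands before entering them on the unit.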

2) Change the default-voip-alg-mode.

Run the following commands:

#config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper disable
    set sip-nat-trace disable
end
By default, the default-voip-alg-mode is set to proxy-based.

IMPORTANT Note: Since version 6.2.2, the CLI command is different:
#config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-expectation disable
    set sip-nat-trace disable
end
3) Either clear sessions or reboot to make sure changes take effect

a) To clear sessions

Ideally, only the sessions related to VoIP traffic are deleted. However, in the case of SIP, this means deleting not only the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. Knowing the port range used for the audio traffic, the sessions to clear can be selected by first applying a filter as follows:

#diagnose system session filter ...
Note: See the related article "Troubleshooting Tip : FortiGate Firewall session list information".

The command to clear sessions applies to ALL sessions unless a filter is applied, and will therefore interrupt traffic. The command is as follows:

#diagnose system session clear
b) Alternatively, reboot the FortiGate using either the GUI or the CLI. The CLI command is:
#execute reboot
Special Note: Disabling SIP session helper with VDOMs enabled.

If VDOMs are enabled, disable the session helper from global as the session helper setting is a global parameter and is not available under any particular VDOM.

FGT# config global
FGT(global)# config system session-helper
Since this is a global setting, removing or disabling the session-helper globally affects all the VDOMs.

There might be scenarios where one VDOM, let's say VDOM-A, must keep using the session helper for SIP traffic processing, while VDOM-B needs the session helper disabled so that SIP traffic passing through VDOM-B is not inspected by it.

In such cases, the following settings can be used:

FGT# config firewall service custom
FGT(custom)# edit Helper-disable
FGT(Helper-disable)# set protocol IP
FGT(Helper-disable)# set helper disable
FGT(Helper-disable)# end

Once the above custom service with the helper set to disabled has been created, it must be referenced in the corresponding firewall policy that allows the SIP traffic.

This ensures that the session helper does not process the SIP traffic, provided the traffic hits the policy where the custom service named Helper-disable is applied.
Related Articles
Troubleshooting Tip: FortiGate session table information
Technical Tip: Enabling the SIP Application Layer Gateway (ALG) on a FortiGate unit
SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2
Technical Note: Enhance SIP security with SIP ALG by opening smaller pinholes
FortiOS Handbook: VoIP Solutions: SIP for FortiOS 5.2.1
Last Modified Date: 10-16-2019 Document ID: FD36405