Not necessarily limited to Fortinet.
An ALG is an application layer gateway. These helpers are used where a protocol embeds information about the IP endpoints in the protocol payload itself; SIP, for example, carries the endpoint IP address inside its messages. This is fine unless the TCP headers are rewritten in transit, i.e. with NAT, which is why SIP traditionally did not work well behind NAT.
What an ALG helper does is apply the same address changes the NAT rules make to the headers to the addresses carried in the protocol payload.
This is no longer always a good thing.
So even after making sure you have rules and policies that allow the SIP traffic in and out, you may wish to disable the SIP ALG helper.
How to disable per VDOM
FGT-FW1 # c v
FGT-FW1 (vdom) # edit TEST
current vf=TEST:5
FGT-FW1 (TEST) # config voip profile
FGT-FW1 (profile) # edit default
FGT-FW1 (default) # config sip
FGT-FW1 (sip) # show
FGT-FW1 (sip) # set status disable
FGT-FW1 (sip) # end
FGT-FW1 (default) # next
FGT-FW1 (profile) # show
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set status disable
        end
    next
end
FGT-FW1 (profile) # end
FGT-FW1 (TEST) # config system settings
FGT-FW1 (settings) # set default-voip-alg-mode kernel-helper-based
FGT-FW1 (settings) # set sip-nat-trace disable
FGT-FW1 (settings) # set sip-helper disable
FGT-FW1 (settings) # end
FGT-FW1 (TEST) #
Basically three settings under config system settings (default-voip-alg-mode, sip-nat-trace, sip-helper), and one in the default VoIP profile (config sip, set status disable).
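Once the change is made, it is worth being able to verify it from a saved config rather than by re-reading CLI sessions. The following is an added example, not code from the original post or from Fortinet: a small Python parser for the nested config/edit/set/next/end block format shown above, plus a check that reports which of the four SIP ALG settings in a VDOM are not in the disabled state described here. It assumes the input is the per-VDOM config text with explicit values (as from show full-configuration); a setting that is missing is reported as a finding rather than assumed to be at its default. The two sample configs below are constructed for the example.

```python
import shlex

# Added example (not from the original post). Parses FortiOS-style config text
# and audits the SIP ALG settings discussed above.

def parse_fortios(text):
    """Parse FortiOS config blocks into nested dicts.

    'config x' opens a section, 'edit y' opens a table entry inside it,
    'set k v...' stores a value, and 'next'/'end' close the entry/section.
    Only these keywords are handled; 'unset' and others are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours quoted values like "default"
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            key = " ".join(args)
            stack.append(stack[-1].setdefault(key, {}))
        elif cmd == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


# The four settings from the procedure above and the values that disable the ALG.
EXPECTED = {
    ("system settings", "sip-helper"): "disable",
    ("system settings", "sip-nat-trace"): "disable",
    ("system settings", "default-voip-alg-mode"): "kernel-helper-based",
    ("voip profile", "default", "sip", "status"): "disable",
}


def lookup(cfg, path):
    """Walk a path of keys through the parsed config; None if any part is absent."""
    node = cfg
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def sip_alg_findings(text):
    """Return one line per SIP ALG setting that is not in the disabled state."""
    cfg = parse_fortios(text)
    findings = []
    for path, want in EXPECTED.items():
        got = lookup(cfg, path)
        if got != want:
            findings.append(f"{' > '.join(path)}: expected {want!r}, found {got!r}")
    return findings


# Constructed sample: SIP ALG still active (helper and profile both enabled).
WEAK_CONFIG = """
config system settings
    set sip-helper enable
    set sip-nat-trace enable
    set default-voip-alg-mode proxy-based
end
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set status enable
        end
    next
end
"""

# Constructed sample: the state reached by the CLI session above.
HARDENED_CONFIG = """
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-nat-trace disable
    set sip-helper disable
end
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set status disable
        end
    next
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = sip_alg_findings(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against a config backup one VDOM at a time; because plain show output omits values that are still at their defaults, feed it the full-configuration form so that an untouched sip-helper shows up as a finding instead of silently passing.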