Not necessarily limited to Fortinet….

An ALG is an application layer gateway and these helpers are used in some cases where the protocol embeds data about the IP endpoints in the protocol itself. e.g. SIP contains the endpoint IP address in the protocol. This is fine unless the TCP headers are changed along the way. i.e with NAT. This is why traditionally SIP didn’t work well with NAT.
What an ALG helper does is apply the NAT rules changes to the data in the protocol itself.
This is not always a good thing now.

So even after making sure you have rules and policies to allow the SIP traffic in/out, you may wish to disable the ALG sip helper.

How to disable per VDOM

FGT-FW1# c v

FGT-FW1(vdom) # edit TEST
current vf=TEST:5

FGT-FW1(TEST) # config voip profile

FGT-FW1(profile) # edit default

FGT-FW1(default) # config sip

FGT-FW1(sip) # show

FGT-FW1(sip) # set status disable

FGT-FW1(sip) # end

FGT-FW1(default) # next

FGT-FW1(profile) # show
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set status disable

FGT-FW1(profile) # end

FGT-FW1(TEST) # config system settings

FGT-FW1(settings) # set default-voip-alg-mode kernel-helper-based

FGT-FW1(settings) # set sip-nat-trace disable

FGT-FW1(settings) # set sip-helper disable

FGT-FW1(settings) # end


Basically 3 things in the config system settings area, and one in the default voip profile

Fortinet ALG and SIP
Tagged on:         

One thought on “Fortinet ALG and SIP

  • 2024-02-13 at 1:42 pm

    With newer FortiOS, “set sip-helper disable” is gone

    Instead delete the session helper

    config system session-helper
    (session-helper) # show | grep -f sip
    config system session-helper
    edit 13
    set name sip <—
    set protocol 17
    set port 5060

    (session-helper) # delete 13

    NCHCRTR02 (session-helper) # end


Leave a Reply

Your email address will not be published. Required fields are marked *