Not necessarily limited to Fortinet: the general point applies to any firewall with a SIP helper, only the CLI steps below are FortiGate-specific.

An ALG (application layer gateway) is a helper used for protocols that embed the IP endpoints inside the protocol payload. SIP is the classic case: the Via and Contact headers and the SDP body carry the phone's own IP address and ports. That is fine until something rewrites the IP and UDP/TCP headers along the way, i.e. NAT: the outer headers then say one address while the payload still says the private one. This is why SIP traditionally did not work well through NAT.
What a SIP ALG helper does is apply the same NAT translation to the addresses and ports inside the SIP payload (and fix up the SDP and Content-Length accordingly).
That is not always a good thing any more: most current phones, PBXs and SIP trunk providers handle NAT themselves (STUN, a configured external address, keep-alives, or a session border controller), and an ALG rewriting messages that are already correct tends to cause more problems than it solves (failed registrations, one-way audio).

So even after making sure you have rules and policies to allow the SIP traffic in/out, you may wish to disable the SIP ALG helper.
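To make the NAT problem concrete, here is an added example (not from the original post, and not Fortinet code) that does in a few lines what a SIP ALG does: it pulls the addresses out of a SIP INVITE, decides whether they are RFC 1918 addresses that NAT alone would leave wrong, rewrites them the way the ALG would and recomputes Content-Length. The INVITE, the phone address 192.168.1.20, the public address 203.0.113.5 and the port mapping are all constructed for the illustration. The second message shows the other half of the argument: a phone that already learned its public mapping (via STUN, for instance) sends a message the ALG has nothing to fix.

```python
"""What a SIP ALG rewrites, and when it is needed. Added example; addresses,
ports and the INVITE itself are constructed, not captured from a real call."""
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_message(request_line, headers, body):
    """Assemble a SIP message, setting Content-Length from the real body size."""
    hdrs = [h for h in headers if not h.lower().startswith("content-length:")]
    hdrs.append(f"Content-Length: {len(body.encode())}")
    return request_line + "\r\n" + "\r\n".join(hdrs) + "\r\n\r\n" + body


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def embedded_addresses(msg):
    """IPv4 addresses carried inside Via/Contact and the SDP o=/c= lines.
    NAT rewrites the IP header but never looks here, hence the ALG."""
    _, headers, body = split_message(msg)
    found = set()
    for line in headers:
        if line.lower().startswith(("via:", "contact:")):
            found.update(IPV4.findall(line))
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            found.update(IPV4.findall(line))
    return found


def needs_alg(msg):
    """True when the payload advertises an RFC 1918 address, i.e. the far end
    could not reach it without someone rewriting the message."""
    return any(ipaddress.ip_address(a) in net
               for a in embedded_addresses(msg) for net in RFC1918)


def alg_rewrite(msg, inside_ip, outside_ip, port_map):
    """Mimic the ALG: apply the NAT translation to Via/Contact and the SDP,
    then rebuild the message so Content-Length matches the new body."""
    request_line, headers, body = split_message(msg)

    def fix_header(line):
        for inside_port, outside_port in port_map.items():
            line = line.replace(f"{inside_ip}:{inside_port}", f"{outside_ip}:{outside_port}")
        return line.replace(inside_ip, outside_ip)

    def fix_sdp(line):
        if line.startswith("m="):                    # m=audio <port> RTP/AVP ...
            fields = line.split()
            fields[1] = str(port_map.get(int(fields[1]), fields[1]))
            return " ".join(fields)
        return line.replace(inside_ip, outside_ip)   # o= and c= lines

    new_headers = [fix_header(h) if h.lower().startswith(("via:", "contact:")) else h
                   for h in headers]
    new_body = "\r\n".join(fix_sdp(l) for l in body.split("\r\n"))
    return build_message(request_line, new_headers, new_body)


def content_length(msg):
    """Content-Length as advertised in the headers (None if absent)."""
    for h in split_message(msg)[1]:
        if h.lower().startswith("content-length:"):
            return int(h.split(":", 1)[1])
    return None


def make_invite(ip, sip_port, rtp_port):
    """Constructed INVITE: the address appears in Via, Contact, o= and c=."""
    sdp = (f"v=0\r\n"
           f"o=alice 2890844526 2890844526 IN IP4 {ip}\r\n"
           f"s=-\r\n"
           f"c=IN IP4 {ip}\r\n"
           f"t=0 0\r\n"
           f"m=audio {rtp_port} RTP/AVP 0\r\n")
    headers = [f"Via: SIP/2.0/UDP {ip}:{sip_port};branch=z9hG4bK776",
               "From: <sip:alice@example.net>;tag=1928",
               "To: <sip:bob@example.net>",
               f"Contact: <sip:alice@{ip}:{sip_port}>",
               "Content-Type: application/sdp"]
    return build_message("INVITE sip:bob@example.net SIP/2.0", headers, sdp)


INSIDE_IP, OUTSIDE_IP = "192.168.1.20", "203.0.113.5"   # constructed
PORT_MAP = {5060: 40123, 16384: 50000}                   # inside port -> NAT-allocated port
NAIVE_INVITE = make_invite(INSIDE_IP, 5060, 16384)       # phone unaware of the NAT
STUN_INVITE = make_invite(OUTSIDE_IP, 40123, 50000)      # phone that already knows its mapping

if __name__ == "__main__":
    print("naive phone needs ALG:", needs_alg(NAIVE_INVITE))
    print("STUN-aware phone needs ALG:", needs_alg(STUN_INVITE))
    print(alg_rewrite(NAIVE_INVITE, INSIDE_IP, OUTSIDE_IP, PORT_MAP))
```

Run it and the rewritten naive INVITE comes out byte-for-byte identical to the one the STUN-aware phone sends on its own; that is the whole job of the ALG, and also why it is redundant (or harmful, if it rewrites something the endpoint already fixed) once the endpoints handle NAT themselves.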

How to disable per VDOM (the transcript is from a VDOM-enabled unit; `c v` is the abbreviated `config vdom`, and on a unit without VDOMs you start directly at `config voip profile`)

FGT-FW1# c v

FGT-FW1(vdom) # edit TEST
current vf=TEST:5

FGT-FW1(TEST) # config voip profile

FGT-FW1(profile) # edit default

FGT-FW1(default) # config sip

FGT-FW1(sip) # show

FGT-FW1(sip) # set status disable

FGT-FW1(sip) # end

FGT-FW1(default) # next

FGT-FW1(profile) # show
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set status disable
        end
    next
    
end

FGT-FW1(profile) # end

FGT-FW1(TEST) # config system settings

FGT-FW1(settings) # set default-voip-alg-mode kernel-helper-based

FGT-FW1(settings) # set sip-nat-trace disable

FGT-FW1(settings) # set sip-helper disable

FGT-FW1(settings) # end

FGT-FW1(TEST) #

So four settings in total: three under config system settings (default-voip-alg-mode, sip-helper, sip-nat-trace) and one in the default VoIP profile (sip status disable). When verifying, remember that `show` only prints values that differ from the defaults, so use `show full-configuration` to see all four, and that the change applies to new sessions only: SIP sessions that already exist keep going through the helper until they expire or you clear them.
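Checking this by eye across several VDOMs or several firewalls gets old, so here is an added example (not from the original post or from Fortinet) that parses the FortiOS config syntax (`config` / `edit` / `set` / `next` / `end`) from a saved backup or `show full-configuration` output and reports, per VDOM, which of the four settings above are not in place. The sample configuration is constructed: VDOM TEST matches the transcript above, VDOM root is left at the defaults so it produces findings.

```python
"""Audit a FortiGate config dump for the four SIP ALG settings, per VDOM.
Added example; the sample config below is constructed, not a real backup."""
import shlex

# (path of nested config/edit blocks, setting, required value)
REQUIRED = [
    (("system settings",), "default-voip-alg-mode", "kernel-helper-based"),
    (("system settings",), "sip-helper", "disable"),
    (("system settings",), "sip-nat-trace", "disable"),
    (("voip profile", "default", "sip"), "status", "disable"),
]


def parse_fortios(text):
    """Turn FortiOS CLI config syntax into nested dicts: 'config a b' and
    'edit name' open a block, 'set' stores a value, 'next'/'end' close."""
    root = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw, node = parts[0], stack[-1][1]
        if kw == "config":
            stack.append(("config", node.setdefault(" ".join(parts[1:]), {})))
        elif kw == "edit":
            stack.append(("edit", node.setdefault(parts[1], {})))
        elif kw == "set":
            node[parts[1]] = " ".join(parts[2:])
        elif kw == "unset":
            node.pop(parts[1], None)
        elif kw == "next":
            if stack[-1][0] == "edit":
                stack.pop()
        elif kw == "end":
            # 'end' closes the enclosing config block, and any edit still open inside it
            while len(stack) > 1:
                if stack.pop()[0] == "config":
                    break
    return root


def _lookup(node, path):
    for key in path:
        node = node.get(key)
        if node is None:
            return None
    return node


def audit_sip_alg(config):
    """Return {vdom: [findings]}; an empty list means all four settings are set.
    A value that is absent counts as not set, which is why the input should be
    'show full-configuration' (plain 'show' omits default values)."""
    vdoms = config.get("vdom") or {"(no vdoms)": config}
    report = {}
    for name, tree in vdoms.items():
        findings = []
        for path, key, want in REQUIRED:
            block = _lookup(tree, path)
            got = block.get(key) if block else None
            if got != want:
                findings.append(f"{' '.join(path)}: {key} is {got!r}, expected {want!r}")
        report[name] = findings
    return report


# Constructed sample: TEST is hardened as in the transcript, root is at defaults.
SAMPLE_CONFIG = """\
config vdom
    edit "TEST"
        config system settings
            set default-voip-alg-mode kernel-helper-based
            set sip-helper disable
            set sip-nat-trace disable
        end
        config voip profile
            edit "default"
                set comment "Default VoIP profile."
                config sip
                    set status disable
                end
            next
        end
    next
    edit "root"
        config system settings
            set default-voip-alg-mode proxy-based
            set sip-helper enable
            set sip-nat-trace enable
        end
        config voip profile
            edit "default"
                config sip
                    set status enable
                end
            next
        end
    next
end
"""

if __name__ == "__main__":
    for vdom, findings in audit_sip_alg(parse_fortios(SAMPLE_CONFIG)).items():
        print(vdom, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Feed it the output of `show full-configuration` rather than `show`: the parser treats a missing setting as "not disabled", which is correct for sip-helper (its default is enable) but only if the dump actually contains the default values.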

Fortinet ALG and SIP