Not necessarily limited to Fortinet.
An ALG is an application layer gateway. These helpers are used where a protocol embeds information about the IP endpoints in the protocol data itself; SIP, for example, carries the endpoint IP address in its messages. This is fine unless the addresses in the packet headers are changed along the way, i.e. by NAT. This is why SIP traditionally didn’t work well with NAT.
What an ALG helper does is apply the NAT rule's changes to the data inside the protocol itself.
This is not always a good thing now.
So even after making sure you have rules and policies to allow the SIP traffic in and out, you may wish to disable the SIP ALG helper.
How to disable per VDOM
FGT-FW1# c v
FGT-FW1(vdom) # edit TEST
current vf=TEST:5
FGT-FW1(TEST) # config voip profile
FGT-FW1(profile) # edit default
FGT-FW1(default) # config sip
FGT-FW1(sip) # show
FGT-FW1(sip) # set status disable
FGT-FW1(sip) # end
FGT-FW1(default) # next
FGT-FW1(profile) # show
config voip profile
edit "default"
set comment "Default VoIP profile."
config sip
set status disable
end
next
end
FGT-FW1(profile) # end
FGT-FW1(TEST) # config system settings
FGT-FW1(settings) # set default-voip-alg-mode kernel-helper-based
FGT-FW1(settings) # set sip-nat-trace disable
FGT-FW1(settings) # set sip-helper disable
FGT-FW1(settings) # end
FGT-FW1(TEST) #
Basically, that is three things in the config system settings area and one in the default voip profile.
With newer FortiOS, “set sip-helper disable” is gone.
Instead, delete the session helper:
config system session-helper
(session-helper) # show | grep -f sip
config system session-helper
edit 13
set name sip <—
set protocol 17
set port 5060
next
end
(session-helper) # delete 13
NCHCRTR02 (session-helper) # end
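To confirm the change took effect in every VDOM, the Python sketch below (an added example, not part of the original post and not a Fortinet tool) parses configuration text in the "show" syntax seen above and reports, per VDOM, which of the settings from this page are not in the state the page sets. The function names, the "global" label and the sample configuration with its VOICE VDOM are assumptions made up for the example; a setting that does not appear in the text is reported as not set, and sip-helper is not checked because it is gone on newer FortiOS.

```python
SAMPLE = """config vdom
edit TEST
config system settings
set default-voip-alg-mode kernel-helper-based
set sip-nat-trace disable
end
config voip profile
edit "default"
config sip
set status disable
end
next
end
next
edit VOICE
config system session-helper
edit 13
set name sip
next
end
next
end"""  # constructed sample in "show" syntax; the VOICE VDOM is hypothetical
WANT = {"default-voip-alg-mode": "kernel-helper-based", "sip-nat-trace": "disable"}

def parse_fortios(text):  # config/edit open a nested dict, end/next close it
    stack = [{}]
    for line in text.splitlines():
        tok = [t.strip('"') for t in line.split()] or [""]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("end", "next") and len(stack) > 1:
            stack.pop()
        elif tok[0] == "set" and len(tok) > 2:
            stack[-1][tok[1]] = " ".join(tok[2:])
    return stack[0]

def audit_scope(scope):  # findings for one VDOM, using the settings this page changes
    settings = scope.get("system settings", {})
    out = [f"system settings: {k} is not {v}" for k, v in WANT.items() if settings.get(k) != v]
    for eid, helper in scope.get("system session-helper", {}).items():
        if helper.get("name") == "sip":  # the helper the page deletes
            out.append(f"session-helper {eid} (sip) still present")
    sip = scope.get("voip profile", {}).get("default", {}).get("sip", {})
    if sip.get("status") != "disable":
        out.append("voip profile default: sip status is not disable")
    return out

def audit_config(text):  # {vdom name: [findings]}; "global" when there are no VDOMs
    cfg = parse_fortios(text)
    return {name: audit_scope(s) for name, s in (cfg.get("vdom") or {"global": cfg}).items()}
```

Calling audit_config(SAMPLE) returns an empty list for TEST and four findings for VOICE; pass it the text of a saved configuration to check real VDOMs.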