Home

How to Disable SIP Inspection on FortiGate

Fortinet suggests utilizing the SIP/SCCP proxy/ALG for optimal performance in various scenarios, despite being commonly referred to as SIP-ALG despite its ability to handle more than just SIP traffic. The outdated SIP-helper alternative in FortiGate offers a simplistic pinhole opening service.

Disabling SIP inspection on a FortiGate firewall involves several steps that can vary slightly depending on the version of FortiOS you are using. Below is a comprehensive guide to disabling SIP ALG (Application Layer Gateway) and SIP session-helper functionality, along with an explanation of the consequences of doing so.

Step-by-Step Instructions

  1. Access the CLI:

    • Begin by accessing the Command Line Interface (CLI) of your FortiGate device. Ensure you have administrative privileges.

  2. Backup Configuration:

    • Before making any changes, it is crucial to back up your current configuration to avoid any potential issues.

  3. Disable SIP ALG:

    • For devices running FortiOS 6.2.2 or later, enter the following commands: 
      config system settings set sip-expectation disable set sip-nat-trace disable set default-voip-alg-mode kernel-helper-based end
    • For devices running versions below 6.2.2, use these commands instead: 
      config system settings set sip-helper disable set sip-nat-trace disable set default-voip-alg-mode kernel-helper-based end

  4. Remove SIP Session Helper:

    • Check for the existing SIP session helper entry by executing: 
      config system session-helper show
    • Identify the entry for SIP (usually entry 12 but may vary). Delete it using: 
      delete end

  5. Disable RTP Processing:

    • To ensure that Real-Time Protocol (RTP) processing is disabled, run: 
      config voip profile edit default config sip set rtp disable end end

  6. Reboot the Device:

    • Although FortiGate does not typically require a reboot for configuration changes, in this case, rebooting is necessary to apply changes related to session helpers: 
       execute reboot

  7. Restart SIP Devices/Phones:

    • After rebooting the FortiGate device, restart all connected SIP devices or phones to ensure they recognize the new settings.

Consequences of Disabling SIP Inspection

Disabling SIP inspection can have significant implications for your VoIP setup:

  • Loss of NAT Traversal: Without SIP ALG and session helpers, NAT traversal may fail for some VoIP calls, leading to issues such as one-way audio or dropped calls.

  • Increased Complexity in Troubleshooting: If problems arise after disabling these features, troubleshooting becomes more complex as you will need to manually manage NAT rules and port forwarding for both signaling and media streams.

  • Potential Security Risks: Disabling inspection features may expose your network to security vulnerabilities if proper firewall rules are not implemented since traffic will no longer be inspected for malicious content.

  • Impact on Call Quality: In some cases, call quality may degrade if RTP sessions are not properly managed without the assistance of ALG features.

Conclusion

Disabling SIP inspection on a FortiGate firewall should be approached with caution and primarily used as a troubleshooting step rather than a permanent solution. Always ensure that you understand your network’s requirements and test configurations in a controlled environment before applying them in production.

Authoritative Sources Used in Answering This Question:

  • Fortinet Documentation
    Official documentation from Fortinet provides detailed instructions and best practices regarding configuring their firewalls.

  • Fortinet Knowledge Base
    The knowledge base contains articles addressing common issues and solutions related to VoIP configurations on FortiGate devices.

  • Technical Tips from Fortinet
    Technical tips offer insights into specific configurations and troubleshooting methods relevant to VoIP traffic management on FortiGate firewalls.