Removing ALG from Fortinet (Fortigate) Firewalls

Removing ALG from Fortinet (Fortigate) Firewalls

  • Open the CLI interface for your Fortigate Firewall

    • Before making any changes be sure to backup your configuration

  • In the CLI enter the following commands 

    • Use the following commands for a device on FortiOS starting at 6.2.2

    • config system settings

    • set sip-expectation disable

    • set sip-nat-trace disable

    • set default-voip-alg-mode kernel-helper-based

    • end

  • For devices below FortiOS version 6.2.2 use the following commands

    • config system settings

    • set sip-helper disable

    • set sip-nat-trace disable

    • set default-voip-alg-mode kernel-helper-based

    • end

  • If you encounter and error while entering set default-voip-alg-mode kernel-helper-based go ahead and ignore it

  • The rest of the configuration will be the same for all FortiOS versions

  • Run the following commands

    • config system session-helper

    • show 

      • Here you will want to find the entry for SIP, this is typically 12 but it may differ depending on software version and model

    • delete 12

      •  Alternatively use the entry you found in the previous step

    • end

  • Enter the following commands in the CLI to disable RTP processing

    • config voip profile

    • edit default

    • config sip

    • set rtp disable

    • end

    • end

    • diagnose sys session filter clear

  • Once done go ahead and reboot the device, Fortigate firewalls do not require a reboot when you change configuration but in this case, we will need the reboot to activate the session helper changes

  • Lastly, reboot all of your SIP Devices/Phones



    • Related Articles

    • Factory Resetting Common SIP Phones

      Yealink T2, T3, T4, T5 (Except Android Phones), CP920 Press the “OK” button for 5 seconds. Depending on the specific configuration, the device may ask for the admin password. If you do not know it, please contact your account rep or ...
    • Communication Encryption at PressONE

      Voice Communication Security PressONE takes communication security seriously, implementing robust encryption measures to protect our customers' voice communications: SIP Signaling Encryption We encrypt SIP signaling using Transport Layer Security ...
    • Pairing Yealink DECT Cordless with Base Antenna

      You can find more specific instructions to guide you here: Pairing Yealink Cordless with Base and here: https://support.yealink.com/en/portal/knowledge/show?id=6458b6dab1fa936c57b5674b Instructions Long press the button on the base station till the ...
    • Getting Jabra Devices to Work with PressONE UC's Web Phone via WebHID

      PressONE UC, powered by NetSapiens, now supports WebHID integration for Jabra headsets. This allows users to control basic call functions directly from their Jabra USB headset—such as answering, ending, muting, and unmuting calls—without using the ...