SIP FORTIGATE TROUBLESHOOTING

Disable SIP ALG on FortiGate: Exact Steps

SIPNEX ·

Disabling SIP ALG on a FortiGate means turning off two separate mechanisms, both from the CLI: delete the SIP session helper under config system session-helper, then set default-voip-alg-mode kernel-helper-based and disable sip-expectation under config system settings. Miss either one and the firewall keeps rewriting your SIP traffic.

FortiGate is different from consumer gear here. Fortinet’s proxy-based SIP ALG is a deliberate, carrier-grade implementation, on by default, and Fortinet frames disabling it as a troubleshooting step. The practical rule: if your trunk provider already handles NAT traversal on its side, the firewall’s SIP rewriting is redundant — and redundant rewriting is where one-way audio and 30-second drops come from.

FortiGate has two SIP mechanisms, not one

This is the mistake that wastes hours: admins disable one mechanism, symptoms persist, and they conclude the ALG was not the problem. FortiGate can process SIP through the proxy-based ALG (the default) and through the kernel SIP session helper. Both can rewrite SIP. You need to deal with both.

To check the current mode first, run config system settings then show full and look at default-voip-alg-mode.

Step 1: delete the SIP session helper

config system session-helper
show
delete <entry-number>
end

Run show and find the entry with name sip, protocol 17, port 5060. The entry number varies by model and FortiOS version — often 12 or 13, but never assume; read your own show output and delete the number your unit reports.

Step 2: switch the ALG mode, then clear sessions

On FortiOS 6.2.2 and later:

config system settings
set default-voip-alg-mode kernel-helper-based
set sip-expectation disable
set sip-nat-trace disable
end

Pre-6.2.2 firmware uses set sip-helper disable in place of sip-expectation. Optionally, you can also stop RTP processing in the VoIP profile: config voip profileedit defaultconfig sipset rtp disableendend.

Do not stop here: these changes only affect new sessions, and existing SIP sessions keep their old handling. Clear them (diagnose sys session filter dport 5060, then diagnose sys session clear) or, cleanest, reboot the unit; Fortinet’s community guidance recommends a reboot to fully activate session-helper removal.

To verify the finished state: config system session-helpershow should no longer list a sip entry, and show full under system settings should report kernel-helper-based with sip-expectation disable. Then re-register your phones and place a test call through the exact path that was failing.

When disabling doesn’t fix the calls

If the symptoms outlive both mechanisms, stop toggling the firewall. Our pillar on SIP ALG and why providers say to disable it maps each symptom — one-way audio, the ~32-second drop, registration flapping — to its actual cause. Then audit the trunk itself with the SIP trunk configuration guide.

Frequently asked questions

Do the disable commands differ between FortiOS versions?

Yes. On FortiOS 6.2.2 and later, use set sip-expectation disable under config system settings; older firmware takes set sip-helper disable instead. The session-helper entry number also varies by model and version. If the CLI rejects a command from a guide, check your FortiOS version before concluding the ALG is already off.

What number is the SIP session helper on FortiGate?

It varies by model and FortiOS version — often entry 12 or 13, but there is no universal answer. Run show under config system session-helper and find the entry with name sip, protocol 17, port 5060 on your own unit. Deleting a hardcoded number from a guide risks removing the wrong helper.

Do I have to reboot a FortiGate after disabling SIP ALG?

The changes apply to new sessions only, so at minimum clear existing SIP sessions with diagnose sys session filter dport 5060 followed by diagnose sys session clear. Fortinet community guidance recommends a reboot as the cleanest way to fully activate session-helper removal, so schedule one if you can.


SIPNEX is an FCC-licensed carrier and our SIP trunks are designed to run behind enterprise firewalls without SIP inspection in the path. If your FortiGate site still fights you after these steps, bring us the capture — or start with our rates if the trunk itself is what you are re-evaluating.

SIPNEX

The carrier built by operators, for operators.

FCC-licensed carrier with its own STIR/SHAKEN SP certificate. Operator-owned. SIP trunks built for operators who dial at volume.