This article describes how to disable SIP-inspection on FortiGate and explains the consequences.

Fortinet recommends the use of SIP/SCCP proxy/ALG (called SIP-ALG even though it does not handle only SIP traffic) in most situations. The alternative in FortiGate, SIP-helper, is obsolete and provides a very basic pinhole opening service. In some cases, other vendors recommend disabling the SIP inspection altogether on the FortiGate (carefully note the date and FortiGate model of the articles, which may be outdated).

NOTE: disabling the VoIP inspection may influence the production systems. Re-enabling SIP-ALG will require a restart.

DISABLING SIP-ALG IS NOT THE FIRST TROUBLESHOOTING ACTION TO TAKE!

Use of an Application Layer Gateway (ALG) allows for:

1) Modification of IP addresses in the application payload when NAT is used.
2) Dynamic opening of data ports ('pinholes') as required to allow audio traffic. Otherwise, SIP-helper can open these ports with very basic Layer4 logic. Otherwise, firewall policies must be used to statically open a wide range of ports for RTP/audio (through a VIP).
3) Inspection and logging of VoIP traffic.

For more details on the benefits of the SIP ALG in FortiOS, as well as information on how to troubleshoot SIP issues, consult the VoIP Solutions of the FortiOS handbook. This is available in the Fortinet Document Library.

This article explains how to disable the use of SIP or SCCP proxy/ALG and/or session-helper. When in this mode, FortiGate acts as a basic firewall.

Possible reasons to disable VoIP inspection include:

1) Troubleshooting (to isolate a problem).
2) As a workaround, either to address incorrect FortiGate SIP ALG behavior or to allow non-standard SIP handling in the overall VoIP deployment.