Firewalls
Disabling SIP ALG on a Fortigate Firewall
The VoIP Help Page Team·2 min read·Last updated: March 14, 2026
This article provides instructions on how to disable SIP ALG (Application Layer Gateway) on a Fortigate Firewall, which is often necessary for proper VoIP functionality.
Scope:
The following article will show you how to disable the SIP ALG setting on a Fortigate Firewall.
Requirements:
CLI access to the Fortigate Firewall
Disabling SIP ALG
- 1Open the CLI interface for your Fortigate Firewall.
- 2Before making any changes, be sure to back up your configuration.
- 3In the CLI, enter the following commands:
- 1Use the following commands for a device on FortiOS starting at 6.2.2:
config system settings set sip-expectation disable set sip-nat-trace disable set default-voip-alg-mode kernel-helper-based end - 2For devices below FortiOS version 6.2.2, use the following commands:
config system settings set sip-helper disable set sip-nat-trace disable set default-voip-alg-mode kernel-helper-based end - 3If you encounter an error while entering
set default-voip-alg-mode kernel-helper-based, go ahead and ignore it. - 4The rest of the configuration will be the same for all FortiOS versions.
- 5Run the following commands:
Here you will want to find the entry for SIP, this is typically 12 but it may differ depending on software version and model.config system session-helper show
Alternatively, use the entry you found in the previous step.delete 12end
- 1
- 4Enter the following commands in the CLI to disable RTP processing:
config voip profile edit default config sip set rtp disable end end - 5Once done, go ahead and reboot the device. Fortigate firewalls do not typically require a reboot when you change configuration, but in this case, a reboot is needed to activate the session helper changes.
- 6Lastly, reboot all of your SIP Devices/Phones.
Related Articles
Was this article helpful?