Fortigate SIP ALG Disable steps 5.2 firmware and above

Discussion in '3CX Phone System - General' started by AverageAs, Feb 19, 2017.

Thread Status:
Not open for further replies.
  1. AverageAs

    Joined:
    Dec 6, 2016
    Messages:
    5
    Likes Received:
    7
    Hi All.

We work a lot with Fortigate firewalls, so I thought I would share how to disable SIP ALG on firmware 5.2 and above. (I have recently done this for a few sites; the steps are slightly different from what is on the 3CX website.)

The below will apply to firmware revisions 5.2 and 5.4.

    Step 1) Removing the session helper.

    Run the following commands:
    config system session-helper
    show

    Amongst the displayed settings will be one similar to the following example:
    edit 13
    set name sip
    set protocol 17
    set port 5060

    In this example the next commands would be:
    delete 13
    end


    Step 2) Change the default-voip-alg-mode.

    Run the following commands:
    config system settings
    set default-voip-alg-mode kernel-helper-based
    end

    (Version 5.2 and above for this part)
    config voip profile
    edit default
    config sip
    set status disable
    end
    end


    Step 3) Either clear sessions or reboot to make sure the changes take effect.

    a) To clear sessions

    Ideally you would only delete sessions related to VoIP traffic. However, in the case of SIP, this means not only deleting the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. If you know the port-range used for the audio traffic, you can be selective with your session clear by first applying a filter.

    See the related article "Troubleshooting Tip : FortiGate Firewall session list information".

    Here is an example based on IP address as a filter.

    FG100E_000000000 # diagnose sys session
    sync List session sync.
    list List session.
    clear Clear the sessions defined by filter.
    stat Stat session.
    full-stat Fully stat session.
    exp-stat Expectation session statistics.
    ttl TTL session.
    filter List session with filters.
    help Session help.

    FG100E_000000000 # diagnose sys session filter
    vd Index of virtual domain. -1 matches all.
    sintf Source interface.
    dintf Destination interface.
    src Source IP address.
    nsrc NAT'd source ip address
    dst Destination IP address.
    proto Protocol number.
    sport Source port.
    nport NAT'd source port
    dport Destination port.
    policy Policy ID.
    expire expire
    duration duration
    proto-state Protocol state.
    session-state1 Session state1.
    session-state2 Session state2.
    clear Clear session filter.
    negate Inverse filter.

    FG100E_000000000 # diagnose sys session filter src
    <xxx.xxx.xxx.xxx> Source IP (from).

    FG100E_000000000 # diagnose sys session filter src 192.168.11.15

    FG100E_000000000 # diagnose sys session list

    session info: proto=6 proto_state=01 duration=2 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
    state=local may_dirty
    statistic(bytes/packets/allow_err): org=3964/9/1 reply=3739/8/1 tuples=2
    tx speed(Bps/kbps): 1972/15 rx speed(Bps/kbps): 1860/14
    orgin->sink: org pre->in, reply out->post dev=3->28/28->3 gwy=192.168.11.5/0.0.0.0
    hook=pre dir=org act=noop 192.168.11.15:59274->192.168.11.5:443(0.0.0.0:0)
    hook=post dir=reply act=noop 192.168.11.5:443->192.168.11.15:59274(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=0
    serial=000002ce tos=ff/ff app_list=0 app=0 url_cat=0
    dd_type=0 dd_mode=0
    npu_state=00000000
    no_ofld_reason: local
    total session 1

    FG100E_000000000 # diagnose sys session clear

    FG100E_000000000 # diagnose sys session list
    total session 0

    FG100E_000000000 # diagnose sys session filter clear (Clears the filter for the sessions)

    FG100E_000000000 #

    The above example will clear the sessions based on the filter.


    If you had a filter in place make sure to clear the filter first.
    FG100E_000000000 # diagnose sys session filter clear

    If you wish to clear all active sessions on a FortiGate without a filter, the below command will reset all sessions. I have tested and confirmed that it will.
    FG100E_000000000 # diagnose system session clear


    b) Alternatively, reboot the FortiGate using either GUI or CLI. The CLI command is:
    execute reboot

    Sources for this are
    http://kb.fortinet.com/kb/documentLink.do?externalID=FD36405
    http://kb.fortinet.com/kb/documentLink.do?externalID=FD33271
    https://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/

     
    #1 AverageAs, Feb 19, 2017
    Last edited: Jun 21, 2017
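The sip session helper does not always sit at index 13; the post's `edit 13` is only the example from one box, and on another device or firmware build the number differs, which is why the post says to run `show` first. The Python script below is an added example, not code from the post or from Fortinet: it parses the output of `show` under `config system session-helper`, locates the sip entry by name rather than by index, and emits the CLI sequence from steps 1 and 2 with the real `delete N` filled in. The `show` output it works on is a constructed sample shaped like the stanza quoted in the post (entry names, indices and the `edit`/`set`/`next` layout are assumptions about the device output, not captured from a live unit). A second function can be fed the `show` output taken after the change to confirm no sip helper remains.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `config system session-helper` -> `show` output.
# It mirrors the shape quoted in the post (sip at index 13); a real unit
# lists more helpers and the sip index can differ.
SAMPLE_SHOW_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 12
        set name tftp
        set protocol 17
        set port 69
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
end
"""


@dataclass(frozen=True)
class SessionHelper:
    index: int
    name: str
    protocol: int
    port: int


def parse_session_helpers(show_output: str) -> List[SessionHelper]:
    """Turn each `edit N ... next` stanza of the show output into a SessionHelper."""
    helpers: List[SessionHelper] = []
    current: Optional[Dict[str, str]] = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit\s+(\d+)", line)
        if m:
            current = {"index": m.group(1)}
            continue
        m = re.fullmatch(r"set\s+(name|protocol|port)\s+(\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        if line in ("next", "end") and current is not None:
            # Only keep complete stanzas; a helper without all three fields is ignored.
            if all(k in current for k in ("name", "protocol", "port")):
                helpers.append(SessionHelper(int(current["index"]), current["name"],
                                             int(current["protocol"]), int(current["port"])))
            current = None
    return helpers


def find_sip_helpers(helpers: List[SessionHelper]) -> List[SessionHelper]:
    """Match the sip helper by name, not by the index the post happens to show."""
    return [h for h in helpers if h.name.lower() == "sip"]


def build_cli_script(helpers: List[SessionHelper]) -> str:
    """Emit the CLI for steps 1 and 2 of the post, with the detected helper index."""
    lines: List[str] = []
    sip = find_sip_helpers(helpers)
    if sip:  # step 1: remove the session helper (skipped if none is present)
        lines.append("config system session-helper")
        lines += [f"    delete {h.index}" for h in sip]
        lines.append("end")
    # step 2: exactly the command sequence given in the post
    lines += [
        "config system settings",
        "    set default-voip-alg-mode kernel-helper-based",
        "end",
        "config voip profile",
        "    edit default",
        "        config sip",
        "            set status disable",
        "        end",
        "    end",
    ]
    return "\n".join(lines)


def sip_helper_removed(show_output: str) -> bool:
    """Feed in the `show` output taken after the change: True if no sip helper is left."""
    return not find_sip_helpers(parse_session_helpers(show_output))


if __name__ == "__main__":
    print(build_cli_script(parse_session_helpers(SAMPLE_SHOW_OUTPUT)))
```

Paste the real `show` output into `SAMPLE_SHOW_OUTPUT` (or read it from a file) and the script prints a block you can paste back into the FortiGate CLI; step 3 (clearing sessions or rebooting) is deliberately left to you, since clearing all sessions is disruptive.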
  2. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    6,016
    Likes Received:
    421
    Thank you for sharing
     
  3. blinton

    Joined:
    Dec 12, 2014
    Messages:
    2
    Likes Received:
    1
    You have a few errors. In step 2) you have
    set default-voip-alg-mode kernel-helper based

    This should be set default-voip-alg-mode kernel-helper-based
    You also have set status enable/disable, and I think what you want is set status disable.

    In Step 3) the command diagnose system session clear doesn't work.
     
    CentrexJ likes this.
  4. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88
    Hey guys,

    Would you like to work with me on a comprehensive guide for Fortigate, as we have for other vendors?

    Fortigate is the number one firewall which, due to SIP ALG, causes many users issues with their setup. I am not saying that it is the firewall's fault or that the implementation is wrong, but it is very hard to stop the ALG in the device.
     
  5. CentrexJ

    CentrexJ Member

    Joined:
    May 5, 2009
    Messages:
    432
    Likes Received:
    67
    I can confirm that following the instructions above works and the 3CX firewall checker passes nicely. An official document would be greatly appreciated.

    The main thing missing from the 3CX documentation is the line: set default-voip-alg-mode kernel-helper-based. Without that line I get a full cone NAT failure on 5060.

    Fortinet 30E with 5.4.4 firmware, 3CX v15.5 Windows.
     
  6. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,216
    Likes Received:
    88
    We had reached out to Fortigate in the past to do an official IOT and guide, but all attempts ended in no communication... So we must build it from the community.

    I have added it into the main guide we have; hope it helps others!
     
    CentrexJ likes this.
  7. AverageAs

    Joined:
    Dec 6, 2016
    Messages:
    5
    Likes Received:
    7
    Ta, I have updated the early errors and will confirm the clear command on the firewall I am working on at the moment.
     