Grandstream and Fortinet VoIP Troubleshooting

Resolve common VoIP issues when using Grandstream phones with Fortinet firewalls.

Common Issues

When using Grandstream VoIP phones behind Fortinet (FortiGate) firewalls, the symptoms are usually one-way audio, no audio at all, or SIP signaling that fails (registrations or calls that do not complete). Each of these traces back to one of the root causes below.

Root Causes

These issues are typically caused by one or more of the following:

SIP ALG Interference

SIP ALG (Application Layer Gateway) rewrites the private IP addresses and ports that the phone places in its SIP headers (Via, Contact) and in the SDP body, so that the far end sees the firewall's public address instead. It was designed to help SIP traffic traverse NAT, but it often causes more problems than it solves: the rewrite is frequently wrong or incomplete, it alters messages that are already NAT-aware, and it conflicts with phones such as Grandstream models that handle NAT traversal on their own (STUN, keepalives). The result is registrations that flap and calls that set up but carry one-way or no audio.

Firewall Dropping RTP Packets

RTP (Real-time Transport Protocol) carries the actual audio of a call, as UDP streams on ports that the two ends negotiate per call in the SDP body of the SIP INVITE and its answer. Signaling on 5060 can therefore succeed while the audio still fails: if the firewall policy does not allow the RTP port range that your PBX or provider actually uses, the call connects but no audio passes.

NAT Issues

NAT has to map the phone's private address and port to a public one consistently, for the SIP session and for the RTP streams it negotiates. If the public address or port changes between packets, or the mapping expires before the provider sends media back, the firewall delivers RTP to the wrong host or drops it, which shows up as one-way or no audio.

IPS/Security Profile Blocking

Intrusion Prevention System (IPS) and other security profiles (Application Control, antivirus, and flow-based inspection in general) may flag legitimate VoIP signaling or media as suspicious and block or reset it; even inspection that does not block can add latency to real-time audio.

Solutions

Fix 1: Disable SIP ALG

This is the most common fix. SIP ALG and the SIP session helper should both be disabled on a FortiGate when the phones or the PBX handle NAT traversal themselves, which modern Grandstream phones do.

Via GUI (FortiOS 6.x/7.x)

FortiOS does not expose the SIP session helper or the SIP ALG as a checkbox under System > Settings; those switches are CLI-only (see the next section). What you can do in the GUI is make sure no VoIP profile is explicitly attached to the policy that carries the phones' traffic:

  1. Log in to the FortiGate web interface
  2. Navigate to System > Feature Visibility and enable VoIP, so that VoIP profiles become visible in the GUI
  3. Navigate to Policy & Objects > Firewall Policy and open the policy used by the phones
  4. Make sure no VoIP profile (and no other security profile) is selected
  5. Click OK, then complete the CLI steps below

Via CLI

Connect to the FortiGate CLI and run the following commands (if VDOMs are enabled, run the system settings commands inside the VDOM that carries the phone traffic):

config system settings
  set sip-helper disable
  set sip-nat-trace disable
  set sip-tcp-port 0
  set sip-udp-port 0
end

Additionally, delete the SIP session helper, which is what the kernel uses to inspect and rewrite SIP on UDP 5060 even with the ALG switched off:

config system session-helper
  delete 13
end

Note: The session helper index (13) is only the usual position of the SIP entry and may vary between firmware versions and configurations. Run show system session-helper first, find the entry with set name sip (protocol 17, port 5060) and delete that index. The change applies to new sessions, so re-register the phones afterwards.
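Because the index varies, it is safer to read it from the firewall than to assume 13. The following Python script is an added example, not part of this article or of Fortinet's tooling: it parses the output of show system session-helper (pasted from the CLI; the sample below is constructed, with the SIP entry deliberately at index 12) and renders the complete disable script for that firewall. The sip-helper and sip-nat-trace lines are the ones from this article; the default-voip-alg-mode line and the VoIP profile block follow Fortinet's documented procedure for switching the VoIP ALG off and should be checked against the release notes of your FortiOS version.

```python
import re

# Constructed sample of "show system session-helper" output, in the form FortiOS
# prints it (edit <index> / set name / set protocol / set port / next).
# The SIP entry is deliberately at index 12 rather than the usual 13.
SAMPLE_SESSION_HELPER_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 12
        set name sip
        set protocol 17
        set port 5060
    next
    edit 13
        set name dns-udp
        set protocol 17
        set port 53
    next
end
"""

# One helper entry; \s+ also spans the newlines between the set lines.
ENTRY_RE = re.compile(
    r"edit\s+(?P<idx>\d+)\s+"
    r"set name\s+(?P<name>\S+)\s+"
    r"set protocol\s+(?P<proto>\d+)\s+"
    r"set port\s+(?P<port>\d+)\s+"
    r"next"
)


def parse_session_helpers(text):
    """Return (index, name, protocol, port) for every helper entry in the output."""
    return [(int(m["idx"]), m["name"], int(m["proto"]), int(m["port"]))
            for m in ENTRY_RE.finditer(text)]


def sip_helper_indexes(text):
    """Indexes of every entry named 'sip' (normally exactly one, on UDP 5060)."""
    return [idx for idx, name, _proto, _port in parse_session_helpers(text)
            if name == "sip"]


def render_disable_sip_alg(text):
    """Build the CLI script for this firewall from the parsed helper list.

    Lines for 'config system settings' come from the article; the
    default-voip-alg-mode line and the VoIP profile block are Fortinet's
    documented way of turning the proxy-based ALG off (assumption: verify
    against your FortiOS version)."""
    lines = []
    sip_idx = sip_helper_indexes(text)
    if sip_idx:  # no SIP helper present: nothing to delete
        lines.append("config system session-helper")
        lines += [f"    delete {idx}" for idx in sip_idx]
        lines.append("end")
    lines += [
        "config system settings",
        "    set sip-helper disable",
        "    set sip-nat-trace disable",
        "    set default-voip-alg-mode kernel-helper-based",
        "end",
        "config voip profile",
        "    edit default",
        "        config sip",
        "            set status disable",
        "        end",
        "    next",
        "end",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_disable_sip_alg(SAMPLE_SESSION_HELPER_OUTPUT))
```

Paste the real show output into a file, read it into the script, and review the rendered commands before running them on the firewall; if no sip entry is found, the session-helper block is omitted rather than guessing an index.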

Fix 2: Create Firewall Policies for VoIP Traffic

Ensure your firewall allows both SIP signaling and RTP media traffic.

Required Ports

  SIP signaling: UDP 5060, from the phones to your PBX or provider
  RTP media: UDP 20000-27999 in this example; use the range your PBX or provider documents

Creating Custom Services

In the FortiGate GUI:

  1. Navigate to Policy & Objects > Services
  2. Create a new service called SIP-Custom with protocol UDP, destination port 5060
  3. Create a new service called RTP-Media with protocol UDP, destination ports 20000-27999 (adjust this range to what your PBX or provider actually uses; if it is wrong, signaling works but audio does not)

Creating Firewall Policy

  1. Navigate to Policy & Objects > Firewall Policy
  2. Create a new policy from your internal VoIP VLAN to WAN, with the phone subnet as source and, where known, your provider's addresses as destination
  3. Include the SIP-Custom and RTP-Media services
  4. Enable the policy and place it above any broader policy that would otherwise match the same traffic with security profiles attached
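When the policy is in place and audio still fails, the quickest way to tell an ALG problem (Root Cause 1) from a port-range problem (Root Cause 2) is to look at the SIP messages themselves. The following Python script is an added example, not code from this article, Grandstream or Fortinet: it parses constructed SIP messages (a REGISTER before and after an ALG rewrite, and an INVITE whose SDP offers audio on UDP 5004, outside the 20000-27999 range opened above), reports whether the Via and Contact headers still carry the phone's own address, and checks whether the offered RTP port falls inside the firewall's RTP-Media range. The phone address 192.168.10.20, public address 203.0.113.5 and domain sip.example.net are placeholders.

```python
import re

# Constructed SIP messages for this example. The phone sits at 192.168.10.20
# behind the FortiGate, whose public address is 203.0.113.5 (documentation ranges).
PHONE_IP = "192.168.10.20"

# REGISTER as the phone sends it: its own private address in Via and Contact.
REGISTER_AS_SENT = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK-1;rport\r\n"
    "From: <sip:1001@sip.example.net>;tag=a1\r\n"
    "To: <sip:1001@sip.example.net>\r\n"
    "Contact: <sip:1001@192.168.10.20:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# The same REGISTER after a SIP ALG rewrote the private address to the public one.
REGISTER_AFTER_ALG = REGISTER_AS_SENT.replace(PHONE_IP, "203.0.113.5")

# INVITE whose SDP offers audio on UDP 5004, outside the 20000-27999 range
# that the RTP-Media service in Fix 2 opens.
INVITE_WITH_SDP = (
    "INVITE sip:2002@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK-2;rport\r\n"
    "Contact: <sip:1001@192.168.10.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.10.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.10.20\r\n"
    "t=0 0\r\n"
    "m=audio 5004 RTP/AVP 0 8\r\n"
)

RTP_RANGE = (20000, 27999)   # the RTP-Media service from Fix 2
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def split_message(msg):
    """Split a SIP message into {header-name-lowercase: [values]} and its body."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def signaling_addresses(headers):
    """IPv4 addresses carried in the Via and Contact headers."""
    found = []
    for name in ("via", "contact"):
        for value in headers.get(name, []):
            found += IPV4_RE.findall(value)
    return found


def alg_rewrote_message(msg, phone_ip):
    """True when Via/Contact no longer carry the phone's own address, i.e. an ALG
    (or something else in the path) rewrote the signaling on the way out."""
    addrs = signaling_addresses(split_message(msg)[0])
    return bool(addrs) and phone_ip not in addrs


def sdp_media(msg):
    """(connection address, audio port) from the SDP body, or None without SDP."""
    _, body = split_message(msg)
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    audio = re.search(r"^m=audio (\d+) ", body, re.M)
    if not (conn and audio):
        return None
    return conn.group(1), int(audio.group(1))


def rtp_port_allowed(msg, rtp_range=RTP_RANGE):
    """Does the offered RTP port fall inside the range the firewall policy opens?
    Returns None for messages that carry no SDP."""
    media = sdp_media(msg)
    if media is None:
        return None
    low, high = rtp_range
    return low <= media[1] <= high
```

Feed it real messages captured on the WAN side (for example from a packet capture on the FortiGate or at the provider's end): if the phone's private address has been replaced in Via or Contact, something is still rewriting SIP and Fix 1 is incomplete; if the m=audio port lies outside the RTP-Media range, the phone's local RTP port setting and the firewall service disagree.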

Fix 3: Disable Security Profiles for VoIP Traffic

IPS, Application Control, and other security profiles can interfere with VoIP. For the VoIP firewall policy, do not attach an IPS sensor, an Application Control sensor, a VoIP profile or any other security profile; keep that policy as plain as possible and limit its exposure by scoping it to the phone subnet and the provider's addresses instead.

If you must keep IPS on that policy, use a dedicated IPS sensor in which the signatures that fire on your provider's traffic are set to monitor or pass, or add the provider's addresses as an exemption for those signatures. Writing custom signatures does not help here: a signature matches a pattern, it does not whitelist traffic.

Fix 4: Configure NAT Settings

If the phones are behind source NAT, make the translation predictable: use a dedicated IP pool so that SIP and RTP from the phones always leave from the same public address, and keep the source port unchanged (set fixedport enable on the same policy) if your provider expects registrations to arrive from port 5060. Replace [policy-id] and [your-ip-pool] with your own values:

config firewall policy
  edit [policy-id]
    set nat enable
    set ippool enable
    set poolname [your-ip-pool]
  next
end

Debug Commands

Use these commands to troubleshoot VoIP issues on FortiGate:

Check Session Helper Status

show system session-helper

Monitor SIP Traffic

diagnose sniffer packet any 'port 5060' 4
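Reading the sniffer output by eye is error-prone once several phones are registering at the same time. The following Python script is an added example, not part of this article or of FortiOS: it parses lines in the shape that diagnose sniffer packet prints at verbosity 4 (timestamp, interface, in/out, source.port -> destination.port: protocol length; this format is assumed, adjust the regular expression if your firmware prints it differently), pairs each packet entering on the LAN interface with the packet that leaves on the WAN to show the NAT translation, lists phones whose SIP went out but received no reply, and flags phones whose source port NAT rewrote. The sample lines, the interface names internal and wan1 and all addresses are constructed.

```python
import re

# Constructed lines in the shape of "diagnose sniffer packet any 'port 5060' 4"
# output. Assumed format: <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>
# Phone .20 registers and gets an answer; phone .21 registers, its source port is
# rewritten to 31212 by NAT, and nothing comes back to it.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[port 5060]
1.001234 internal in 192.168.10.20.5060 -> 198.51.100.10.5060: udp 612
1.001301 wan1 out 203.0.113.5.5060 -> 198.51.100.10.5060: udp 612
1.052210 wan1 in 198.51.100.10.5060 -> 203.0.113.5.5060: udp 488
1.052288 internal out 198.51.100.10.5060 -> 192.168.10.20.5060: udp 488
2.100000 internal in 192.168.10.21.5060 -> 198.51.100.10.5060: udp 600
2.100070 wan1 out 203.0.113.5.31212 -> 198.51.100.10.5060: udp 600
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<len>\d+)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; header lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "len"):
                d[key] = int(d[key])
            pkts.append(d)
    return pkts


def nat_translations(pkts, lan_intf="internal"):
    """Pair each packet entering on the LAN interface with the next packet that
    leaves on another interface towards the same destination with the same
    length, and record how source NAT rewrote the phone's address and port."""
    result = {}
    pending = None
    for p in pkts:
        if p["intf"] == lan_intf and p["dir"] == "in":
            pending = p
        elif (pending and p["dir"] == "out" and p["intf"] != lan_intf
              and p["dst"] == pending["dst"] and p["dport"] == pending["dport"]
              and p["len"] == pending["len"]):
            result[(pending["src"], pending["sport"])] = (p["src"], p["sport"])
            pending = None
    return result


def phones_without_reply(pkts, lan_intf="internal"):
    """Phones whose SIP left the LAN interface but never received a packet back
    on it: the provider did not answer, or the reply was dropped or misrouted."""
    sent = {p["src"] for p in pkts if p["intf"] == lan_intf and p["dir"] == "in"}
    answered = {p["dst"] for p in pkts if p["intf"] == lan_intf and p["dir"] == "out"}
    return sorted(sent - answered)


def source_port_changed(translations):
    """(phone, port) pairs whose source port NAT rewrote; the fixedport setting
    in Fix 4 keeps it unchanged when the provider requires that."""
    return sorted(src for src, (_pub_ip, pub_port) in translations.items()
                  if pub_port != src[1])


if __name__ == "__main__":
    packets = parse_sniffer(SAMPLE_SNIFFER_OUTPUT)
    print("NAT translations:", nat_translations(packets))
    print("no reply:", phones_without_reply(packets))
    print("source port rewritten:", source_port_changed(nat_translations(packets)))
```

Run the sniffer for a minute while a phone re-registers, paste the output into a file and pass it to parse_sniffer; a phone listed by phones_without_reply with a correct translation points at the provider side or at a return-path drop, while one with no translation at all never matched the VoIP policy.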

Check RTP Sessions

diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session filter dport 20000 27999
diagnose sys session list

Clear any filter left over from an earlier session first; the dport filter takes a minimum and a maximum port. In the listed sessions, the act=snat and act=dnat lines show the translation that the firewall applied to each RTP stream.

View Firewall Session Count

get system session status

Grandstream Phone Settings

In addition to firewall configuration, ensure your Grandstream phones are configured correctly:
