Disable SIP ALG on Fortinet FortiGate.

FortiGate has both a SIP session helper (kernel-level) and a SIP ALG profile (policy-level). Production SIP traffic needs both off. The CLI is faster than the GUI for this.

CLI — disable the SIP session helper

config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

config system session-helper
    show
    # Find the entry where name = sip; note its id (often 13)
    delete <id-of-sip-entry>
end

CLI — disable SIP inspection on the firewall policy

config voip profile
    edit "no-sip-alg"
        config sip
            set status disable
        end
    next
end

# Apply the profile to your VoIP firewall policy
config firewall policy
    edit <policy-id>
        set utm-status enable
        set voip-profile "no-sip-alg"
    next
end

GUI alternative

  1. Open Security Profiles → VoIP.
  2. Create a new profile named no-sip-alg; under SIP, set Status to disabled.
  3. Apply this profile to your egress firewall policy under Policy & Objects → Firewall Policy.

Raise UDP session timeout for SIP registration

FortiGate's default UDP session timeout is 180 seconds. SIP REGISTER intervals are typically 3600 seconds. The firewall closes the NAT mapping between registrations, so inbound calls fail silently until the next REGISTER refresh. Raise the per-service timeout for SIP traffic to at least 600 seconds; the example below uses 3600 seconds to match the REGISTER interval:

config firewall service custom
    edit "SIP-UDP"
        set udp-portrange 5060
        # session-ttl on a custom service overrides the global UDP timeout
        # for sessions that match this service
        set session-ttl 3600
    next
end

# Reference SIP-UDP from the policy that handles VoiceTel-bound traffic
config firewall policy
    edit <policy-id>
        append service "SIP-UDP"
    next
end

For RTP traffic specifically, the default timeout is usually fine (RTP packets every 20 ms keep the state refreshed during an active call). The problem is signalling between calls.

Verify

# Confirm the SIP helper is disabled
diagnose sys session list | grep -i sip
# Sessions on 5060 should no longer show a "helper=sip" line

# Confirm the new session-ttl is applied
diagnose sys session filter dport 5060
diagnose sys session list
# Look for "expire=" — it should count down from ~3600, not ~180

# Clear the filter when done; it persists for the rest of the CLI session
diagnose sys session filter clear

Place a test call and confirm two-way audio.
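The two checks in the Verify section can be run over saved `diagnose sys session list` output instead of by eye. The script below is an added example, not part of the original article or Fortinet's tooling; the session text it parses is constructed to mimic the real output format and is not captured from a device, and the line layout it expects (the `session info:` header, the `hook=post dir=org` line and a trailing `helper=` line) is assumed.

```python
import re

# Constructed sample of `diagnose sys session list` output (not from a real
# FortiGate): the first UDP/5060 session still has the SIP helper attached
# and the 180 s default timeout, the second has the 3600 s session-ttl.
SAMPLE_SESSION_LIST = """\
session info: proto=17 proto_state=00 duration=12 expire=168 timeout=180 flags=00000000
hook=post dir=org act=snat 192.168.10.20:5060->203.0.113.10:5060(198.51.100.2:5060)
hook=pre dir=reply act=dnat 203.0.113.10:5060->198.51.100.2:5060(192.168.10.20:5060)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
helper=sip

session info: proto=17 proto_state=00 duration=40 expire=3560 timeout=3600 flags=00000000
hook=post dir=org act=snat 192.168.10.21:5060->203.0.113.10:5060(198.51.100.2:5060)
hook=pre dir=reply act=dnat 203.0.113.10:5060->198.51.100.2:5060(192.168.10.21:5060)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
"""

def parse_sessions(text):
    """Split session list output into one dict per session entry."""
    sessions = []
    for block in re.split(r"\n(?=session info:)", text.strip()):
        s = {"proto": None, "expire": None, "timeout": None,
             "src": None, "dport": None, "helper": None}
        for line in block.splitlines():
            m = re.match(r"session info: proto=(\d+).*?expire=(\d+) timeout=(\d+)", line)
            if m:
                s["proto"], s["expire"], s["timeout"] = (int(g) for g in m.groups())
            m = re.match(r"hook=post dir=org act=\w+ ([\d.]+:\d+)->[\d.]+:(\d+)", line)
            if m:
                s["src"], s["dport"] = m.group(1), int(m.group(2))
            m = re.match(r"helper=(\w+)", line)
            if m:
                s["helper"] = m.group(1)
        sessions.append(s)
    return sessions

def check_sip_sessions(text, min_timeout=3600):
    """Return (source, issue) pairs for UDP/5060 sessions that still look wrong."""
    findings = []
    for s in parse_sessions(text):
        if s["proto"] != 17 or s["dport"] != 5060:   # only SIP signalling over UDP
            continue
        if s["helper"] == "sip":
            findings.append((s["src"], "helper=sip still attached"))
        if s["timeout"] is not None and s["timeout"] < min_timeout:
            findings.append((s["src"], f"timeout={s['timeout']} below {min_timeout}"))
    return findings

if __name__ == "__main__":
    for src, issue in check_sip_sessions(SAMPLE_SESSION_LIST):
        print(f"{src}: {issue}")
```

An empty result means every UDP/5060 session has no helper attached and carries the raised timeout; paste real output into `SAMPLE_SESSION_LIST` or read it from a file to check a live box.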