Recommended firewall settings for Winet

Required ports & settings for VoIP service (all firewall models)

For Winet SIP Trunk

Telephone system or telephone terminals in the customer's LAN:

SIP port 5060 UDP to the subnet 185.109.0.0/22 (255.255.252.0), incoming as well as outgoing
RTP ports 10'000 - 20'000 UDP to the subnet 185.109.0.0/22 (255.255.252.0), incoming as well as outgoing
UDP timeout min. 300s
Disable SIP-ALG

For Winet Ayrix & hostedPBX

SIP port 5060 UDP to the subnet 185.109.0.0/22 (255.255.252.0), incoming as well as outgoing
RTP ports 10000 - 20000 UDP to the subnet 185.109.0.0/22 (255.255.252.0), incoming as well as outgoing
CTI client port 5038 TCP to the subnet 185.109.0.0/22 (255.255.252.0), incoming as well as outgoing
UDP timeout min. 300s
Disable SIP-ALG
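As an added check (example code, not Winet's or any firewall vendor's), the following Python script compares a firewall rule export against the subnet, ports, UDP timeout and SIP-ALG requirements listed above for both services. The export format, the allow_rule helper and the sample rules are constructed for this example.

```python
import ipaddress

# Winet subnet from this page: 185.109.0.0/22 (255.255.252.0)
WINET_NET = ipaddress.ip_network("185.109.0.0/22")

# (protocol, first port, last port) required per service, in both directions
REQUIRED = {
    "sip_trunk": [("udp", 5060, 5060), ("udp", 10000, 20000)],
    "hostedpbx": [("udp", 5060, 5060), ("udp", 10000, 20000), ("tcp", 5038, 5038)],
}

def rule_covers(fw_rule, proto, lo, hi):
    """True if one allow rule covers the whole port range towards the Winet subnet."""
    if fw_rule["action"] != "allow" or fw_rule["proto"] != proto:
        return False
    # The rule's remote network must contain the entire /22; a narrower
    # remote (e.g. a single /24 of it) would leave part of Winet unreachable.
    if not WINET_NET.subnet_of(ipaddress.ip_network(fw_rule["remote"])):
        return False
    return fw_rule["port_lo"] <= lo and fw_rule["port_hi"] >= hi

def check_firewall(cfg, service):
    """Return findings; an empty list means the config meets the page's requirements."""
    findings = []
    for proto, lo, hi in REQUIRED[service]:
        for direction in ("in", "out"):
            rules = [r for r in cfg["rules"] if r["direction"] == direction]
            if not any(rule_covers(r, proto, lo, hi) for r in rules):
                findings.append(f"missing {direction}bound {proto} {lo}-{hi} to {WINET_NET}")
    if cfg["udp_timeout"] < 300:
        findings.append(f"UDP timeout {cfg['udp_timeout']}s is below 300s")
    if cfg["sip_alg"]:
        findings.append("SIP-ALG still enabled")
    return findings

def allow_rule(direction, proto, lo, hi, remote="185.109.0.0/22"):
    # helper for the constructed sample below (hypothetical export format)
    return {"action": "allow", "direction": direction, "proto": proto,
            "remote": remote, "port_lo": lo, "port_hi": hi}

# Constructed sample export: outbound RTP range stops short and SIP-ALG is on.
SAMPLE = {
    "udp_timeout": 300,
    "sip_alg": True,
    "rules": [allow_rule("in", "udp", 5060, 5060), allow_rule("out", "udp", 5060, 5060),
              allow_rule("in", "udp", 10000, 20000), allow_rule("out", "udp", 10000, 19999)],
}
```

Running check_firewall(SAMPLE, "sip_trunk") reports the short outbound RTP range and the enabled SIP-ALG; the hostedPBX profile additionally flags the missing TCP 5038 rules.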

Additional settings for individual firewall models

Here you can find screenshots and quick guides for the most common firewalls.

Fortigate (Fortinet)

We recommend following these instructions: http://kb.fortinet.com/kb/documentLink.do?externalID=FD33271

How to disable SIP-ALG (SIP Helper) on Fortinet

Open the FortiGate CLI from the dashboard and enter the following commands:

  config system settings
  set sip-helper disable
  set sip-nat-trace disable
  end

Then reboot the device.

Reopen the FortiGate CLI and enter the following commands (do not enter the text after //):

  config system session-helper
  show // find the entry for SIP, usually 12, but the number may vary
  delete 12 // or the number you identified with the previous command
  end

Create a rule and set it as shown in the picture above. Reboot the device and you should be ready.

Disable RTP processing as follows:

  config voip profile
  edit default
  config sip
  set rtp disable
  end
  next
  end

Depending on which ALG mode is configured as the default, SIP support can be turned off completely: the default VoIP ALG mode is first set to the kernel session helper, and the SIP session helper is then deleted.
With this, the Fortigate can no longer provide SIP support, because the session helper it is configured to use no longer exists.

Set the default VoIP ALG mode to the session helper (kernel-helper-based):

  config system settings
  set default-voip-alg-mode kernel-helper-based
  end

Delete the SIP session helper (as above):

  config system session-helper
  show
     ...
     edit 
         set name sip
         set protocol 17
         set port 5060
     next
    ...
  delete 
  end

A complete VoIP configuration guide for FortiOS 5.6 can be found in this document: https://docs.fortinet.com/uploaded/files/3611/fortigate-sip-56.pdf

pfSense

pfSense does not contain a SIP ALG by default.

Adjust the UDP session timeout:

SonicWall

SonicOS 6.5

SIP-ALG is called "SIP Transformations" on SonicWall. Please disable this setting:

Adjust the UDP session timeout (at least 300s):

SonicOS 5.9

SIP-ALG is called "SIP Transformations" on SonicWall. Please disable this setting:

Adjust the UDP session timeout (at least 300s):

Sophos

On the Sophos firewall, the UDP session timeout is changed on the console with the following command (set at least 300s):

console>setpacketfilter timeout ip_conntrack_udp_timeout 300

or

console>timeout setpacketfilter ip_conntrack_udp_timeout 300

Disable the SIP module (a.k.a. SIP ALG) as follows:

1. Log in to the CLI using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner of the Admin Console screen.

2. Choose option 4: Device console.

3. Execute the following command(s):

console> system system_modules sip unload

Zyxel USGxx

Adjust settings via GUI

Adjust the UDP session timeout (to at least 300s):

Disable SIP-ALG:

After this setting has been adjusted, a restart of the firewall is mandatory.

If one of these settings is not available, a firmware upgrade to the latest firmware must be made first.

Check and adjust UDP session timeout via Telnet

  1. Enable Telnet on the USG.
  2. Activate the Telnet client on the PC (Control Panel -> Programs & Features).
  3. Connect via Telnet (IP address of the ZyWALL, username: admin, password: as configured) and make the following settings:

    - configure terminal (switch to command mode)
    - show session timeout udp (check values; default values: Connect 9, Deliver 300 sec.)
    - session timeout udp-connect 300 (change the connect UDP timer)
    - session timeout udp-deliver 300 (change the deliver UDP timer if it is not 300 sec.)
    - show session timeout udp (check values; both must be 300 sec.)
    - exit (exit the command mode)
    - exit (terminate the telnet connection)

The following ZyWALL script also works:

  configure terminal
  session timeout udp-deliver 300
  session timeout udp-connect 300
  no alg sip transformation
  no alg sip inactivity-timeout
  no alg sip
  write
