Known Issues:

  1. SIP ALG is enabled by default, but it can be disabled.

  2. RTP processing causes call and fax audio issues. Therefore, that setting needs to be disabled.

  3. DNS relay/proxy is disabled by default, but it can be enabled. Verify that it is disabled; when it is enabled, Polycom phones (and only Polycom phones) experience intermittent DNS lookup timeouts.

  4. If the DHCP DNS servers are set to the same addresses as the System (WAN) DNS servers, this triggers a FortiGate software issue in which the DNS server addresses (DHCP option 6) are not passed to the phones.
    • This causes Vertical phones to get stuck in Configuring mode.
    • It causes Polycom phones to show Line Unregistered, URL Calling Is Disabled, Unknown Network Error, Invalid Hostname, a Red Triangle with an Exclamation point in the middle, and other Polycom errors that cause the phone to be unable to make/receive calls.

  5. All inbound and outbound audio can be blocked by the firewall’s application control settings.


  1. The instructions below may vary depending on the model and firmware version of your FortiGate device. 
  2. Log in to the FortiGate.
    • If you cannot log in or cannot find the settings below, you will need to email the instructions below to your IT department or contact FortiGate Technical Support for help making the changes.
  3. Open the command-line interface (CLI) from the dashboard or connect via an SSH client.
  4. Enter the following commands in FortiGate’s CLI:
    • config system settings
    • set sip-helper disable
    • set sip-nat-trace disable
    • end
  5. Reboot the FortiGate device.
  6. Reopen the CLI and enter the following commands (do not enter the text in parentheses):
    • config system session-helper
    • show (you need to find the entry for SIP, usually 12, but it can vary)
    • delete 12 (or the number that you identified in the previous command; this will remove the current SIP profile)
    • end
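  7. Disable RTP processing as follows (the first end closes config sip; the second end saves the profile and leaves config voip profile):
    • config voip profile
    • edit default
    • config sip
    • set status disable
    • set rtp disable
    • end
    • end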
  8. Exit the CLI.
  9. The following step is only needed if you have or plan to purchase Polycom phones and you are using your FortiGate as your DHCP server on your local network:
    1. In the FortiGate web interface, expand the Network section on the left-hand side of the page and click on Interface.
      • Under DHCP Server > DNS Server, make sure Same as System DNS is selected.
    2. Under the Network section on the left-hand side of the page, click on Interface > DNS Settings, set it to Specify, and set the following:
      • Primary DNS Server:
      • Secondary DNS Server:
    3. Click Apply to save.
      • If you cannot find the DNS settings above, then try to change the DNS settings using the command-line interface (CLI):
        • Go back to the dashboard and open the CLI and enter the following commands:
          • config system dns
          • set primary
          • set secondary
          • set cache disable
          • end
    4. Reboot the FortiGate device again and all of the phones on the network.
    5. If your computers and other devices on the network lose their internet connection, you may also need to reboot them to clear their DNS cache, or you can run the following Windows command to clear the DNS cache manually:
      • ipconfig /flushdns
  10. Select Security Profile > Application Control > Uncheck Video/Audio and save your changes.
  11. There may be other settings that you need to configure depending on the FortiOS version that you're using. If firewall-related phone issues persist, contact your IT department or FortiGate Technical Support.

Note: If you are running FortiOS 5.2 or 5.4, you will need to disable VoIP inspection. To do so, refer to the steps described in the Fortinet Knowledge Base article Disabling VoIP Inspection.
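
To confirm that steps 4 through 7 took effect after the reboots, the check below reads saved configuration text and reports any of those settings that are still active. It is an added example, not FortiGate or vendor code. It assumes the text uses the nested config/edit/set/next/end layout that the CLI show command prints, and it treats a setting that is absent from the text as still at its default (not disabled); the sample configuration is constructed.

```python
# Constructed sample in the nested layout printed by "show" (not from a real device).
SAMPLE = """\
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end
config system session-helper
    edit 12
        set name sip
    next
end
config voip profile
    edit "default"
        config sip
            set status disable
        end
    next
end
"""

def parse(text):
    """Flatten config text into {(path, key): value}; path is a tuple of block names."""
    path, out = [], {}
    for line in text.splitlines():
        words = line.split() or [""]
        if words[0] in ("config", "edit"):
            path.append(" ".join(words[1:]).strip('"'))
        elif words[0] in ("end", "next") and path:
            path.pop()
        elif words[0] == "set" and len(words) > 2:
            out[(tuple(path), words[1])] = " ".join(words[2:]).strip('"')
    return out

def audit(text):
    """Return findings for steps 4-7; an absent setting counts as not disabled."""
    cfg, findings = parse(text), []
    for key in ("sip-helper", "sip-nat-trace"):
        if cfg.get((("system settings",), key)) != "disable":
            findings.append(f"system settings: {key} is not disabled")
    for (path, key), value in cfg.items():
        if path[:1] == ("system session-helper",) and key == "name" and value == "sip":
            findings.append(f"session-helper entry {path[1]} is still the SIP helper")
    for key in ("status", "rtp"):
        if cfg.get((("voip profile", "default", "sip"), key)) != "disable":
            findings.append(f"voip profile default: sip {key} is not disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checks passed")
```

On the constructed sample it reports the leftover SIP session-helper entry (step 6 not done) and the missing set rtp disable (step 7 incomplete).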