At least in version 2.7.2 and close, SIP-ALG is apparently (seen via live logs and behavior…) active within a Watchguard, if you have a TCP-UDP proxy active. Doesn’t matter how much you turn off in that proxy, SIP-ALG is still active. The only way to handle it, apparently, is by disabling the policy altogether and replacing it with a TCP-UDP packet filter.