Using a non-standard port for SIP is a fairly weak security measure. The ‘secret’ port will eventually be discovered and the crackers will then beat on it.
As a test system, only allow access to the SIP port from the IP address(es) of your endpoints. In production, if a whitelist is impractical, use a VPN or SIP over TLS.
The USG by default has a 30-second UDP timeout, which is the cause of your registration loss. Although the ALG works around that, it causes other subtle issues and is not recommended.
- SIP ALG: Found under firewall settings. Must be disabled.
- SPI Firewall: Found under firewall settings. Must be disabled.
- UDP Timeout: Found under firewall settings. Usually set to 30 seconds by default. Should be increased to at least 300 seconds.
- SIP Transformations: Found under firewall settings. Must be disabled.
- Consistent NAT: Found under firewall settings. Must be enabled.
Of the above, just increasing UDP Timeout should fix the registration loss, though the other changes may be needed for audio issues, etc.
However, no port forwarding should be needed.
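
The timeout advice above can be checked against a phone's re-registration interval with a small model. This is an added example, not part of the original post; it assumes the firewall's UDP mapping is refreshed only by packets the phone sends, and the 120-second REGISTER interval and the optional keepalive parameter are assumed values that go beyond what the post states.

```python
"""Model of a firewall UDP mapping for a SIP phone behind NAT (constructed example)."""


def outbound_times(horizon, register_every, keepalive_every=None):
    """Seconds at which the phone sends a packet to the PBX:
    REGISTER refreshes plus, optionally, keepalive packets."""
    times = set(range(0, horizon + 1, register_every))
    if keepalive_every:
        times |= set(range(0, horizon + 1, keepalive_every))
    return sorted(times)


def unreachable_windows(udp_timeout, send_times, horizon):
    """Return [(start, end)] intervals during which the firewall has already
    dropped the mapping, so a packet from the PBX cannot reach the phone."""
    windows = []
    # Pair each send with the next one; the last send is paired with the horizon.
    for sent, nxt in zip(send_times, send_times[1:] + [horizon]):
        expires = sent + udp_timeout
        if expires < nxt:
            windows.append((expires, nxt))
    return windows


def unreachable_seconds(udp_timeout, register_every, keepalive_every=None, horizon=3600):
    """Total seconds per horizon in which the phone is unreachable from the PBX."""
    sends = outbound_times(horizon, register_every, keepalive_every)
    return sum(end - start for start, end in unreachable_windows(udp_timeout, sends, horizon))


if __name__ == "__main__":
    # Assumed phone setting: re-REGISTER every 120 seconds.
    for timeout in (30, 300):
        lost = unreachable_seconds(timeout, register_every=120)
        print(f"UDP timeout {timeout:>3}s: unreachable {lost}s per hour")
```

The model also shows that 300 seconds is only enough when the phone re-registers at least that often; with a longer interval the gaps reappear.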