Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff

Created on ‎05-01-2021 11:39 AM Edited on ‎10-29-2023 10:57 PM By Community Manager

Article Id 190676

Technical Tip: Most common cases of SIP implementation

Description

 

This article describes the most common scenarios of VOIP implementation in FortiGate when SIP is used. 

There are three general scenarios in which the FortiOS session initiation protocol (SIP) solution is usually deployed, and a common practice for ISP/multi-vdom scenarios, where NAT is needed.


Solution


For the ease of understanding, the green highlight covers the network part that is managed.


 
 
 The SIP server (managed by user) is in a private network, protected from the internet by a FortiGate (managed by user). 
 
  • Phones need to register to the SIP server, in order to place calls through it. So port 5060 needs to be open through FortiGate by a VIP.
 
VIP can open port 5060 or all ports, and only one firewall policy is needed, external_intf>sip_server_intf, service SIP, NAT disabled. 
Based on the SDP information in the SIP packets, the FortiGate will open the necessary audio ports for each session.
 

 
The SIP clients (managed by user) are in a private network, protected from the internet by a FortiGate (managed by user).
 
  • FortiGate must apply Source-NAT to the outgoing packets, including the SDP content, to hide the internal network. 
 
By default, SIP-ALG does this with no further configuration other than a firewall policy: LAN ->external_interface, service SIP, NAT enabled.
Based on the SDP content a new session expectation -for RTP- is created).
 
 
 
The SIP server (managed by user) is in a private network, protected from the internet by a FortiGate (managed by user). 
The SIP clients are in a remote private network, such as a SOHO network, AND behind a NAT device that is not aware of SIP applications.
 
  • The NAT will only change the content of the IP headers, leaving the SDP content (IPs) unchanged. This causes problems in the SIP process.
FortiGate must have HNAT enabled to correct this situation: 
'set external enable' on the incoming interface, VIP to open the port 5060 to the local SIP server, 
'hosted-nat-traversal' must be enabled on the voip profile, VIP as dest object + NAT enabled in policy.
 
 

  
The SIP clients are in a remote public network; SIP server is located in a different public network.
SIP clients may or may not be behind a SIP-aware NAT unit.
 
SIP server accepts incoming connections only from a specific range of IPs, so FortiGate must NAT the traffic to the desired range by using an IP-pool.
Neither the clients, nor the server is on the local/private network.
 

Firewall Policy Configuration for SIP traffic:

Note: This will be the sample for SIP configuration. Check the SIP provider documentation for requirements

 

Topology:

Internal phone network (Test-Phone VLAN) --- Internal Phone Server (Test-Server VLAN) --- FGT (WAN) --- Internet --- SIP provider

 

(If the phone server is in the same VLAN as the phone system, you can skip the first step of the policy configuration below)

 

  1. Make sure to establish the connections between the phones and the internal phone server by creating 2 firewall policies for the VLAN traffic with NAT disabled: 
 

config firewall policy
    edit 1
        set name "Phone-to-Server"
        set srcintf "Test-Phone"
        set dstintf "Test-Server"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next

        edit 2
            set name "Server-to-Phone"
            set uuid c25ad7ee-d4b2-51ed-cc97-a28410b79310
            set srcintf "Test-Server"
            set dstintf "Test-Phone"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next

    end

 
  1. Create a new VIP object mapping the WAN IP address to the internal phone server’s IP address. Enable 'Optional Filters' and 'Source address' to type the IP address of the SIP provider. This means that only traffic from the SIP provider will be able to reach the internal phone server through the WAN IP address.  

 

config firewall vip
    edit "SIP-to-Server-VIP"
        set uuid deafae72-d4b4-51ed-665a-f03753be03dd
        set src-filter "<SIP-provider-public-IP>"
        set extip "<WAN-IP-address>"
        set mappedip "<Test-Server-VLAN-address>"
        set extintf "any"
    next
end

 

It is optionally possible to enable services to further restrict the traffic through port(s) to be able to reach the internal address and enable port forwarding to map the external port(s) to internal port(s).

 

  1. In the firewall policy configuration page (either 'IPv4 Policy', 'Firewall Policy' or 'Security Policy' for NGFW mode), create 2 firewall rules for traffic from the internal phone server VLAN to the Internet and vice versa: 

 

config firewall policy

    edit 4
        set name "SIP-to-Server"
        set srcintf "WAN"
        set dstintf "Test-Server"
        set action accept
        set srcaddr "all"
        set dstaddr "SIP-to-Server-VIP"
        set schedule "always"
        set service "ALL"
    next

        edit 3
            set name "Server-to-SIP"
            set srcintf "Test-Server"
            set dstintf "WAN"
            set action accept
            set srcaddr "Test-Server address"
            set dstaddr "SIP Provider"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

 

  1.  (Optionally) it is possible to configure any UTM features as needed and/or restrict the policies to only allow traffic for a certain port(s) by adding service(s) (for example, UDP port 5060) 

IMPORTANT NOTE.
In a SIP VoIP scenario, it is desirable to perform the least necessary NAT operations, and only if absolutely needed.
It has to be chosen as the ones most easier to control.
It has to be considered in this order: VIP (most common), VIP (ranges of IPs), SIP-ALG (it is performing NAT), IP-pool (least desirable, only when absolutely needed, otherwise SIP-ALG or VIP are a better solution).

Based on: https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/667795/general-use-cases
 
Related documents:
 

 

Related Articles

Technical Tip: VOIP calls (using SIP)

Technical Tip: Disabling VoIP Inspection

Techincal Tip: SIP useful Commands

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

Technical Tip: How to use the SIP ALG to prevent unwanted calls

Technical Tip: FortiGate Hosted NAT Traversal for SIP

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2

Technical Tip: How to create SIP helper for custom ports 

Labels:
12013
Suggest New Article
Article Feedback
Comments
saleha
Staff
Staff
‎08-15-2024 11:28 AM

This is a really important article for more sophisticated sip implementations. Great work!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.