Description

This article describes the configuration to be done on FortiGate when using 3CX devices.

Scope

v7.0, v7.2.

Solution

In this case, let's assume the 3CX server is behind the FortiGate.

1. Create outbound policy.
   
   

2. Create inbound policy.

   Firstly, it is needed to create the VIP.
   
   

   

    

   The RTP port can change from SIP provider to provider. It is necessary to check with the SIP provider to get the ranges of RTP ports configured on the 3CX server and allow those required ports in VIP.

    

   After creating the VIP, it is required to place the VIP in the incoming policy.
   
   

   

3. DNS.

   Make sure the DNS server is able to resolve all the required FQDN of 3CX.

    

    

4. Disable SIP ALG.

   FortiGate should not be using SIP ALG and even session helper should be disabled.

    

   To disable SIP ALG:

   config system settings

       set sip-expectation disable

       set sip-nat-trace disable
       set default-voip-alg-mode kernel-helper-based
   end

    

   To disable session helper

   config system session-helper
       edit 13
           set name sip
           set protocol 17
           set port 5060
       next

       delete 13
   end

    

   After that clear the session for port 5060.

    

   Check the setup from 3CX.

   Log into the 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if the firewall is correctly configured for use with 3CX.

    

   Related article:

   Technical Tip: Disabling VoIP Inspection.