Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Not applicable

Created on ‎03-27-2008 12:00 AM

Article Id 193228

Using the MGCP predefined service

Article
DescriptionThe MGCP pre-defined firewall service can be used by call agents and media gateways in distributed Voice Over IP (VoIP) systems. The MGCP pre-defined service is compliance with RFC 3435 and can be used for MGCP calls through a FortiGate unit.
ComponentsFortiOS v3.0 MR6
Steps or Commands

In a typical MGCP scenario, an MGCP phone connected to the Internet can communicate with an IP phone on a private network. The FortiGate unit needs to be operating in NAT/Route mode with NAT enabled.

You need to configure a virtual IP and create two firewall policies to allow calls from the MGCP phone on the Internet to the IP phone on the internal network.

Configure a Virtual IP

First, create a virtual IP address for the MGCP call agent, which you will use in the firewall policies.

To configure a virtual IP for the MGCP call agent on the FortiGate external interface

  1. Go to Firewall> Virtual IP> Virtual IP.
  2. Select Create New.
  3. Configure the virtual IP address:
    4. NameName of the MGCP call agent.
    External InterfaceExternal
    TypeStatic NAT
    External IP AddressThe external IP address that you want to map to an address on the destination network. This will be the virtual IP for the call agent.
    Map to IPThe real IP address on the destination network to which the external IP address is mapped.

  4. Select OK.

Add Firewall Policies

You need to add two firewall policies for the MGCP phone traffic. One will enable the MGCP phone to contact the MGCP call agent, the second will allow an IP phone on the internal network to call the MGCP phone.

To add a firewall policy for the MGCP phone to register with the MGCP call agent

  1. Go to Firewall> Policy and select Create New.
  2. Configure the policy using the following settings:
    3. Source InterfaceExternal
    Source AddressIP of the MGCP phone.
    Destination InterfaceInternal
    Destination AddressThe virtual IP for the MGCP call agent.
    ScheduleAlways
    ServiceMGCP
    ActionACCEPT
    NATEnable
  3. Select OK.

To add a firewall policy that allows calls from the IP phone on the internal network to the MGCP phone.

  1. Go to Firewall> Policy and select Create New.
  2. Configure the policy with the following settings:
    3. Source InterfaceInternal
    Source AddressIP of the IP phone.
    Destination InterfaceExternal
    Destination AddressThe virtual IP for the MGCP call agent.
    ScheduleAlways
    ServiceMGCP
    ActionACCEPT
    NATEnable

  3. Select OK.

Labels:
2161
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.