Hi,
I seem to have hit a snag with configuring our new VOIP provider.
The traffic from the external VOIP server is being blocked by our firewall.
I've tried to make a policy (KPN VOICE rule) to allow it, but it doesn't seem to get hit and the incoming calls are still being blocked by the implicit deny rule.
I've included images with the policy rules and the log detail of an incoming call.
The FortiGate is behind a new router which makes a VPN to the new provider; the WAN interface on the FortiGate has IP 10.4.7.1.
The KPN SBC object in the policy rule contains the IP address of the external VOIP server.
Can anyone point me in the right direction?
Are you getting one way audio issues or are calls not coming in at all?
config system settings
set sip-udp 5080
Mike Pruett
I'm not getting any incoming calls, outgoing calls work fine and the audio is good.
Qs
Did you run diag debug flow on the call and signaling?
Since calls are working one-way, I would not overlook any SIP diagnostics and cause responses between the SIP server/client.
Do you have any registration issues, or is SIP-reg not being used here?
PCNSE
NSE
StrongSwan
From the logs, in the Destination section, it looks like the IP 10.4.7.1 is matched to the "root" interface and not "internal". That is likely the reason why it is blocked by the implicit deny rule.
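The distinction drawn in the reply above, as an added example that is not part of the thread: a small triage script that separates denies aimed at the FortiGate's own address (destination interface "root") from forward-traffic implicit denies. The log lines are constructed in FortiGate key=value style; `203.0.113.10` (standing in for the SBC), `192.168.1.20`, `wan1` and policy ID 12 are assumptions, while 10.4.7.1 and "internal" come from the thread.

```python
import re

# Constructed sample log lines (not taken from the poster's screenshots).
SAMPLE_LOGS = [
    'type="traffic" subtype="local" srcip=203.0.113.10 srcintf="wan1" '
    'dstip=10.4.7.1 dstport=5060 dstintf="root" policyid=0 action="deny"',
    'type="traffic" subtype="forward" srcip=203.0.113.10 srcintf="wan1" '
    'dstip=192.168.1.20 dstport=5060 dstintf="internal" policyid=0 action="deny"',
    'type="traffic" subtype="forward" srcip=192.168.1.20 srcintf="internal" '
    'dstip=203.0.113.10 dstport=5060 dstintf="wan1" policyid=12 action="accept"',
]

# key=value pairs; the value is either "quoted" or a bare token
PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, dropping optional quotes."""
    return {k: (q if b == "" else b) for k, q, b in PAIR.findall(line)}


def classify(entry, fw_addrs, vdom="root"):
    """Label a traffic log entry by why (or whether) it was denied."""
    if entry.get("action") != "deny":
        return "allowed"
    # Destination is the firewall itself: forward policies are not evaluated,
    # so a rule like "KPN VOICE" between two interfaces never gets hit.
    if entry.get("dstintf") == vdom or entry.get("dstip") in fw_addrs:
        return "local-in"
    # Policy ID 0 on forwarded traffic is the implicit deny: no policy matched.
    if entry.get("policyid") == "0":
        return "forward-implicit-deny"
    return "denied-by-policy"


def triage(lines, fw_addrs):
    """Return (srcip, dstip, dstintf, verdict) for each log line."""
    out = []
    for line in lines:
        e = parse_line(line)
        out.append((e.get("srcip"), e.get("dstip"), e.get("dstintf"),
                    classify(e, fw_addrs)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS, {"10.4.7.1"}):
        print(row)
```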
diag debug flow is your friend; we do not have enough information or a proper collection of diagnostics
no match firewall
no route
other items to be concerned with (typo, wrong addr object, /32 static routes, PBR, etc.)