MazenH
New Contributor

One-way audio over fortigate FW

Hi team,

I need your help with one-way audio in a network. The design is a bit complex and is as follows:

- FortiGate acts as an internal firewall --> connected to Cisco FW --> Service provider
- the voice server is at the service provider premises

I can make calls from the internal network to any phone at the remote sites (they don't have FortiGate) or to the phones at the service provider. They can hear me, I can't hear them. They cannot call me, of course. Phones are registered normally.

I tried to bypass the Cisco Firewall for the voice traffic; it didn't change anything. I enabled "any any" for the voice, I enabled SIP and ICMP and nothing changed (the phones in question are Cisco SIP).

Can you please advise on what I can do? Do you require any command outputs? Any help would be appreciated.

Regards, Mazen
Sean_Toomey_FTNT

Hi there! I would recommend that you move your question to another section of these forums for the best assistance. FortiVoice is an SMB VoIP solution, and what you're describing is general difficulty with VoIP traffic. VoIP can be tricky to troubleshoot because there are so many different ways it can be implemented. First, I hope you aren't using src/dst of any/any as this is very bad security practice :)

Here are some steps you can try as a first pass, but I would still recommend you ask this in another section, perhaps FortiOS. I would say ask the provider what configurations need to be in place for your system to work. I assume that your phones have internal IPs; you can't just create a rule to allow access from your service provider inbound to your phones, NAT or a VIP would have to be involved. I suspect that you are simply missing some configuration and/or there is a misconfig on another component. Since you've bypassed the Cisco FW and the problem persists, check with your service provider and ensure you have everything open that needs to be open and the proper configuration on their side.

I'm sorry I can't be more specific. Without knowing all the parameters and how the service provider is set up on the head end, it's hard to say. Bear in mind FortiOS does have VoIP specific policy in the GUI that may be relevant here depending on your needs. If you don't see it, enable it in the Features widget on the dashboard. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
neonbit
Valued Contributor

Hi Mazen, I've seen this behaviour several times with SIP traffic going through a FortiGate. Usually the problem is to do with the FortiGate's SIP session helper (should be renamed 'unhelper'...). For myself the fix has usually been to delete and disable the SIP helper, then restart the firewall. This must be done in the CLI. When you run the below 'show' command, look for the ID that SIP has been configured under. Usually I see this as 13, but sometimes it's 12 too.
 config system session-helper
 show
 # 13 here, or whatever the ID is for the SIP session helper in the 'show' output
 delete 13
 end
 
 config system settings
 set sip-helper disable
 set sip-nat-trace disable
 end
 
 execute reboot
 
The firewall reboot is a requirement. After the firewall reboots I generally disable all the SIP protection profiles from the policy and then make a test call. If it's still not working you can then try to enable the SIP protection profiles in the policy. Hope it helps!
Sean_Toomey_FTNT

Thanks for the info neonbit. Generally speaking, the SIP helper should of course not be a problem. Sorry that it has caused you issues. If you don't mind Mazen, if that change happens to magically solve your issue, could you please open a TAC case so we can grab some debugs? I'd rather see to it that the SIP helper works as expected, and if indeed it's a SIP helper problem and debugs show a root cause, it's something that could be fixed not only for you but for the community. My focus is to try to make the product work to its best potential. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Bromont_FTNT
Staff

The SIP session helper is turned on by default and typically the first thing TAC will do in these cases is disable it. There should be settings on the PBX for it to ignore headers if the SIP traffic was natted, however if the SIP headers do need translating then applying the VoIP profile (ALG) is the better solution.
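
Added example, not part of any post in this thread: a check for the condition referred to above, SIP headers and SDP lines that still carry a private address after NAT and would therefore need translating by the PBX or the VoIP profile. The sample message, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE as the far end might receive it when no
# device rewrote the phone's private address (all values are made up).
SAMPLE_INVITE = """\
INVITE sip:2001@voice.example.net SIP/2.0
Via: SIP/2.0/UDP 10.10.20.15:5060;branch=z9hG4bK776asdhds
From: <sip:1001@voice.example.net>;tag=1928301774
To: <sip:2001@voice.example.net>
Call-ID: a84b4c76e66710@10.10.20.15
CSeq: 314159 INVITE
Contact: <sip:1001@10.10.20.15:5060>
Content-Type: application/sdp

v=0
o=- 2890844526 2890844526 IN IP4 10.10.20.15
s=-
c=IN IP4 10.10.20.15
t=0 0
m=audio 16384 RTP/AVP 0 8
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Header fields and SDP lines whose address the far end uses to reach the phone.
WATCHED = ("via:", "contact:", "c=", "o=")

def private_addresses(message):
    """Return (field, address) pairs for watched lines carrying a private IPv4 address."""
    findings = []
    for line in message.splitlines():
        lowered = line.lower()
        field = next((f for f in WATCHED if lowered.startswith(f)), None)
        if field is None:
            continue
        for candidate in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looks like an address but is not one, e.g. 999.1.1.1
            if addr.is_private:  # private as defined by Python's ipaddress module
                findings.append((field.rstrip(":="), str(addr)))
    return findings

def sdp_media_is_private(message):
    """True when the SDP connection line (c=) advertises a private address for RTP."""
    return any(field == "c" for field, _ in private_addresses(message))
```

Run it against the text of an INVITE or 200 OK taken from a capture on the far side of the firewall; a private address on the `c=` line means the other end is being told to send audio to an address it cannot route to.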
Sean_Toomey_FTNT

ORIGINAL: Bromont The SIP session helper is turned on by default and typically the first thing TAC will do in these cases is disable it.
Hi Bromont, This is kind of the point I'm trying to make. That particular TAC engineer may choose to disable it because it's the path of least resistance to get your problem resolved and there is nothing necessarily wrong with that, but I'd really like to see a trouble ticket opened for a deep dive debug and improve the operation of the SIP helper so that it doesn't need to be disabled. I unfortunately don't have the means to duplicate this issue myself in my home lab, and I do know of installations where SIP helper is enabled and working as expected, so it clearly is not an issue of it failing 100% of the time. If one of you is having issues where you had to disable the SIP helper, and you are willing to take a few minutes of your time during a maintenance window to help reproduce the problem and debug the issue to see if we can make it work smoothly in a wider range of deployments, that is something I know the community as a whole would appreciate. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Bromont_FTNT
Staff

In the vast majority of cases the SIP helper will need to be disabled. Modern PBX systems are smart enough to not need it... In the event it is needed the SIP ALG (VoIP profile) should be used instead. http://kb.fortinet.com/kb/viewContent.do?externalId=FD31530
Sean_Toomey_FTNT

Hi Bromont, If that's the case, I could make the argument that the SIP helper needs to be disabled by default. Thanks for the info!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Mark_Oakton
Contributor

Hi Mazen, did you get this sorted in the end? If not, let us know some details about the setup: what / where the voice switch is, what internet router / connection you have. There are other issues that can cause one-way audio if the Fortinet fix doesn't work. Mark
Infosec Partners
baitken
New Contributor

In my case I needed to disable BOTH the SIP helper and ALG on the FortiGate to resolve issues of one-way audio on external phones. In 5.2.x the SIP helper is disabled by default. Blair