Not applicable

SIP trunking

I have tried everything under the sun to get a Fortigate 60B to properly handle SIP trunking and I cannot get this thing to work 100% of the time. The customer uses bandwidth.com for SIP trunking, both in and out, along with a Fonality PBXtra onsite PBX.

Fonality says open the following ports:
- UDP 5060 (SIP)
- UDP 10000 - 20000 (SIP audio)

Bandwidth.com says open the following ports:
- UDP 5060 (SIP)
- UDP 1024 - 64000 (SIP audio)

I have done this using Virtual IPs with port forwarding. I have done this using just Custom Service rules with the ports. I have tried creating Virtual IPs with ALL ports open. I have tried this with Custom Service rules with ALL ports open. Randomly I can get outbound calls to go through, but no audio. I do not get what I am doing wrong; I have done this 500 times with other firewalls and have never had any sort of problem. This Fortigate is the most ridiculously complicated thing I have encountered in over 20 years of network consulting. I recommended to the client that they trash it in favor of a much better Cisco firewall, but they claim that Fonality told their former network administrator that the Fortigate was the recommended solution to work with the PBXtra. I cannot get anyone at Fonality to verify this statement. Regardless, SIP trunking is a simple technology that should not be this difficult to get set up. I have searched all over the internet for instructions relating to a Fortigate firewall and have come up mostly empty handed, save for a few references to some SIP document in the knowledge base (if those are referring to "FortiGate Support for SIP FortiOS v3.0 MR5" then save your time because that document is a piece of trash). I have tried getting the folks at bandwidth.com to help; they refuse to provide help "behind the firewall", which I totally understand. Fonality is the same way. I have tried getting anyone at Fortinet to help but have come up empty handed.
Is there anyone on this planet that has actually successfully set up SIP trunking, both inbound and outbound, using a FortiGate 60B firewall?? This is my last effort at solving this problem before I tell the client to forget it unless they want to use a real firewall. TIA
emnoc
Esteemed Contributor III

Give us an example of your firewall policy? What I did when I had a PBX downstream of a fortigate was to find out the source ranges for the PBX/SIP gateways and make a firewall policy that allowed that range of ip_address and allowed all services thru. Once I diagnosed the sessions and validated the port range, I locked it down further. One-way audio is very common and typically due to one side of the session not being allowed. You also might want to disable the sip-helper if you have that enabled, and check out the KB on the fortinet website. They have some great examples iirc on proper setup. I use a Cisco SIP-enabled phone at home behind my FWF60, and we have an asterisk server behind a FG200A. I also have a nortel IP phone vpn thru my FWF60B and it works great, but it's not SIP but uses some other call session control. All works great btw.
PCNSE NSE StrongSwan
Not applicable

emnoc ... no offense intended, but that is exactly an example of what I would call a pretty much useless response. No definitive "here is how you do it" instructions, just a bunch of mumbo jumbo that exists in a dozen other areas in this forum. I love how everyone points to these so-called great examples in the KB on the fortinet site, yet not one of you can provide a link, an article number, nothing. That KB is a piece of crap, worst I've ever come across in my life. I found exactly ONE article that discusses SIP and it appears to have been created by a child that barely understands English.

red.adair:
- currently use 4.0, MR1 patch 3
- do have a FW rule allowing 5060/UDP outbound from DMZ to WAN1; PBXtra lives in DMZ
- do have a VIP rule binding ext:5060 to dmz:5060 with associated ext->dmz rule
- I do have the SIP-ALG protection profile created and bound to all rules
- NOT using STUN

I'm very familiar with SIP. The amazing thing is, when I switch to testing with another SIP trunk provider, everything magically works perfectly. Switch back to bandwidth.com, nothing works. Yet they claim everything is set up perfectly on their end. Quite frankly I think they are full of crap.
abelio

Hi 316, being an experienced (20 yr) network consultant as you claim to be, some basic things should be obvious:
- if you post to a forum about a technology you don't know, you should provide the most accurate and exhaustive detail about your setup, your configuration, captured screens or output of relevant CLI commands, etc.
- it's surely useless to post concepts like 'everything is crap' or whatever like that, and qualifying those guys who are trying to understand (guessing from your draft description) is completely annoying.

This is just a volunteer effort forum, not free tech support for you; if you're kind, there are more possibilities to find somebody to take some time to kindly study your problem and help you, just for fun. If you consider this not enough for you, open a ticket with paid Fortinet TAC or hire a consultant. good luck

regards / Abel
red_adair
New Contributor III

- Use a recent 4.0.x or 4.1.x Build
- create a FW Rule that allows udp/5060 outbound (guess you need to tick NAT as well)
- if needed create a VIP from ext:5060 -> int:5060 and bind it to an ext->int Rule (in case someone needs to access your PBX from the Internet)
- NOW: Kick in the SIP-ALG! (That does all the Magic like Pinholing RTP and NATing)
  - Create an Application-Control with SIP enabled
  - Create a Protection-Profile with that App-Control Sensor enabled
  - Apply that Protection profile to both inbound and outbound SIP Policies
- make sure you are not using STUN or hacks like that - or at least open the ports that they use.

And BTW - I disagree that SIP is a simple technology. It's a fairly open Signalling; and when you say SIP Audio you likely refer to RTP (whose Pinholes are opened dynamically). When using FortiOS 4.1 you will get a strong SIP ALG into your hands, so make sure you are familiar with SIP. -R.
emnoc
Esteemed Contributor III

316, it took me all but 30secs to google sip and fortigate. http://docs.fortinet.com/fgt/archives/3.0/techdocs/FortiGate_SIP_Support_Tech_Note_01-30007-0232-20080909.pdf And within 60secs I found quite a few SIP related articles on the KB, for v3 or 4. http://kb.fortinet.com/kb/microsites/searchEntry.do So what did you expect? A simple request for your FW policy and a description of the method I used to diagnose my SIP related problems was not good enough for you? Get real and get a life.
rwpatterson
Valued Contributor III

Why don't you go over and do it too....

Bob - self proclaimed posting junkie! See my Fortigate related scripts at: http://fortigate.camerabob.com
red_adair
New Contributor III

If all SIP Peering Providers work except one, you may try to find out why this happens. To reveal SIP NAT/pinholing etc. (all the ALG does):

# diag debug ena
# diag debug application sip -1

It may also help to take simultaneous traces on external and DMZ and work them out in Wireshark:

# diag sniff pack external-IF 'host <sip-srv-ip>' 3
# diag sniff pack DMZ-IF 'host <sip-srv-ip>' 3

(run both simultaneously). Use the Perl Script you find (search for sniffer) to convert the output into PCAP.
reco
New Contributor

hi there, is it possible to have multiple trunks registered at the same time? Also I have a sip provider (callcentric) which uses port 5080. How would I need to change the sip ALG to take care of that too? See my setup here: http://dl.dropbox.com/u/125755/network.png thanks
FortiRack_Eric
New Contributor III

It's no problem having multiple sip trunks over 1 line.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack