Pro_IT_Support

Technical Tip: ADTRAN SIP-ALG Trunks with third-party vendor

Here are the lessons I learned that are specific to Clearfly ADTRAN deployments behind a Fortinet NAT firewall:

1.  Make sure to leave SIP-ALG enabled. If you have disabled this setting, you need to re-enable it.

config system settings
    set sip-expectation enable
    set sip-nat-trace enable
    set default-voip-alg-mode proxy-based
end
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
config voip profile
    edit default
        config sip
            set rtp enable
        end
    next
end


2.  Make sure your firewall is running in Profile-based mode instead of Policy-based mode.

Use a VIP (virtual IP address) to map the public IP address of the ADTRAN to the private IP address of the ADTRAN. This will be used as the destination for your inbound firewall rule.


3.  On your inbound firewall rule:

  • Incoming Interface (WAN or SD-WAN zone)
  • Outgoing Interface (interface connected to the ADTRAN)
  • IPv4 Source Address - Add the Clearfly IP address range and LookingGlass IP range and a test IP that you control
  • IPv4 Destination Address - use the VIP (one-to-one mapping of public to private IP for the ADTRAN)
  • Services - ALL_ICMP, HTTPS, SNMP, SSH, TRACEROUTE (UDP). DO NOT INCLUDE SIP ON THE INBOUND RULE.
  • Schedule - always
  • Action - Accept
  • !!! Inspection Mode !!! - Proxy-based; this is important or SIP-ALG will not see the traffic
  • NO NAT on the inbound rule; this is handled by the VIP

4.  On your outbound firewall rule:

  • Incoming Interface (interface connected to the ADTRAN)
  • Outgoing Interface (WAN or SD-WAN zone)
  • IPv4 Source Address - the private IP address on the ETH0 on the ADTRAN
  • IPv4 Destination Address - ALL
  • Services - ALL
  • Schedule - always
  • Action - Accept
  • !!! Inspection Mode !!! - Proxy-based; this is important or SIP-ALG will not see the traffic
  • NAT - Use Dynamic IP Pool (if you have more than one public IP address, you need a pool to map the outbound IP of the ADTRAN to the IP address you have assigned to the device)
  • Preserve Source Port - check this box

This should allow your ADTRAN to register properly with the third-party vendor's SBC and benefit from the added security of being located inside of your corporate firewall.


You can run the following command to verify that calls are being handled by SIP-ALG.

If SIP-ALG is handling the SIP traffic, the command below will display counters:


FortiGate # diag sys sip-proxy stat
sip stats

vdom name: root
active-sessions: 1
calls-attempted: 57
calls-established: 27
calls-failed: 30

calls-active: 0
registers-active: 1
| received | blocked | unknown form | long headers
req-type | req resp| req resp| req resp| req resp
UNKNOWN 0 47227 0 47227 0 47227 0 0
ACK 86 0 0 0 0 0 0 0
BYE 27 27 0 0 0 0 0 0
CANCEL 14 14 0 0 0 0 0 0
INFO 0 0 0 0 0 0 0 0
INVITE 107 223 0 0 0 0 0 0
MESSAGE 0 0 0 0 0 0 0 0
NOTIFY 5789 5788 0 0 0 0 0 0
OPTIONS 0 0 0 0 0 0 0 0
PRACK 0 0 0 0 0 0 0 0
PUBLISH 10371 802 0 1 0 0 0 0
REFER 2 2 0 0 0 0 0 0
REGISTER 100678 81543 25 0 25 0 0 0
SUBSCRIBE 19857 13333 0 2 0 0 0 0
UPDATE 0 0 0 0 0 0 0 0
PING 0 0 0 0 0 0 0 0


https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-confirm-if-FortiGate-is-using-SIP-S...


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-One-way-Audio-issue-in-VOIP-calls-ca...


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-the-SIP-Application-Layer-Gateway...


IT Consultant - Fortinet Reseller
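The post's verification step is "if SIP-ALG is handling the traffic, `diag sys sip-proxy stat` shows counters". The script below, added here as an example and not taken from the post or from Fortinet, parses that output into a structure you can check automatically (for example from a monitoring job that collects the command over SSH). It embeds the output printed in the post as its sample input and assumes the column layout is exactly as shown there: per-method rows of eight integers, forming four (request, response) pairs for received, blocked, unknown form and long headers. The helper names (`parse_sip_proxy_stat`, `alg_is_handling`, `summarize`) are my own.

```python
"""Parse FortiGate `diag sys sip-proxy stat` output and report whether SIP-ALG
is seeing SIP traffic. Added example; not from the forum post or from Fortinet."""
import re

# Sample output, copied from the post above so the script runs offline.
SAMPLE_OUTPUT = """\
FortiGate # diag sys sip-proxy stat
sip stats

vdom name: root
active-sessions: 1
calls-attempted: 57
calls-established: 27
calls-failed: 30

calls-active: 0
registers-active: 1
| received | blocked | unknown form | long headers
req-type | req resp| req resp| req resp| req resp
UNKNOWN 0 47227 0 47227 0 47227 0 0
ACK 86 0 0 0 0 0 0 0
BYE 27 27 0 0 0 0 0 0
CANCEL 14 14 0 0 0 0 0 0
INFO 0 0 0 0 0 0 0 0
INVITE 107 223 0 0 0 0 0 0
MESSAGE 0 0 0 0 0 0 0 0
NOTIFY 5789 5788 0 0 0 0 0 0
OPTIONS 0 0 0 0 0 0 0 0
PRACK 0 0 0 0 0 0 0 0
PUBLISH 10371 802 0 1 0 0 0 0
REFER 2 2 0 0 0 0 0 0
REGISTER 100678 81543 25 0 25 0 0 0
SUBSCRIBE 19857 13333 0 2 0 0 0 0
UPDATE 0 0 0 0 0 0 0 0
PING 0 0 0 0 0 0 0 0
"""

# Assumed column order of the four (req, resp) pairs, as printed in the header line.
COLUMNS = ("received", "blocked", "unknown_form", "long_headers")
# "calls-attempted: 57" or "vdom name: root" (lowercase key, one value)
_SCALAR = re.compile(r"^([a-z][a-z -]*?):\s*(\S+)$")
# "REGISTER 100678 81543 25 0 25 0 0 0" (uppercase method, exactly eight integers)
_ROW = re.compile(r"^([A-Z]+)\s+((?:\d+\s+){7}\d+)\s*$")


def parse_sip_proxy_stat(text: str) -> dict:
    """Return {"vdom": str|None, "counters": {name: int}, "methods": {METHOD: {col: (req, resp)}}}."""
    stats = {"vdom": None, "counters": {}, "methods": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SCALAR.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "vdom name":
                stats["vdom"] = value
            elif value.isdigit():
                stats["counters"][key] = int(value)
            continue
        m = _ROW.match(line)
        if m:
            nums = [int(n) for n in m.group(2).split()]
            stats["methods"][m.group(1)] = {
                col: (nums[2 * i], nums[2 * i + 1]) for i, col in enumerate(COLUMNS)
            }
    return stats


def alg_is_handling(stats: dict) -> bool:
    """The post's rule: SIP-ALG is in the path only if the proxy has seen SIP messages."""
    received = sum(sum(m["received"]) for m in stats["methods"].values())
    return received > 0 or stats["counters"].get("registers-active", 0) > 0


def summarize(stats: dict) -> dict:
    """Condense the parsed counters into the few values worth alerting on."""
    c = stats["counters"]
    attempted, failed = c.get("calls-attempted", 0), c.get("calls-failed", 0)
    reg = stats["methods"].get("REGISTER", {})
    return {
        "vdom": stats["vdom"],
        "alg_handling": alg_is_handling(stats),
        "registers_active": c.get("registers-active", 0),
        "call_failure_rate": round(failed / attempted, 3) if attempted else 0.0,
        "register_requests_received": reg.get("received", (0, 0))[0],
        "register_requests_blocked": reg.get("blocked", (0, 0))[0],
        # methods with any blocked requests or responses, for follow-up in the SIP logs
        "blocked_by_method": {
            name: sum(m["blocked"]) for name, m in stats["methods"].items() if sum(m["blocked"])
        },
    }


if __name__ == "__main__":
    for key, value in summarize(parse_sip_proxy_stat(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

On the post's own output this reports the ALG as handling traffic with one active registration, a call failure rate of about 53 % (30 of 57 attempts), and 25 blocked REGISTER requests; an all-zero table, which the post says is what you see when the proxy-based inspection mode is missing from the policy, makes `alg_is_handling` return false. Treat the `blocked_by_method` values as pointers into the FortiGate VoIP logs rather than as a diagnosis by themselves.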
Anonymous

Hello @Pro_IT_Support ,


Thank you for posting to Fortinet Community Forum. We welcome your input and we hope it helps the users get help from it.

Thanks,
