Hello,
I want to make 5060 and some other ports for SIP prioritized over my other firewall policy rules. What's the best way to do this? Would I make a LAN to WAN rule, put it as the top policy and select the services? Would that affect both incoming and outgoing traffic? I assume it would only work for outgoing. But as it's for VoIP quality, I want it to be both ways. Currently I have it set to any interface to any interface, but that doesn't seem secure or organized, as I just need it to be LAN to WAN and WAN to LAN.
If you are curious, the policies after it make it so that the rest of the traffic will be restricted to a lower priority and lower allowance of total bandwidth. So this top rule will make anything going through those ports not be affected by those restrictions, and therefore improve the quality of service.
Thanks,
Me
You generally don't want any to any allow rules, or open ended wan to lan rules -- they're a security risk.
If you have an outgoing security policy rule (lan to wan, service SIP, allow, plus security profiles) then once you've made the outgoing connection it will allow communication back for the services you allow, using your security profiles, for that session.
It sounds like what you're really looking for is bandwidth shaping and service prioritization?
http://cookbook.fortinet.com/traffic-shaping-for-voip/
Also, traffic shaping with priority queuing by service.
http://cookbook.fortinet.com/traffic-shaping-priq/
Caveat: I've only looked these over with plans to implement them for some very high bandwidth applications, but haven't tried them yet. If you do, let us know how it goes!
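To make the reply above concrete, here is an added FortiOS CLI example (not from the original post, the reply, or the linked cookbook articles) of the pattern being recommended: a single LAN-to-WAN policy restricted to the SIP service instead of an any-to-any rule, with a traffic shaper attached so SIP is prioritized in both directions of the session. The interface names `internal` and `wan1`, the shaper name and bandwidth figures (in kbps), the policy IDs, and the assumption that the restrictive policies already sit at IDs 20 and above are all placeholders chosen for illustration; substitute your own.

```fortios
# Added example: a high-priority shaper for SIP signalling. The firewall
# only has to choose between flows when a link is congested, so "priority"
# matters under load and the guaranteed bandwidth is the floor SIP keeps
# when the lower-priority policies below it are being throttled.
config firewall shaper traffic-shaper
    edit "voip-shaper"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 2000
        set priority high
    next
end

# One outbound policy for the SIP service only. No WAN-to-LAN policy is
# needed for the return traffic: the session table allows replies back
# for this session, as the reply above describes. The security profiles
# (utm-status) still inspect the session. Keep the address objects as
# narrow as your phones/PBX allow instead of "all".
config firewall policy
    edit 10
        set name "lan-to-wan-sip"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set nat enable
        # forward direction (LAN -> WAN) and reverse direction (WAN -> LAN)
        set traffic-shaper "voip-shaper"
        set traffic-shaper-reverse "voip-shaper"
    next
    # Policies are matched top-down, so the SIP policy must sit above the
    # bandwidth-restricted catch-all policies (assumed here to start at ID 20).
    move 10 before 20
end
```

Two checks after applying it: confirm the SIP policy is listed above the restricted policies (`show firewall policy` preserves the evaluated order), and verify that no broader any-to-any or open WAN-to-LAN policy remains that would match the SIP traffic first and bypass the shaper. If the phones also use a separate RTP/media port range, that range needs its own service object on the same policy, since the predefined `SIP` service covers only the signalling port 5060.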