Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: How to configure Fortigate with SIP for an As...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 05-05-2010 08:07 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[solved] How to configure Fortigate with SIP for an Asterisk server
Hi everyone,
I' m trying to configure my Fortigate in order that it let my Asterisk server perform VoIP call on the Internet.
My Fortigate 50B is connected to Internet with interface WAN1 via a Modem in transparent Mode (so the Firewall get a public IP from my ISP).
On the Internal interface of the Fortigate, a Nortel Business Ethernet switch 50 is connected.
VLAN " 80" (192.168.80.1) is configured on the internal port of the Firewall and on the switch port where it is connected to.
On the Nortel switch ports of the VLAN " 80" an Asterisk server (192.168.80.8) and 2 IP phones are connected (192.168.80.51 and 192.168.80.52).
Internal interface is set with 192.168.2.1 / 24.
Concerning Policies, I juste open everything from inside to outside.
This mean Source=all, Destination=all, Services=any for the following interfaces :
VLAN 80 to wan1
Internal to Wan1
I setup a Virtual IP :
Firewall > VIP
Name : Asterisk SIP server External interface : Wan1 Type : static NAT External IP address : 0.0.0.0 Mapped IP addres : 192.168.80.8 Port fowarding not ticked/checked---- HTTPS, HTTPS, PING and DNS communication from VLAN 80 to Internet do work well. Asterisk can perform DNS queries without issue. Asterisk as 1 SIP trunk to two different SIP providers. Config has been checked and work perfectly well without Fortigate Firewall in between. It works as well perfectly well with a basic Firewall forwarding appropriate port 5060 and rtp ports 10000-10008 to Asterisk. Asterisk can send calls and receive calls. However with the Fortigate 50B in between with the above described configuration, only the outgoing SIP calls/dialog from inside to SIP provider are working. Incoming SIP calls fail. So I did what was advised by the guide to perform SIP call. I added the two following policies : Firewall > Policy 1
Source interface : wan1 Source address : all Destination interface : VLAN Voice Destination address : Asterisk SIP server Schedule : always Service : SIP Action : AcceptFirewall > Policy 2
Source interface : VLAN Voice Source address : all Destination interface : wan1 Destination address : all Schedule : always Service : SIP Action : Accept NAT : enabled Protection profile : SIP_ProfileFirewall > Protection profile
Name : SIP_Profile Application Control > Application Black/White List : App_list_SIP Logging > Log Application Control : yesUTM > Application Control
Name : App_List_SIP Liste Type > White List Category : VoIP Application : SIP Limit REGISTER request : 5 Limit INVITE request : 5 Enable Logging : yes Enable Logging of Violations : YesI as well removed the SIP session-helper as adviced :
config system session-helper delete 20 end config system settings set sip-helper disable set set sip-nat-trace disable endI restarted the FortiGate for changes to take effect. The result is that VLAN Voice lose total communication with Internet. No more call, PING; or DNS querries are possible with these Policies. I tried to enable each policies on its own and it seems that the problem comes from the Policy 1 because as soon as I enable it, Astersik server can no more PING or make any DNS Querry to a public IP address. Though I still can ping my wan1 interface. It' s looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my " Asterisk SIP server" Virtual IP configuration. If anybody as a clue or any idea I would be gratefull as I really need this server to work. Thanks
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the virtual IP you set up the target of policy #1? If not try it. That should yield better results.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 05-05-2010 11:21 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Jacknight The result is that VLAN Voice lose total communication with Internet. No more call, PING; or DNS querries are possible with these Policies. I tried to enable each policies on its own and it seems that the problem comes from the Policy 1 because as soon as I enable it, Astersik server can no more PING or make any DNS Querry to a public IP address. Though I still can ping my wan1 interface. It' s looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my " Asterisk SIP server" Virtual IP configuration.Wrong, the packets are not blocked by Policy 1 because they are part of a conversation allowed by your internal to external policy. You should debug from the CLI to see the packets flow when you enabled Policy 1 maybe you think they are going out when they really are not.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What firmware you running? Looks like v4.
v4, you can use the SIP ALG without the need to blindly open ports to the internet.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31530&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5123925&stateId=0%200%205125417
simply follow that, remove your VIP rules and it should just work.
Not applicable
Created on 05-07-2010 07:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I would like to thank all of you for your anwers because I don' t see the issue of this.
Is this procedure really correct ???
Is the virtual IP you set up the target of policy #1? If not try it. That should yield better results.Yes it is.
You should debug from the CLI to see the packets flow when you enabled Policy 1 maybe you think they are going out when they really are not.Do you have a set of commands to track this ? Because I don' t know very much CLI.
What firmware you running? Looks like v4.Version 4 MR1
v4, you can use the SIP ALG without the need to blindly open ports to the internet.Actually I followed this, but made a mix with another procedure for version 3.0 MR6 or higher. Maybe I shouldn' t have add a Virtual IP and that' s why it' s not working. The ALG was already set in my config with UTM > Application Control
Name : App_List_SIP Liste Type > White List Category : VoIP Application : SIP Limit REGISTER request : 5 Limit INVITE request : 5 Enable Logging : yes Enable Logging of Violations : YesI will try your advice and remove my Virtual IP. I have a question : to which Policy should I apply this Protection profile ? (the procedure doesn' t give any clues for that) Another question : my Application Control list is a White List does it means that nothing else will go through if I apply it (DNS, HTTP, HTTPS, SMTP, ...) ? Again the procedure just tell to type CLI commands. If I do that the result is a BLACK LIST. Wich would reasonnably result in blocking SIP ! So I' m a bit puzzled
Is this procedure really correct ???
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my setup I have -
ALG configured as described
Internal-Wan Asterisk rule has " traffic shaping" and " Enable VOIP" .
For the traffic shaping I set it to high (I have set global shaping to medium) and reserved bandwidth.
For the VOIP profile I have my SIP settings defined.
Calls work fine in and out. I do not want anonymous call to my Asterisk server, so only trunks that are registered will work, not sure if anonymous calling is something you want in your setup, if it is, then you may need the VIP but ensure your asterisk box is secured well, I' ve heard too many stories of internet presented IP enabled PBXs being used by spammers, leaving you with a very nasty phone bill. If you end up using the VIP, the following IPS sigs might be of use -
F-SBID(--name SIP.Options.Scan.UDP; --protocol UDP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.Options.Scan.TCP; --protocol TCP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.TCP; --protocol TCP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; )
Cheers,
Lachlan.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for share the signatures.
regards
/ Abel
regards
/ Abel
Not applicable
Created on 05-11-2010 06:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Lachlan,
Thank you for your answer.
I' m not sure I got what your meaning.
Did you meant that you applied the Protection Profile (containing the ALG) only on THE outgoing Policy ? (Internal-to-wan)
You set as well " Trafic shaping" and what is this " Enable VOIP" (are you talking about the Protection profile?) ?
I need to test anonymous call as well. But only with registered friends/peers and limited to local call. And my bill is a prepaid account. So I keep control of my amount of bill-communications.
I m' sorry, I don' t understand this text. It is a CLI command, is it ? Or an IPTable firewall shell command ?
the following IPS sigs might be of use - F-SBID(--name SIP.Options.Scan.UDP; --protocol UDP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; ) F-SBID(--name SIP.Options.Scan.TCP; --protocol TCP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; ) F-SBID(--name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; ) F-SBID(--name SIP.User.Password.Guessing.TCP; --protocol TCP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; )Thanks a gain for your help.
Not applicable
Created on 05-11-2010 11:17 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for share the signatures.? I' m sorry I dont understand what you mean. By the way I tried the policies and protection profiles without the ALG and the result was the same : connectivity loss with Internet. So I' m wondering if my problem rather come from the Protection profile instead of the ALG or whatever ???
config firewall profile
edit " SIP_Profile"
set ftp splice
unset http
unset https
set imap fragmail spamfssubmit
set pop3 fragmail spamfssubmit
set smtp fragmail spamfssubmit splice
unset nntp
set application-list-status enable
set application-list " App_list_SIP"
config app-recognition
edit " http"
set port 80
next
edit " https"
set port 443
next
edit " smtp"
set port 25
next
edit " pop3"
set port 110
next
edit " imap"
set port 143
next
edit " nntp"
set port 119
next
edit " ftp"
set port 21
next
end
unset im
unset http-post-lang
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m possibly running a different firmware to you the relevant configs for my asterisk box is -
config firewall policy
edit 42
set srcintf " Internal 1"
set dstintf " Wan 1"
set srcaddr " Trixbox"
set dstaddr " all"
set action accept
set utm-status enable
set schedule " always"
set service " ANY"
set voip-profile " SIP"
set traffic-shaper " VOIP-ToExternal"
set ips-sensor " Servers"
set nat enable
next
end
config voip profile
edit " SIP"
config sip
set register-rate 100
set invite-rate 100
set log-call-summary disable
end
config sccp
set log-violations enable
set max-calls 100
end
next
end
Removed the sip session helper as per the KB article above, then ignored the rest of the KB article as it didn' t apply to my firmware version but should work on yours.
Check the admin guide on how to use the IPS signatures.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Traffic Shaping Configuration Issue Affecting ... 97 Views
- SSLVPN on VDOM 775 Views
- Configuration on FortiGate verses FortiManager 170 Views
- Seeking Guidance on Configuring DHCP Relay... 261 Views
- Fortigate 40F Slow Upload Speeds 163 Views
Labels
-
FortiGate
8,475 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
458 -
FortiSwitch
457 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
179 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.