[solved] How to configure Fortigate with SIP for an Asterisk server

Hi everyone, I'm trying to configure my Fortigate so that it lets my Asterisk server perform VoIP calls on the Internet.

My Fortigate 50B is connected to the Internet with interface WAN1 via a modem in transparent mode (so the firewall gets a public IP from my ISP). On the internal interface of the Fortigate, a Nortel Business Ethernet Switch 50 is connected. VLAN "80" (192.168.80.1) is configured on the internal port of the firewall and on the switch port it is connected to. On the Nortel switch ports of VLAN "80", an Asterisk server (192.168.80.8) and 2 IP phones (192.168.80.51 and 192.168.80.52) are connected. The internal interface is set with 192.168.2.1/24.

Concerning policies, I just open everything from inside to outside. This means Source=all, Destination=all, Services=any for the following interfaces:
 VLAN 80 to wan1
 Internal to Wan1

I set up a Virtual IP: Firewall > VIP
Name : Asterisk SIP server
 External interface : Wan1
 Type : static NAT
 External IP address : 0.0.0.0
 Mapped IP address : 192.168.80.8
 Port forwarding not ticked/checked
HTTP, HTTPS, PING and DNS communication from VLAN 80 to the Internet do work well. Asterisk can perform DNS queries without issue. Asterisk has 1 SIP trunk to two different SIP providers. The config has been checked and works perfectly well without the Fortigate firewall in between. It also works perfectly well with a basic firewall forwarding the appropriate port 5060 and RTP ports 10000-10008 to Asterisk: Asterisk can send calls and receive calls. However, with the Fortigate 50B in between with the above described configuration, only the outgoing SIP calls/dialogs from inside to the SIP provider are working. Incoming SIP calls fail.

So I did what was advised by the guide to perform SIP calls. I added the two following policies:

Firewall > Policy 1
Source interface : wan1
 Source address : all
 Destination interface : VLAN Voice
 Destination address : Asterisk SIP server
 Schedule : always
 Service : SIP
 Action : Accept
 
Firewall > Policy 2
Source interface : VLAN Voice
 Source address : all
 Destination interface : wan1
 Destination address : all
 Schedule : always
 Service : SIP
 Action : Accept
 NAT : enabled
 Protection profile : SIP_Profile
 
Firewall > Protection profile
Name : SIP_Profile
 Application Control > Application Black/White List : App_list_SIP
 Logging > Log Application Control : yes
UTM > Application Control
Name : App_List_SIP
 List Type > White List
 
 Category : VoIP
 Application : SIP
 Limit REGISTER request : 5
 Limit INVITE request : 5
 Enable Logging : yes
 Enable Logging of Violations : Yes
I also removed the SIP session-helper as advised:
config system session-helper
    delete 20
end

config system settings
    set sip-helper disable
    set sip-nat-trace disable
end
I restarted the FortiGate for the changes to take effect. The result is that VLAN Voice loses all communication with the Internet. No more calls, PING or DNS queries are possible with these policies. I tried to enable each policy on its own and it seems that the problem comes from Policy 1, because as soon as I enable it, the Asterisk server can no longer PING or make any DNS query to a public IP address. Though I can still ping my wan1 interface. It looks like the ping-response packets on the way back are just blocked by this policy. The problem could also come from my "Asterisk SIP server" Virtual IP configuration.

If anybody has a clue or any idea I would be grateful, as I really need this server to work. Thanks
rwpatterson
Valued Contributor III

Is the virtual IP you set up the target of policy #1? If not try it. That should yield better results.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

ORIGINAL: Jacknight The result is that VLAN Voice loses all communication with the Internet. No more calls, PING or DNS queries are possible with these policies. I tried to enable each policy on its own and it seems that the problem comes from Policy 1, because as soon as I enable it, the Asterisk server can no longer PING or make any DNS query to a public IP address. Though I can still ping my wan1 interface. It looks like the ping-response packets on the way back are just blocked by this policy. The problem could also come from my "Asterisk SIP server" Virtual IP configuration.
Wrong, the packets are not blocked by Policy 1 because they are part of a conversation allowed by your internal-to-external policy. You should debug from the CLI to see the packet flow when you enable Policy 1; maybe you think they are going out when they really are not.
lmuir
New Contributor

What firmware are you running? Looks like v4. In v4 you can use the SIP ALG without the need to blindly open ports to the Internet. http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31530&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5123925&stateId=0%200%205125417 Simply follow that, remove your VIP rules and it should just work.
Not applicable

First, I would like to thank all of you for your answers, because I don't see the cause of this.
Is the virtual IP you set up the target of policy #1? If not try it. That should yield better results.
Yes it is.
You should debug from the CLI to see the packets flow when you enabled Policy 1 maybe you think they are going out when they really are not.
Do you have a set of commands to track this ? Because I don' t know very much CLI.
What firmware are you running? Looks like v4.
Version 4 MR1
In v4 you can use the SIP ALG without the need to blindly open ports to the Internet.
Actually I followed this, but made a mix with another procedure for version 3.0 MR6 or higher. Maybe I shouldn't have added a Virtual IP and that's why it's not working. The ALG was already set in my config with UTM > Application Control
Name : App_List_SIP
   List Type > White List
   Category : VoIP
   Application : SIP
   Limit REGISTER request : 5
   Limit INVITE request : 5
   Enable Logging : yes
   Enable Logging of Violations : Yes
 
I will try your advice and remove my Virtual IP. I have a question: to which policy should I apply this protection profile? (The procedure doesn't give any clues for that.) Another question: my Application Control list is a White List; does it mean that nothing else will go through if I apply it (DNS, HTTP, HTTPS, SMTP, ...)? Again, the procedure just tells me to type CLI commands. If I do that the result is a BLACK LIST, which would reasonably result in blocking SIP! So I'm a bit puzzled. Is this procedure really correct???
lmuir
New Contributor

In my setup I have:
 - ALG configured as described
 - Internal-Wan Asterisk rule has "traffic shaping" and "Enable VOIP"

For the traffic shaping I set it to high (I have set global shaping to medium) and reserved bandwidth. For the VOIP profile I have my SIP settings defined. Calls work fine in and out.

I do not want anonymous calls to my Asterisk server, so only trunks that are registered will work. Not sure if anonymous calling is something you want in your setup; if it is, then you may need the VIP, but ensure your Asterisk box is secured well. I've heard too many stories of Internet-presented IP-enabled PBXs being used by spammers, leaving you with a very nasty phone bill.

If you end up using the VIP, the following IPS sigs might be of use:
F-SBID(--name SIP.Options.Scan.UDP; --protocol UDP; --service SIP; --flow from_client; --pattern "OPTIONS"; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.Options.Scan.TCP; --protocol TCP; --service SIP; --flow from_client; --pattern "OPTIONS"; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern "SIP/2.0 4"; --context header; --within 9,context; --pcre "/^\d{2}/"; --context header; --distance 0; --rate 100,60; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.TCP; --protocol TCP; --service SIP; --flow from_server,reversed; --pattern "SIP/2.0 4"; --context header; --within 9,context; --pcre "/^\d{2}/"; --context header; --distance 0; --rate 100,60; --track src_ip; )

Cheers, Lachlan.
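As an added illustration that is not part of this thread or of FortiGate, here is the logic of Lachlan's four signatures (same thresholds: 30 OPTIONS in 3 s, 100 4xx replies in 60 s, tracked per client IP) written as a small Python detector you could run offline over SIP logs exported from the PBX. The log line format and the sample lines are constructed for the example, and "from_server,reversed" is interpreted as tracking the client that receives the 4xx replies:

```python
import re
from collections import defaultdict, deque

# Thresholds copied from the signatures above: --rate 30,3 and --rate 100,60.
OPTIONS_RATE = (30, 3)    # 30 OPTIONS requests from one source within 3 seconds
REJECT_RATE = (100, 60)   # 100 4xx replies sent to one client within 60 seconds

# Constructed log format (an assumption): "<epoch> <src_ip> <dst_ip> <SIP start line>"
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (.+)$")
OPTIONS_RE = re.compile(r"^OPTIONS sip:")      # --pattern "OPTIONS" in the request URI
REJECT_RE = re.compile(r"^SIP/2\.0 4\d{2} ")   # --pattern "SIP/2.0 4" plus --pcre "/^\d{2}/"

class SipRateDetector:
    """Sliding-window counter per tracked IP, like --track src_ip in the signatures."""
    def __init__(self):
        self.options = defaultdict(deque)
        self.rejects = defaultdict(deque)

    def _over_rate(self, table, key, ts, rate):
        count, window = rate
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        return len(q) >= count

    def feed(self, line):
        """Return an alert string when this line crosses a threshold, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, src, dst, msg = float(m[1]), m[2], m[3], m[4]
        if OPTIONS_RE.match(msg) and self._over_rate(self.options, src, ts, OPTIONS_RATE):
            return f"SIP.Options.Scan from {src}"
        # 4xx replies travel server -> client, so the guessing client is the destination.
        if REJECT_RE.match(msg) and self._over_rate(self.rejects, dst, ts, REJECT_RATE):
            return f"SIP.User.Password.Guessing from {dst}"
        return None

def scan(lines):
    # Run the detector over log lines and return the distinct alerts, in order.
    det, alerts = SipRateDetector(), []
    for line in lines:
        alert = det.feed(line)
        if alert and alert not in alerts:
            alerts.append(alert)
    return alerts

# Constructed sample: an OPTIONS burst, 100 failed registrations, then one benign probe.
SAMPLE = [f"{1000 + i * 0.1:.1f} 203.0.113.9 192.168.80.8 OPTIONS sip:192.168.80.8 SIP/2.0" for i in range(30)]
SAMPLE += [f"{2000 + i * 0.5:.1f} 192.168.80.8 203.0.113.7 SIP/2.0 401 Unauthorized" for i in range(100)]
SAMPLE += ["3000.0 198.51.100.4 192.168.80.8 OPTIONS sip:192.168.80.8 SIP/2.0"]
```

Calling scan(SAMPLE) reports one scan alert for 203.0.113.9 and one password-guessing alert for 203.0.113.7; the single probe from 198.51.100.4 stays below the rate and is not reported.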
abelio

Thanks for sharing the signatures.

regards / Abel
Not applicable

Hello Lachlan, Thank you for your answer. I'm not sure I got your meaning. Did you mean that you applied the Protection Profile (containing the ALG) only on THE outgoing policy (Internal-to-wan)? You also set "Traffic shaping", and what is this "Enable VOIP" (are you talking about the Protection profile)? I need to test anonymous calls as well, but only with registered friends/peers and limited to local calls. And my bill is a prepaid account, so I keep control of the amount of my communications bill. I'm sorry, I don't understand this text. Is it a CLI command? Or an iptables firewall shell command?
the following IPS sigs might be of use -
F-SBID(--name SIP.Options.Scan.UDP; --protocol UDP; --service SIP; --flow from_client; --pattern "OPTIONS"; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.Options.Scan.TCP; --protocol TCP; --service SIP; --flow from_client; --pattern "OPTIONS"; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern "SIP/2.0 4"; --context header; --within 9,context; --pcre "/^\d{2}/"; --context header; --distance 0; --rate 100,60; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.TCP; --protocol TCP; --service SIP; --flow from_server,reversed; --pattern "SIP/2.0 4"; --context header; --within 9,context; --pcre "/^\d{2}/"; --context header; --distance 0; --rate 100,60; --track src_ip; )
Thanks again for your help.
Not applicable

Thanks for sharing the signatures.
? I'm sorry, I don't understand what you mean. By the way, I tried the policies and protection profiles without the ALG and the result was the same: connectivity loss with the Internet. So I'm wondering if my problem rather comes from the Protection profile instead of the ALG or whatever???
config firewall profile
    edit "SIP_Profile"
        set ftp splice
        unset http
        unset https
        set imap fragmail spamfssubmit
        set pop3 fragmail spamfssubmit
        set smtp fragmail spamfssubmit splice
        unset nntp
        set application-list-status enable
        set application-list "App_list_SIP"
        config app-recognition
            edit "http"
                set port 80
            next
            edit "https"
                set port 443
            next
            edit "smtp"
                set port 25
            next
            edit "pop3"
                set port 110
            next
            edit "imap"
                set port 143
            next
            edit "nntp"
                set port 119
            next
            edit "ftp"
                set port 21
            next
        end
        unset im
        unset http-post-lang
    next
end
 
lmuir
New Contributor

I'm possibly running a different firmware to you; the relevant configs for my Asterisk box are:
config firewall policy
    edit 42
        set srcintf "Internal 1"
        set dstintf "Wan 1"
        set srcaddr "Trixbox"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set voip-profile "SIP"
        set traffic-shaper "VOIP-ToExternal"
        set ips-sensor "Servers"
        set nat enable
    next
end

config voip profile
    edit "SIP"
        config sip
            set register-rate 100
            set invite-rate 100
            set log-call-summary disable
        end
        config sccp
            set log-violations enable
            set max-calls 100
        end
    next
end

Removed the SIP session helper as per the KB article above, then ignored the rest of the KB article as it didn't apply to my firmware version, but it should work on yours. Check the admin guide on how to use the IPS signatures.