Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiPhish
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: How to configure Fortigate with SIP for an As...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 05-05-2010 08:07 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[solved] How to configure Fortigate with SIP for an Asterisk server
Hi everyone,
I' m trying to configure my Fortigate in order that it let my Asterisk server perform VoIP call on the Internet.
My Fortigate 50B is connected to Internet with interface WAN1 via a Modem in transparent Mode (so the Firewall get a public IP from my ISP).
On the Internal interface of the Fortigate, a Nortel Business Ethernet switch 50 is connected.
VLAN " 80" (192.168.80.1) is configured on the internal port of the Firewall and on the switch port where it is connected to.
On the Nortel switch ports of the VLAN " 80" an Asterisk server (192.168.80.8) and 2 IP phones are connected (192.168.80.51 and 192.168.80.52).
Internal interface is set with 192.168.2.1 / 24.
Concerning Policies, I juste open everything from inside to outside.
This mean Source=all, Destination=all, Services=any for the following interfaces :
VLAN 80 to wan1
Internal to Wan1
I setup a Virtual IP :
Firewall > VIP
Name : Asterisk SIP server External interface : Wan1 Type : static NAT External IP address : 0.0.0.0 Mapped IP addres : 192.168.80.8 Port fowarding not ticked/checked---- HTTPS, HTTPS, PING and DNS communication from VLAN 80 to Internet do work well. Asterisk can perform DNS queries without issue. Asterisk as 1 SIP trunk to two different SIP providers. Config has been checked and work perfectly well without Fortigate Firewall in between. It works as well perfectly well with a basic Firewall forwarding appropriate port 5060 and rtp ports 10000-10008 to Asterisk. Asterisk can send calls and receive calls. However with the Fortigate 50B in between with the above described configuration, only the outgoing SIP calls/dialog from inside to SIP provider are working. Incoming SIP calls fail. So I did what was advised by the guide to perform SIP call. I added the two following policies : Firewall > Policy 1
Source interface : wan1 Source address : all Destination interface : VLAN Voice Destination address : Asterisk SIP server Schedule : always Service : SIP Action : AcceptFirewall > Policy 2
Source interface : VLAN Voice Source address : all Destination interface : wan1 Destination address : all Schedule : always Service : SIP Action : Accept NAT : enabled Protection profile : SIP_ProfileFirewall > Protection profile
Name : SIP_Profile Application Control > Application Black/White List : App_list_SIP Logging > Log Application Control : yesUTM > Application Control
Name : App_List_SIP Liste Type > White List Category : VoIP Application : SIP Limit REGISTER request : 5 Limit INVITE request : 5 Enable Logging : yes Enable Logging of Violations : YesI as well removed the SIP session-helper as adviced :
config system session-helper delete 20 end config system settings set sip-helper disable set set sip-nat-trace disable endI restarted the FortiGate for changes to take effect. The result is that VLAN Voice lose total communication with Internet. No more call, PING; or DNS querries are possible with these Policies. I tried to enable each policies on its own and it seems that the problem comes from the Policy 1 because as soon as I enable it, Astersik server can no more PING or make any DNS Querry to a public IP address. Though I still can ping my wan1 interface. It' s looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my " Asterisk SIP server" Virtual IP configuration. If anybody as a clue or any idea I would be gratefull as I really need this server to work. Thanks
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the virtual IP you set up the target of policy #1? If not try it. That should yield better results.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 05-05-2010 11:21 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Jacknight The result is that VLAN Voice lose total communication with Internet. No more call, PING; or DNS querries are possible with these Policies. I tried to enable each policies on its own and it seems that the problem comes from the Policy 1 because as soon as I enable it, Astersik server can no more PING or make any DNS Querry to a public IP address. Though I still can ping my wan1 interface. It' s looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my " Asterisk SIP server" Virtual IP configuration.Wrong, the packets are not blocked by Policy 1 because they are part of a conversation allowed by your internal to external policy. You should debug from the CLI to see the packets flow when you enabled Policy 1 maybe you think they are going out when they really are not.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What firmware you running? Looks like v4.
v4, you can use the SIP ALG without the need to blindly open ports to the internet.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31530&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5123925&stateId=0%200%205125417
simply follow that, remove your VIP rules and it should just work.
Not applicable
Created on 05-07-2010 07:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I would like to thank all of you for your anwers because I don' t see the issue of this.
Is this procedure really correct ???
Is the virtual IP you set up the target of policy #1? If not try it. That should yield better results.Yes it is.
You should debug from the CLI to see the packets flow when you enabled Policy 1 maybe you think they are going out when they really are not.Do you have a set of commands to track this ? Because I don' t know very much CLI.
What firmware you running? Looks like v4.Version 4 MR1
v4, you can use the SIP ALG without the need to blindly open ports to the internet.Actually I followed this, but made a mix with another procedure for version 3.0 MR6 or higher. Maybe I shouldn' t have add a Virtual IP and that' s why it' s not working. The ALG was already set in my config with UTM > Application Control
Name : App_List_SIP Liste Type > White List Category : VoIP Application : SIP Limit REGISTER request : 5 Limit INVITE request : 5 Enable Logging : yes Enable Logging of Violations : YesI will try your advice and remove my Virtual IP. I have a question : to which Policy should I apply this Protection profile ? (the procedure doesn' t give any clues for that) Another question : my Application Control list is a White List does it means that nothing else will go through if I apply it (DNS, HTTP, HTTPS, SMTP, ...) ? Again the procedure just tell to type CLI commands. If I do that the result is a BLACK LIST. Wich would reasonnably result in blocking SIP ! So I' m a bit puzzled
Is this procedure really correct ???
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my setup I have -
ALG configured as described
Internal-Wan Asterisk rule has " traffic shaping" and " Enable VOIP" .
For the traffic shaping I set it to high (I have set global shaping to medium) and reserved bandwidth.
For the VOIP profile I have my SIP settings defined.
Calls work fine in and out. I do not want anonymous call to my Asterisk server, so only trunks that are registered will work, not sure if anonymous calling is something you want in your setup, if it is, then you may need the VIP but ensure your asterisk box is secured well, I' ve heard too many stories of internet presented IP enabled PBXs being used by spammers, leaving you with a very nasty phone bill. If you end up using the VIP, the following IPS sigs might be of use -
F-SBID(--name SIP.Options.Scan.UDP; --protocol UDP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.Options.Scan.TCP; --protocol TCP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; )
F-SBID(--name SIP.User.Password.Guessing.TCP; --protocol TCP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; )
Cheers,
Lachlan.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for share the signatures.
regards
/ Abel
regards
/ Abel
Not applicable
Created on 05-11-2010 06:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Lachlan,
Thank you for your answer.
I' m not sure I got what your meaning.
Did you meant that you applied the Protection Profile (containing the ALG) only on THE outgoing Policy ? (Internal-to-wan)
You set as well " Trafic shaping" and what is this " Enable VOIP" (are you talking about the Protection profile?) ?
I need to test anonymous call as well. But only with registered friends/peers and limited to local call. And my bill is a prepaid account. So I keep control of my amount of bill-communications.
I m' sorry, I don' t understand this text. It is a CLI command, is it ? Or an IPTable firewall shell command ?
the following IPS sigs might be of use - F-SBID(--name SIP.Options.Scan.UDP; --protocol UDP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; ) F-SBID(--name SIP.Options.Scan.TCP; --protocol TCP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; ) F-SBID(--name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; ) F-SBID(--name SIP.User.Password.Guessing.TCP; --protocol TCP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; )Thanks a gain for your help.
Not applicable
Created on 05-11-2010 11:17 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for share the signatures.? I' m sorry I dont understand what you mean. By the way I tried the policies and protection profiles without the ALG and the result was the same : connectivity loss with Internet. So I' m wondering if my problem rather come from the Protection profile instead of the ALG or whatever ???
config firewall profile
edit " SIP_Profile"
set ftp splice
unset http
unset https
set imap fragmail spamfssubmit
set pop3 fragmail spamfssubmit
set smtp fragmail spamfssubmit splice
unset nntp
set application-list-status enable
set application-list " App_list_SIP"
config app-recognition
edit " http"
set port 80
next
edit " https"
set port 443
next
edit " smtp"
set port 25
next
edit " pop3"
set port 110
next
edit " imap"
set port 143
next
edit " nntp"
set port 119
next
edit " ftp"
set port 21
next
end
unset im
unset http-post-lang
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m possibly running a different firmware to you the relevant configs for my asterisk box is -
config firewall policy
edit 42
set srcintf " Internal 1"
set dstintf " Wan 1"
set srcaddr " Trixbox"
set dstaddr " all"
set action accept
set utm-status enable
set schedule " always"
set service " ANY"
set voip-profile " SIP"
set traffic-shaper " VOIP-ToExternal"
set ips-sensor " Servers"
set nat enable
next
end
config voip profile
edit " SIP"
config sip
set register-rate 100
set invite-rate 100
set log-call-summary disable
end
config sccp
set log-violations enable
set max-calls 100
end
next
end
Removed the sip session helper as per the KB article above, then ignored the rest of the KB article as it didn' t apply to my firmware version but should work on yours.
Check the admin guide on how to use the IPS signatures.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,042 -
FortiClient
1,611 -
5.2
801 -
FortiManager
679 -
5.4
639 -
FortiAnalyzer
516 -
FortiAP
425 -
FortiSwitch
424 -
6.0
416 -
FortiClient EMS
364 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
188 -
SSL-VPN
176 -
FortiNAC
161 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiCloud Products
94 -
FortiSIEM
92 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
40 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
25 -
Authentication
25 -
FortiWAN
24 -
FortiConverter
24 -
RADIUS
24 -
FortiGate v5.2
23 -
VDOM
23 -
FortiLink
23 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Application control
18 -
FortiMonitor
16 -
Traffic shaping
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Admin
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
IPS signature
8 -
System settings
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
Application signature
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1475 | |
| 1007 | |
| 749 | |
| 443 | |
| 207 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.