Created on 05-05-2010 08:07 AM
Name : Asterisk SIP server External interface : Wan1 Type : static NAT External IP address : 0.0.0.0 Mapped IP addres : 192.168.80.8 Port fowarding not ticked/checked---- HTTPS, HTTPS, PING and DNS communication from VLAN 80 to Internet do work well. Asterisk can perform DNS queries without issue. Asterisk as 1 SIP trunk to two different SIP providers. Config has been checked and work perfectly well without Fortigate Firewall in between. It works as well perfectly well with a basic Firewall forwarding appropriate port 5060 and rtp ports 10000-10008 to Asterisk. Asterisk can send calls and receive calls. However with the Fortigate 50B in between with the above described configuration, only the outgoing SIP calls/dialog from inside to SIP provider are working. Incoming SIP calls fail. So I did what was advised by the guide to perform SIP call. I added the two following policies : Firewall > Policy 1
Source interface : wan1 Source address : all Destination interface : VLAN Voice Destination address : Asterisk SIP server Schedule : always Service : SIP Action : AcceptFirewall > Policy 2
Source interface : VLAN Voice Source address : all Destination interface : wan1 Destination address : all Schedule : always Service : SIP Action : Accept NAT : enabled Protection profile : SIP_ProfileFirewall > Protection profile
Name : SIP_Profile Application Control > Application Black/White List : App_list_SIP Logging > Log Application Control : yesUTM > Application Control
Name : App_List_SIP Liste Type > White List Category : VoIP Application : SIP Limit REGISTER request : 5 Limit INVITE request : 5 Enable Logging : yes Enable Logging of Violations : YesI as well removed the SIP session-helper as adviced :
config system session-helper delete 20 end config system settings set sip-helper disable set set sip-nat-trace disable endI restarted the FortiGate for changes to take effect. The result is that VLAN Voice lose total communication with Internet. No more call, PING; or DNS querries are possible with these Policies. I tried to enable each policies on its own and it seems that the problem comes from the Policy 1 because as soon as I enable it, Astersik server can no more PING or make any DNS Querry to a public IP address. Though I still can ping my wan1 interface. It' s looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my " Asterisk SIP server" Virtual IP configuration. If anybody as a clue or any idea I would be gratefull as I really need this server to work. Thanks
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Created on 05-05-2010 11:21 AM
ORIGINAL: Jacknight The result is that VLAN Voice lose total communication with Internet. No more call, PING; or DNS querries are possible with these Policies. I tried to enable each policies on its own and it seems that the problem comes from the Policy 1 because as soon as I enable it, Astersik server can no more PING or make any DNS Querry to a public IP address. Though I still can ping my wan1 interface. It' s looks like the ping-response packets on the way back are just blocked by this policy. The problem could as well come from my " Asterisk SIP server" Virtual IP configuration.Wrong, the packets are not blocked by Policy 1 because they are part of a conversation allowed by your internal to external policy. You should debug from the CLI to see the packets flow when you enabled Policy 1 maybe you think they are going out when they really are not.
Created on 05-07-2010 07:24 AM
Is the virtual IP you set up the target of policy #1? If not try it. That should yield better results.Yes it is.
You should debug from the CLI to see the packets flow when you enabled Policy 1 maybe you think they are going out when they really are not.Do you have a set of commands to track this ? Because I don' t know very much CLI.
What firmware you running? Looks like v4.Version 4 MR1
v4, you can use the SIP ALG without the need to blindly open ports to the internet.Actually I followed this, but made a mix with another procedure for version 3.0 MR6 or higher. Maybe I shouldn' t have add a Virtual IP and that' s why it' s not working. The ALG was already set in my config with UTM > Application Control
Name : App_List_SIP Liste Type > White List Category : VoIP Application : SIP Limit REGISTER request : 5 Limit INVITE request : 5 Enable Logging : yes Enable Logging of Violations : YesI will try your advice and remove my Virtual IP. I have a question : to which Policy should I apply this Protection profile ? (the procedure doesn' t give any clues for that) Another question : my Application Control list is a White List does it means that nothing else will go through if I apply it (DNS, HTTP, HTTPS, SMTP, ...) ? Again the procedure just tell to type CLI commands. If I do that the result is a BLACK LIST. Wich would reasonnably result in blocking SIP ! So I' m a bit puzzled Is this procedure really correct ???
regards
/ Abel
Created on 05-11-2010 06:23 AM
the following IPS sigs might be of use - F-SBID(--name SIP.Options.Scan.UDP; --protocol UDP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; ) F-SBID(--name SIP.Options.Scan.TCP; --protocol TCP; --service SIP; --flow from_client; --pattern " OPTIONS" ; --context uri; --within 7,context; --rate 30,3; --track src_ip; ) F-SBID(--name SIP.User.Password.Guessing.UDP; --protocol UDP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; ) F-SBID(--name SIP.User.Password.Guessing.TCP; --protocol TCP; --service SIP; --flow from_server,reversed; --pattern " SIP/2.0 4" ; --context header; --within 9,context; --pcre " /^\d{2}/" ; --context header; --distance 0; --rate 100,60; --track src_ip; )Thanks a gain for your help.
Created on 05-11-2010 11:17 AM
Thanks for share the signatures.? I' m sorry I dont understand what you mean. By the way I tried the policies and protection profiles without the ALG and the result was the same : connectivity loss with Internet. So I' m wondering if my problem rather come from the Protection profile instead of the ALG or whatever ???
config firewall profile edit " SIP_Profile" set ftp splice unset http unset https set imap fragmail spamfssubmit set pop3 fragmail spamfssubmit set smtp fragmail spamfssubmit splice unset nntp set application-list-status enable set application-list " App_list_SIP" config app-recognition edit " http" set port 80 next edit " https" set port 443 next edit " smtp" set port 25 next edit " pop3" set port 110 next edit " imap" set port 143 next edit " nntp" set port 119 next edit " ftp" set port 21 next end unset im unset http-post-lang next end
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.