Recommended Fortinet Firewall Settings

Recommended Fortinet Firewall Settings

Please pay particular attention to spaces and dashes in the CLI based steps, or you may receive error warnings.

From the Fortinet Appliance Command Line Interface

Remove SIP Helper

  1. In the Command Line Interface (CLI) run the following commands:
    • config system session-helper
    • show
       
  2. Notice that edit 13 contains SIP:
    mceclip0.png
     
  3. Enter the following commands:
    • delete 13
    • end

 

Disable SIP-ALG

In the Command Line Interface (CLI) run the following commands:

  • config system settings
  • set default-voip-alg-mode kernel-helper-based
  • set sip-helper disable
  • set sip-nat-trace disable
  • end

mceclip1.png

Reboot the Router while using the Web GUI under Status, or in the CLI with the following command:

  • execute reboot

 

Disable Strict Register

Strict Register forces VoIP devices through a pinhole at port 65476 and will cause duplicate porting to occur.

To disable this setting, run the following command in the Command Line Interface (CLI):

  • config voip profile
  • edit <Profile_name>
  • config sip
  • set strict-register disable
  • end

mceclip2.png

From the Fortinet Appliance GUI / UX

Enable Traffic Shaping

  1. Go to SYSTEM > FEATURE VISIBILITY
     
  2. Enable Traffic Shaping and VoIP under the ADDITIONAL FEATURES column like so:
    mceclip3.png
     
  3. Left single mouse-click APPLY to finalize the changes.
     

Set Inspection Mode to Proxy

  1. Go to SYSTEM > SETTINGS and scroll down to almost the bottom of the page.
     
  2. Look for the option Inspection Mode and left single mouse-click on the option PROXY (this allows you to build VoIP proxies):
    mceclip4.png
     
  3. Left single mouse-click APPLY to finalize the changes made.
     

Create a VoIP Traffic Shaper

  1. Left single mouse-click on CREATE NEW
    mceclip5.png
     
  2. Fill in the information and enable the settings as shown above.
     
  3. Left single mouse-click on OK to finalize the changes.
     

Create Primecall VoIP Addresses, Services, and Address Groups

Primecall VoIP

Public Subnets

 

·      199.71.209.0/24

·      24.227.249.0/25

·      72.249.136.32/28

·      206.123.122.32/27

·      212.69.157.32/27

·      40.143.31.64/27

Ports - Primecall Platform

 

·    5060-5062 UDP - SIP

·    20,000-40,000 UDP - RTP

 

Ports - Enswitch 1 and 2 Platforms

·      5060-5062 UDP - SIP

·      10,000-20,000 UDP – RTP

 

Addresses

  1. Navigate to POLICY AND OBJECTS > ADDRESSES and perform the following steps for each of the Primecall VoIP IP Public Subnets referenced above.
     
  2. Left single mouse-click on CREATE NEW > ADDRESS
    mceclip7.png
     
  3. Give the Address a name. (It is suggested to use a descriptive name such as the one used in this example)
    mceclip8.png
     
  4. Fill in the SUBNET / IP RANGE with ONE of the addresses.
     
  5. Left single mouse-click OK

     

Address Group

mceclip9.png

mceclip10.png

  1. Navigate to POLICY AND OBJECTS > ADDRESSES and perform the following:
  2. Left single mouse-click on CREATE NEW > ADDRESS Group
  3. Give the Address Group a name. (It is suggested to use a descriptive name such as the one used in this example)
  4. Left single mouse-click the + sign under the Members object.
  5. Left single mouse-click on each of the Primecall VOIP Address Objects you created in the previous step.
  6. Once you have selected all of the addresses look for the Close button at the bottom of the Select Entries and left single mouse-click.
     

Services/Ports

  1. Navigate to SERVICES
     
  2. Left single mouse-click on CREATE NEW > SERVICE
    mceclip11.png
     
  3. Give the Service a name. (It is suggested to use a descriptive name such as the one used in this example)
    mceclip12.png
  4. Set the PROTOCOL TYPE as shown above.
     
  5. Ensure the ADDRESS is set for IP RANGE.
     
  6. Select the appropriate port type.
    • Fill in the appropriate port information for each port described under Ports - Primecall Platform & Ports - Enswitch 1 and 2 Platforms.
    • Fill in the SUBNET / IP RANGE with ONE of the addresses.
    • Left single mouse-click OK

       

Create an IPv4 Policy for Primecall

  • Navigate to POLICY AND OBJECTS > IPv4 POLICY
     
  • Left single mouse-click on CREATE NEW:
    mceclip13.png
     
  • Give the Policy a name. (It is suggested to use a descriptive name such as the one used in this example)
    mceclip14.png
  • Configure settings as shown above. NOTE: You may use a different name for the internal connection depending on how your device is configured. Use the appropriate LAN connection for your configuration.
     
  • Ensure the policy is active or turn it on once you apply the settings.
     
  • Left single mouse-click OK
     

Set the Register, Invite, and SCCP Request Limits

  1. Navigate to SECURITY PROFILES > VoIP
    mceclip15.png
     
  2. Set the “REGISTER” Requests Limit and “INVITE” Requests Limit to the value specified by your installation technician.
    • 300 can be used if the exact value is not known.
       
  3. If necessary, set the SCCP limit as well. 
     

Create and Edit a Traffic Shaping Policy

  1. Navigate to TRAFFIC SHAPING POLICY
    mceclip16.png
     
  2. Select CREATE NEW to show the menu for configuring the policy:
    mceclip17.png
     
  3. Complete the policy as shown above.

Pay careful attention to the SIP and VOIP selections as they may be in different locations depending on the age, and firmware version of your Fortinet.

Ensure you select the name of the Policy / Traffic Shaper you created earlier.

Congratulations! You have completed the pre-engagement setup.

If you have issues or questions with the configurations described above, a good first point of contact is to call our Primecall technical support team at 844.59PRIME (844.597-7463). Another excellent option is to call Fortinet at 

Please be aware that your device must have an active Maintenance and Support Agreement in effect for Fortinet's services.

Was this article helpful?


    • Related Articles

    • Recommended Fortinet Firewall Settings

      Please pay particular attention to spaces and dashes in the CLI based steps, or you may receive error warnings. From the Fortinet Appliance Command Line Interface Remove SIP Helper In the Command Line Interface (CLI) run the following commands: ...

    • Recommended Fortinet Firewall Settings

      Please pay particular attention to spaces and dashes in the CLI based steps, or you may receive error warnings. From the Fortinet Appliance Command Line Interface Remove SIP Helper In the Command Line Interface (CLI) run the following commands: ...

    • Recommended Fortinet Firewall Settings

      Please pay particular attention to spaces and dashes in the CLI based steps, or you may receive error warnings. From the Fortinet Appliance Command Line Interface Remove SIP Helper In the Command Line Interface (CLI) run the following commands: ...

    • Recommended Unifi Firewall Settings

      Configure Your Unifi Firewall for VoIP WARNING: Configuring the settings of your USG may result in a restart. It is recommended to perform these changes in your after hours. Create a Smart Queue A Smart Queue option is available with UniFi Security ...

    • Recommended Unifi Firewall Settings

      Configure Your Unifi Firewall for VoIP WARNING: Configuring the settings of your USG may result in a restart. It is recommended to perform these changes in your after hours. Create a Smart Queue A Smart Queue option is available with UniFi Security ...