Fortinet black logo

FortiVoice Cookbook

Configuring additional settings

Configuring additional settings

In order to provide another level of protection beyond external abuse, there are a number of settings that you can enable to protect the FortiVoice phone system from internal abuse.

Call restrictions and common phones

Restrictions can be put in place based on call types, such as blocking international or toll calls.

  1. Go to Security > User Privilege > User Privilege.
  2. Select a user privilege and click Edit.
  3. Expand Call Restriction and configure the settings accordingly.

Extensions that are placed in common areas, such as store floors and kitchens, should have the highest restriction levels, which include a PIN code to make calls.

  1. Set the appropriate call type to Allowed with Account Code, Allowed with Personal Code, or Allowed with Account and Personal Code.

Interface access

Any access methods that are not being used on the FortiVoice device should be disabled.

  1. Go to System > Network > Network.
  2. Select an interface and click Edit.
  3. Under Advanced Setting, disable any unused Access protocols.

Guest provision protocol

Using HTTPS to provision FortiFone devices with FortiVoice is recommended.

  1. Go to System > Advanced > Auto Provisioning.
  2. Under Auto Provisioning, set Provisioning protocol to HTTPS.

Prohibited prefixes

You may want to outright block certain phone number prefixes, such as 900 (blocked by default) which is commonly used for premium-rate calls, or phone calls with area codes originating from certain regions.

  1. Go to Phone System > Setting > Option.
  2. Under Number Management, add all undesirable prefixes to the System prohibited prefix section.

Trusted hosts for administrators

Certain IP subnets can be designated as allowed or trusted for administrators to log into FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

  1. Go to System > Administrator > Administrator.
  2. Select the administrator and click Edit.
  3. Set Trusted hosts to the local trusted IP subnet (define as many as required).

Trusted hosts for extensions

Certain IP subnets can also be designated as trusted for extensions to register to FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

  1. Go to Phone System > Profile > User Privilege.
  2. Select a user privilege and click Edit.
  3. Expand Advanced Setting, and set Trusted hosts to the local trusted IP subnet (define as many as required).

Unused administrators

Remove administrator profiles that are not in use.

  1. Go to System > Administrator > Administrator.
  2. Select the administrators that are not active and click Delete.

Unused extensions

To avoid the unintentional use of unused extensions, remove those extensions.

  1. Go to Extension > Extension > IP Extension.
  2. Disable the extensions that are not active.

Verify SIP user agent

Restrict phone registration so only phone requests that match the system configured phone type are allowed.

  1. Go to Dashboard > Console and click inside the window to connect to the CLI console.
  2. Enter the following commands:
  3. config system sip-setting

    set verify-user-agent enable

    end

Configuring additional settings

Configuring additional settings

In order to provide another level of protection beyond external abuse, there are a number of settings that you can enable to protect the FortiVoice phone system from internal abuse.

Call restrictions and common phones

Restrictions can be put in place based on call types, such as blocking international or toll calls.

  1. Go to Security > User Privilege > User Privilege.
  2. Select a user privilege and click Edit.
  3. Expand Call Restriction and configure the settings accordingly.

Extensions that are placed in common areas, such as store floors and kitchens, should have the highest restriction levels, which include a PIN code to make calls.

  1. Set the appropriate call type to Allowed with Account Code, Allowed with Personal Code, or Allowed with Account and Personal Code.

Interface access

Any access methods that are not being used on the FortiVoice device should be disabled.

  1. Go to System > Network > Network.
  2. Select an interface and click Edit.
  3. Under Advanced Setting, disable any unused Access protocols.

Guest provision protocol

Using HTTPS to provision FortiFone devices with FortiVoice is recommended.

  1. Go to System > Advanced > Auto Provisioning.
  2. Under Auto Provisioning, set Provisioning protocol to HTTPS.

Prohibited prefixes

You may want to outright block certain phone number prefixes, such as 900 (blocked by default) which is commonly used for premium-rate calls, or phone calls with area codes originating from certain regions.

  1. Go to Phone System > Setting > Option.
  2. Under Number Management, add all undesirable prefixes to the System prohibited prefix section.

Trusted hosts for administrators

Certain IP subnets can be designated as allowed or trusted for administrators to log into FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

  1. Go to System > Administrator > Administrator.
  2. Select the administrator and click Edit.
  3. Set Trusted hosts to the local trusted IP subnet (define as many as required).

Trusted hosts for extensions

Certain IP subnets can also be designated as trusted for extensions to register to FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

  1. Go to Phone System > Profile > User Privilege.
  2. Select a user privilege and click Edit.
  3. Expand Advanced Setting, and set Trusted hosts to the local trusted IP subnet (define as many as required).

Unused administrators

Remove administrator profiles that are not in use.

  1. Go to System > Administrator > Administrator.
  2. Select the administrators that are not active and click Delete.

Unused extensions

To avoid the unintentional use of unused extensions, remove those extensions.

  1. Go to Extension > Extension > IP Extension.
  2. Disable the extensions that are not active.

Verify SIP user agent

Restrict phone registration so only phone requests that match the system configured phone type are allowed.

  1. Go to Dashboard > Console and click inside the window to connect to the CLI console.
  2. Enter the following commands:
  3. config system sip-setting

    set verify-user-agent enable

    end