Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiVoice Cookbook

    Home FortiVoice 6.0.7 FortiVoice Cookbook
    6.0.7
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4

    Configuring additional settings

    Configuring additional settings

    In order to provide another level of protection beyond external abuse, there are a number of settings that you can enable to protect the FortiVoice phone system from internal abuse.

    Call restrictions and common phones

    Restrictions can be put in place based on call types, such as blocking international or toll calls.

    1. Go to Security > User Privilege > User Privilege.
    2. Select a user privilege and click Edit.
    3. Expand Call Restriction and configure the settings accordingly.

    Extensions that are placed in common areas, such as store floors and kitchens, should have the highest restriction levels, which include a PIN code to make calls.

    1. Set the appropriate call type to Allowed with Account Code, Allowed with Personal Code, or Allowed with Account and Personal Code.

    Interface access

    Any access methods that are not being used on the FortiVoice device should be disabled.

    1. Go to System > Network > Network.
    2. Select an interface and click Edit.
    3. Under Advanced Setting, disable any unused Access protocols.

    Guest provision protocol

    Using HTTPS to provision FortiFone devices with FortiVoice is recommended.

    1. Go to System > Advanced > Auto Provisioning.
    2. Under Auto Provisioning, set Provisioning protocol to HTTPS.

    Prohibited prefixes

    You may want to outright block certain phone number prefixes, such as 900 (blocked by default) which is commonly used for premium-rate calls, or phone calls with area codes originating from certain regions.

    1. Go to Phone System > Setting > Option.
    2. Under Number Management, add all undesirable prefixes to the System prohibited prefix section.

    Trusted hosts for administrators

    Certain IP subnets can be designated as allowed or trusted for administrators to log into FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

    1. Go to System > Administrator > Administrator.
    2. Select the administrator and click Edit.
    3. Set Trusted hosts to the local trusted IP subnet (define as many as required).

    Trusted hosts for extensions

    Certain IP subnets can also be designated as trusted for extensions to register to FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

    1. Go to Phone System > Profile > User Privilege.
    2. Select a user privilege and click Edit.
    3. Expand Advanced Setting, and set Trusted hosts to the local trusted IP subnet (define as many as required).

    Unused administrators

    Remove administrator profiles that are not in use.

    1. Go to System > Administrator > Administrator.
    2. Select the administrators that are not active and click Delete.

    Unused extensions

    To avoid the unintentional use of unused extensions, remove those extensions.

    1. Go to Extension > Extension > IP Extension.
    2. Disable the extensions that are not active.

    Verify SIP user agent

    Restrict phone registration so only phone requests that match the system configured phone type are allowed.

    1. Go to Dashboard > Console and click inside the window to connect to the CLI console.
    2. Enter the following commands:

      3. config system sip-setting

      set verify-user-agent enable

      end

    Previous
    Next

    Configuring additional settings

    Configuring additional settings

    In order to provide another level of protection beyond external abuse, there are a number of settings that you can enable to protect the FortiVoice phone system from internal abuse.

    Call restrictions and common phones

    Restrictions can be put in place based on call types, such as blocking international or toll calls.

    1. Go to Security > User Privilege > User Privilege.
    2. Select a user privilege and click Edit.
    3. Expand Call Restriction and configure the settings accordingly.

    Extensions that are placed in common areas, such as store floors and kitchens, should have the highest restriction levels, which include a PIN code to make calls.

    1. Set the appropriate call type to Allowed with Account Code, Allowed with Personal Code, or Allowed with Account and Personal Code.

    Interface access

    Any access methods that are not being used on the FortiVoice device should be disabled.

    1. Go to System > Network > Network.
    2. Select an interface and click Edit.
    3. Under Advanced Setting, disable any unused Access protocols.

    Guest provision protocol

    Using HTTPS to provision FortiFone devices with FortiVoice is recommended.

    1. Go to System > Advanced > Auto Provisioning.
    2. Under Auto Provisioning, set Provisioning protocol to HTTPS.

    Prohibited prefixes

    You may want to outright block certain phone number prefixes, such as 900 (blocked by default) which is commonly used for premium-rate calls, or phone calls with area codes originating from certain regions.

    1. Go to Phone System > Setting > Option.
    2. Under Number Management, add all undesirable prefixes to the System prohibited prefix section.

    Trusted hosts for administrators

    Certain IP subnets can be designated as allowed or trusted for administrators to log into FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

    1. Go to System > Administrator > Administrator.
    2. Select the administrator and click Edit.
    3. Set Trusted hosts to the local trusted IP subnet (define as many as required).

    Trusted hosts for extensions

    Certain IP subnets can also be designated as trusted for extensions to register to FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system and restrict remote access to the system.

    1. Go to Phone System > Profile > User Privilege.
    2. Select a user privilege and click Edit.
    3. Expand Advanced Setting, and set Trusted hosts to the local trusted IP subnet (define as many as required).

    Unused administrators

    Remove administrator profiles that are not in use.

    1. Go to System > Administrator > Administrator.
    2. Select the administrators that are not active and click Delete.

    Unused extensions

    To avoid the unintentional use of unused extensions, remove those extensions.

    1. Go to Extension > Extension > IP Extension.
    2. Disable the extensions that are not active.

    Verify SIP user agent

    Restrict phone registration so only phone requests that match the system configured phone type are allowed.

    1. Go to Dashboard > Console and click inside the window to connect to the CLI console.
    2. Enter the following commands:

      3. config system sip-setting

      set verify-user-agent enable

      end

    Previous
    Next