FortiVoice Cookbook

Configuring FortiGate for SIP over TCP or UDP

After Configuring FortiFone softclient settings on FortiVoice, perform the following procedures to configure a FortiGate device for SIP over TCP or UDP.

If your FortiVoice deployment is using SIP over TLS instead, go to Configuring FortiGate for SIP over TLS.

Configure system settings for SIP over TCP or UDP

  1. On FortiGate, go to System > Feature Visibility.
  2. Under Additional Features, enable Multiple Security Profiles and VoIP.
  3. Click Apply.

Create virtual IP addresses for SIP over TCP or UDP

  1. On FortiGate, go to Policy & Objects > Virtual IPs.
  2. Click Create New and select Virtual IP.
  3. Create virtual IPs for the following services that map to the IP address of the FortiVoice:
    • External SIP TCP port of FortiVoice. If the sip_mobile_default profile has been modified to use UDP instead, configure the VIP for the external SIP UDP port.
    • External HTTPS port of FortiVoice. The HTTPS port is used for the softclient login, call logs, and contacts download from the FortiVoice phone system.
  4. To create a virtual IP group, click Create New and select Virtual IP Group.
  5. Add the two newly created virtual IPs.

Configure VoIP profile and NAT traversal settings for SIP over TCP or UDP

  1. On FortiGate, open the CLI Console from the GUI banner.
  2. Create a VoIP protection profile and enable hosted NAT traversal (HNT) together with the restricted HNT source address option. When the FortiFone softclient sits behind a NAT device that is not SIP-aware, the client advertises its private address in the SDP body; HNT lets FortiGate rewrite that address to the public address the SIP traffic actually arrived from, and the restricted source address option only accepts RTP whose source matches the SIP signalling source.

    This VoIP protection profile will be added to the inbound firewall policy to prevent potential one-way audio issues caused by NAT.

    VoIP profile command example for SIP over TCP or UDP (both options described in step 2 are enabled)

    config voip profile
        edit "SIP_IN"
            config sip
                set hosted-nat-traversal enable
                set hnt-restrict-source-ip enable
            end
        next
    end

  3. If the FortiVoice external SIP port is not the default of 5060, tell FortiGate which port carries SIP so that the SIP ALG and HNT inspect that traffic. Both command examples use port 5566; apply the one that matches the transport (TCP or UDP) set in the sip_mobile_default profile.

    External port setting example for TCP

    config system settings
        set sip-tcp-port 5566
    end

    External port setting example for UDP

    config system settings
        set sip-udp-port 5566
    end

  4. Mark the internet-facing interface as external. HNT needs to know which interface faces the internet, so this setting is required. The command example uses wan1 as the internet-facing interface.

    config system interface
        edit "wan1"
            set external enable
        next
    end

Create an inbound firewall policy for SIP over TCP or UDP

  1. On FortiGate, go to Policy & Objects > Firewall Policy.
  2. Click Create New.
  3. Set Incoming Interface to the internet-facing interface and Outgoing Interface to the internal/LAN interface.
  4. Set Source to all.
  5. Set Destination to the virtual IP group created in Create virtual IP addresses for SIP over TCP or UDP.
  6. Set Schedule to always.
  7. Set Service to ALL.
  8. Disable NAT.
  9. Enable VoIP and select the VoIP profile created in Configure VoIP profile and NAT traversal settings for SIP over TCP or UDP.

Create an outbound firewall policy for FortiVoice to access the Android or iOS push server

FortiVoice requires outbound access to the Android and iOS push servers.

If FortiGate already has an outbound firewall policy that allows FortiVoice to reach everything on the internet, you do not need to create an additional firewall policy. You have completed the FortiGate configuration for SIP over TCP or UDP. Go to Installing and configuring the FortiFone softclient for mobile.

If FortiGate does not have such a policy, create the FQDN addresses and a specific outbound firewall policy so that FortiVoice can reach the Android and iOS push servers.

To create FQDN addresses for Android and iOS push servers

  1. On FortiGate, go to Policy & Objects > Addresses and click Create New.
  2. In Name, enter a name for the Android push server address.
  3. In Type, select FQDN.
  4. In FQDN, enter fcm.googleapis.com.
  5. Click OK.
  6. Click Create New.
  7. In Name, enter a name for the iOS push server address.
  8. In Type, select FQDN.
  9. In FQDN, enter gateway.push.apple.com.
  10. Click OK.

To use the Android and iOS push server addresses in an outbound firewall policy

  1. On FortiGate, go to Policy & Objects > Firewall Policy and click Create New.
  2. In Incoming interface, enter the port connected to FortiVoice.
  3. In Outgoing interface, enter the WAN port.
  4. In Source, select all.
  5. In Destination, select the FQDN addresses that you created for the Android and iOS push servers.
  6. Configure the rest of the policy, as needed.
  7. Click OK.

    You have completed the configuration of FortiGate for SIP over TCP or UDP.

  8. Go to Installing and configuring the FortiFone softclient for mobile.
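The GUI procedures above, collected into a single FortiOS CLI session. This is an added example and is not configuration from the Fortinet page or from a FortiVoice deployment. It assumes the FortiVoice is at 10.0.0.20 behind the interface named internal, the public address 203.0.113.10 is on wan1, the external SIP port is the page's 5566 over TCP, HTTPS stays on 443, and all object names (FortiVoice_SIP_TCP, FortiVoice_HTTPS, FortiVoice_VIP_Grp, SIP_IN, Android_Push_FCM, iOS_Push_APNs) are chosen here. The outbound policy follows the page in using a source of all; the lines beginning with # are explanatory and should be left out when pasting into the CLI.

```fortios
# Assumed topology (not from the page): FortiVoice 10.0.0.20 on "internal",
# public IP 203.0.113.10 on "wan1", external SIP TCP 5566, HTTPS 443.

# 1. Port-forwarding VIPs for SIP (TCP) and HTTPS, both mapped to FortiVoice
config firewall vip
    edit "FortiVoice_SIP_TCP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol tcp
        set extport 5566
        set mappedport 5566
    next
    edit "FortiVoice_HTTPS"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 2. VIP group used as the destination of the inbound policy
config firewall vipgrp
    edit "FortiVoice_VIP_Grp"
        set member "FortiVoice_SIP_TCP" "FortiVoice_HTTPS"
    next
end

# 3. VoIP profile with hosted NAT traversal and restricted HNT source address
config voip profile
    edit "SIP_IN"
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable
        end
    next
end

# 4. Non-standard SIP port (TCP in this example) and the external interface flag
config system settings
    set sip-tcp-port 5566
end
config system interface
    edit "wan1"
        set external enable
    next
end

# 5. Inbound policy: internet -> FortiVoice via the VIP group, NAT off, VoIP profile on
config firewall policy
    edit 0
        set name "FortiVoice_SIP_Inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "FortiVoice_VIP_Grp"
        set schedule "always"
        set service "ALL"
        set nat disable
        set utm-status enable
        set voip-profile "SIP_IN"
        set logtraffic all
    next
end

# 6. FQDN addresses for the push servers named on the page
config firewall address
    edit "Android_Push_FCM"
        set type fqdn
        set fqdn "fcm.googleapis.com"
    next
    edit "iOS_Push_APNs"
        set type fqdn
        set fqdn "gateway.push.apple.com"
    next
end

# 7. Outbound policy: FortiVoice -> push servers only (source "all" as on the page;
#    service and source NAT left at the permissive defaults the page tells you to tune)
config firewall policy
    edit 0
        set name "FortiVoice_Push_Outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "Android_Push_FCM" "iOS_Push_APNs"
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Because the destination of the inbound policy is a group of port-forwarding VIPs, only traffic to the two mapped ports on 203.0.113.10 matches it even though Service is ALL; to tighten the outbound policy further, replace the source of all with an address object for the FortiVoice host and restrict the service to what the push servers actually need.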