FortiVoice Cookbook

Configuring additional settings

In order to provide another level of protection beyond external abuse, there are a number of settings that you can enable to protect the FortiVoice phone system from internal abuse.

This recipe includes the following settings:

Call restrictions and common phones

Restrictions can be put in place based on call types, such as blocking international or toll calls.

  1. Go to Security > User Privilege > User Privilege.
  2. Select a user privilege and click Edit.
  3. Expand Call Restriction and configure the settings accordingly.

Extensions that are placed in common areas, such as store floors and kitchens, should have the highest restriction levels, which include a PIN code to make calls.

  1. Set the appropriate call restriction to Allowed with Account Code, Allowed with Personal Code, or Allowed with Account and Personal Code.

Interface access

Any access methods that are not being used on the FortiVoice device should be disabled.

  1. Go to System > Network > Network.
  2. Select an interface and click Edit.
  3. Under Advanced Setting, disable any unused Access protocols.

Guest provision protocol

Using HTTPS to provision FortiFone devices with FortiVoice is recommended.

  1. Go to System > Advanced > Auto Provisioning.
  2. Under Auto Provisioning, set Provisioning protocol to HTTPS.

Prohibited prefixes

You may want to block certain phone number prefixes outright, such as 900 (blocked by default), which is commonly used for premium-rate calls, or phone calls with area codes originating from certain regions.

  1. Go to Phone System > Setting > Option.
  2. Under Number Management, add all undesirable prefixes to the System prohibited prefix section.

Trusted hosts for administrators

Certain IP subnets can be designated as allowed or trusted for administrators to log into FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system.

  1. Go to System > Administrator > Administrator.
  2. Select the administrator and click Edit.
  3. Set Trusted hosts type to the local trusted IP subnet (define as many as required) or RFC 1918 predefine.

Trusted hosts for extensions

Certain IP subnets can also be designated as trusted for extensions to register to FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system.

  1. Go to Phone System > Profile > User Privilege.
  2. Select a user privilege and click Edit.
  3. Expand Advanced Setting, and set Trusted hosts to the local trusted IP subnet (define as many as required).
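
The following is an added example, not part of the FortiVoice documentation: a Python check that can be run over a planned trusted-hosts list (for administrators or for extensions) before it is entered, to confirm each entry stays inside RFC 1918 space and to see which source addresses the list would admit. It assumes entries are written as CIDR or address/netmask; the function names and the sample list are constructed for illustration.

```python
import ipaddress

# RFC 1918 private IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(entry):
    """Classify one trusted-host entry (CIDR or address/netmask)."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "invalid"
    if net.prefixlen == 0:
        return "any"            # matches every source, so nothing is restricted
    if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
        return "private"
    return "non-private"        # covers addresses outside the local networks


def audit(entries):
    """Map each entry to its class so risky ones can be reviewed."""
    return {e: classify(e) for e in entries}


def admitted(source_ip, entries):
    """True if source_ip falls inside any valid trusted-host entry."""
    addr = ipaddress.ip_address(source_ip)
    for e in entries:
        try:
            net = ipaddress.ip_network(e.strip(), strict=False)
        except ValueError:
            continue            # malformed entries admit nothing
        if addr.version == net.version and addr in net:
            return True
    return False


# Constructed sample list, not taken from a real FortiVoice unit.
SAMPLE = ["192.168.10.0/24", "10.20.0.0/16", "172.32.0.0/16",
          "0.0.0.0/0", "203.0.113.0/24", "192.168.1.300/24"]

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE).items():
        print(f"{entry:18} {verdict}")
```

Note that 172.32.0.0/16 is reported as non-private: the RFC 1918 block 172.16.0.0/12 ends at 172.31.255.255, a boundary that is easy to misjudge when typing subnets by hand.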

Unused administrators

Remove administrator profiles that are not in use.

  1. Go to System > Administrator > Administrator.
  2. Select the administrators that are not active and click Delete.

Unused extensions

To avoid the unintentional use of unused extensions, remove those extensions.

  1. Go to Extension > Extension > IP Extension.
  2. Disable the extensions that are not active.

Verify SIP user agent

Restrict phone registration so only phone requests that match the system configured phone type are allowed.

  1. Go to Dashboard > Console and click inside the window to connect to the CLI console.
  2. Enter the following commands:

    config system sip-setting
    set verify-user-agent enable
    end

Blocking numbers

If you find that any extension has been suffering from attacks by other devices, you may block it to stop the attacks.

  1. Go to Security > Blocked Number.
  2. Click New.
  3. Enter the extension you want to block.
  4. Click Create.
  5. To unblock a number, select it in the list and click Delete.

Unassigned phones

If you find that the number of phones that are auto discovered but have not been assigned extensions is abnormally high, it may mean the FortiVoice unit is under a MAC address flooding attack and its performance will be compromised. You can remove the phones.

  1. Go to Dashboard > Status.
  2. At the bottom of System Information, find Phones not assigned.
  3. Click the Remove all not assigned phones icon to delete the phones as required.
