Introduction
This document describes the configuration of the FortiGate 80C firewall. In general, FortiGate routers are known to be complicated to configure correctly for use as a gateway in front of an ECLOUD. Please note that we cannot assist you in the configuration of your firewall. The status of this type of firewall is “Not Supported”.
Step 1: Disable SIP ALG
The SIP ALG functionality seems to be harder to disable (even if it is disabled via the web interface) and varies greatly between models. In addition, the type of NAT may break correct functionality or re-enable SIP ALG. On devices running FortiOS, you will need to disable this in multiple places as shown below:
- Open the FortiGate CLI from the dashboard.
- Enter the following commands in FortiGate’s CLI:
config system settings
set sip-helper disable
set sip-nat-trace disable
end
- Reboot the device.
- Reopen the FortiGate CLI and enter the following commands (do not enter the text after //):
config system session-helper
show //you need to find the entry for SIP, usually 12, but it may vary
delete 12 //or the number that you identified from the previous command
end
- Create a rule and set the “Protection Profile” to “Unfiltered”
- Reboot the device and you should be ready to use your FortiGate 80C with the ECLOUD Phone System without any issues.
Step 2 – Removing the Session Helper
- Run the following commands:
config system session-helper
show
- Amongst the displayed settings will be one similar to the following example:
edit 13
set name sip
set protocol 17
set port 5060
- In this example the next commands would be:
delete 13
end
Step 3 – Change the default-voip-alg-mode
- Run the following commands:
config system settings
set default-voip-alg-mode kernel-helper-based
end
- If you are running version 5.2 or above, continue with:
config voip profile
edit default
config sip
set status enable/disable
end
end
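To confirm that the settings from Steps 1 to 3 are in place, the following added example (not part of the original article and not Fortinet or ECLOUD tooling) checks saved "show" output from config system settings and config system session-helper. The sample text is constructed and the function names are hypothetical; a setting that does not appear in the supplied output is reported as "not shown" rather than assumed.

```python
# Constructed sample of FortiOS "show" output (not from a real device).
SAMPLE = """\
config system settings
    set sip-helper disable
    set default-voip-alg-mode proxy-based
end
config system session-helper
    edit 12
        set name ftp
    next
    edit 13
        set name sip
        set port 5060
    next
end
"""

# Values the steps on this page set under "config system settings".
EXPECTED = {"sip-helper": "disable", "sip-nat-trace": "disable",
            "default-voip-alg-mode": "kernel-helper-based"}

def parse(text):
    # Map (section, edit id or None) -> {key: value}; nested blocks are skipped.
    out, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        parts = raw.split("//")[0].split(None, 2) or [""]  # page marks notes with //
        if parts[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = " ".join(parts[1:]), None
        elif parts[0] == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                section = None
        elif depth == 1 and parts[0] in ("edit", "next"):
            entry = parts[1].strip('"') if parts[0] == "edit" else None
        elif depth == 1 and parts[0] == "set" and len(parts) == 3:
            out.setdefault((section, entry), {})[parts[1]] = parts[2].strip('"')
    return out

def sip_helper_ids(text):
    # IDs of session-helper entries named sip (the number to pass to delete).
    return [e for (s, e), v in parse(text).items()
            if s == "system session-helper" and v.get("name") == "sip"]

def audit(text):
    got = parse(text).get(("system settings", None), {})
    issues = [f"{k}: {got.get(k, 'not shown')} (expected {w})"
              for k, w in EXPECTED.items() if got.get(k) != w]
    return issues + [f"session-helper {i} (sip) still present" for i in sip_helper_ids(text)]
```

An empty list from audit() means the supplied output matches the settings from Steps 1 to 3; each remaining string names the setting or session-helper entry that still needs attention.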
Step 4 – Clear Sessions or Reboot
To clear sessions:
Ideally you would only delete sessions related to VoIP traffic. However, in the case of SIP, this means not only deleting the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. If you know the port-range used for the audio traffic, you can be selective with your session clear by first applying a filter.
- diagnose system session filter …
See the related article “Troubleshooting Tip: FortiGate Firewall session list information”.
The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt traffic.
- diagnose system session clear
Alternatively, reboot the FortiGate using either GUI or CLI. The CLI command is:
- execute reboot
Step 5: Validating Your Setup
Log into your ECLOUD Management Console → Dashboard → Firewall and run the ECLOUD Firewall Checker. This will validate if your firewall is correctly configured for use with ECLOUD.