How to Configure a FortiGate 80C Firewall with the 3CX Phone System

Introduction

SIP ALG is used to avoid configuring Static NAT on a router. Its implementation, however, varies from one router to another, often making it difficult to inter-operate a router with SIP ALG enabled with a PBX. The FortiGate 80C has a Built-In SIP ALG Proxy which must be disabled manually.

fortigate 80c

Status

In general Fortigate routers are know to be complicated to configure correctly for the use as a gateway in front of a 3CX Phone System to connect Voip Provider, direct Remote Extensions (STUN) and 3CX Tunnel connections. The SIP ALG functionality seams to be harder to disable (even if it is disabled via WEB Interface) and varies greately between models. In addition the type of NAT may break correct functionality or re-enable SIP ALG.

The status of this type of firewall is “Not Supported”.
Nat Type: Not tested

Disclaimer

Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company.  You must understand the risk of opening ports to the World Wide Web. Read http://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance may made in this guide.

Configuring FortiGate 80C with 3CX Phone System

The following steps take you through how to do this:

Fortigate

  1. Open the Fortigate CLI from the dashboard.
  2. Enter the following commands in FortiGate’s CLI:
    1. config system settings
    2. set sip-helper disable
    3. set sip-nat-trace disable
    4. reboot the device
  3. Reopen the FortiGate CLI and enter the following commands (do not enter the text after //)
    1. config system session-helper
    2. show    //you need to find the entry for SIP, usually 12, but it may vary
    3. delete 12     //or the number that you identified from the previous command


      Fortigate
  4. Create a rule and set the “Protection Profile” to “Unfiltered”
  5. Reboot the device and you should be ready to use your FortiGate 80C with the 3CX Phone System without any issues.

Liked this article?


Get notified of new articles
or share
You might also be interested in:
  1. With other PBX’es you’ll probably have to setup a 1-to-1 NAT (where ports are not rewritten). This assumes that the PBX is behind the FortiGate firewall.

    June 8, 2013 at 12:05 am
  2. jasit

    Can you please expand on your profile settings, will also need to know what version of firmware you are using on the 80c, the Protection Profile is not on every version.

    June 19, 2013 at 6:42 pm