SIP ALG is used to avoid configuring Static NAT on a router. Its implementation, however, varies from one router to another, often making it difficult to inter-operate a router with SIP ALG enabled with a PBX. The FortiGate 80C has a Built-In SIP ALG Proxy which must be disabled manually.
In general Fortigate routers are know to be complicated to configure correctly for the use as a gateway in front of a 3CX Phone System to connect Voip Provider, direct Remote Extensions (STUN) and 3CX Tunnel connections. The SIP ALG functionality seams to be harder to disable (even if it is disabled via WEB Interface) and varies greately between models. In addition the type of NAT may break correct functionality or re-enable SIP ALG.
The status of this type of firewall is “Not Supported”.
Nat Type: Not tested
Configuration of the firewall will never be carried out by the 3CX Staff at any point and must be made by the System-Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance may made in this guide.
Configuring FortiGate 80C with 3CX Phone System
The following steps take you through how to do this:
- Open the Fortigate CLI from the dashboard.
- Enter the following commands in FortiGate’s CLI:
- config system settings
- set sip-helper disable
- set sip-nat-trace disable
- reboot the device
- Reopen the FortiGate CLI and enter the following commands (do not enter the text after //)
- Create a rule and set the “Protection Profile” to “Unfiltered”
- Reboot the device and you should be ready to use your FortiGate 80C with the 3CX Phone System without any issues.