How to Configure a FortiGate 80C Firewall with the 3CX
SIP ALG is used to avoid configuring static NAT on a router. Its implementation, however, varies from one router to another, which often makes it difficult for a router with SIP ALG enabled to interoperate with a PBX. The FortiGate 80C has a built-in SIP ALG proxy that must be disabled manually.
In general, FortiGate firewalls are known to be complicated to configure correctly as a gateway in front of a 3CX Phone System for connecting VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections. SIP ALG is hard to disable (it can remain active even after it has been disabled via the web interface) and its behaviour varies greatly between models. In addition, the type of NAT in use may break correct functionality or re-enable SIP ALG.
The support status of this type of firewall is “Not Supported”.
NAT type: Not tested
Configuration of the firewall will never be carried out by 3CX staff at any point and must be done by the system administrator of the company. You must understand the risk of opening ports to the Internet. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated there. This guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance this guide may contain.
Configuring FortiGate 80C with 3CX PBX
The following steps take you through how to do this:
- Open the FortiGate CLI from the dashboard.
- Enter the following commands in the FortiGate CLI (the block is committed with end):
- config system settings
- set sip-helper disable
- set sip-nat-trace disable
- end
- Reboot the device.
- Reopen the FortiGate CLI and enter the following commands (do not enter the text after //):
- config system session-helper
- show // find the entry whose name is sip; it is usually number 12, but the number may vary
- delete 12 // or the number you identified from the previous command
- end
- Create a firewall rule for the 3CX traffic and set its “Protection Profile” to “Unfiltered”.
- Reboot the device again; the FortiGate 80C should now work with the 3CX Phone System without issues.
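The warning above is that SIP ALG on FortiGate can stay active even when it looks disabled, so the procedure is only finished once you have checked it. A firewall whose ALG is really off rewrites only the IP and UDP headers; the SIP headers and SDP body leave the WAN interface exactly as the PBX sent them. The following Python, added here as an example and not part of the 3CX article, diffs the address-bearing fields of the same INVITE captured on the PBX (inside) and at the provider or a remote capture host (outside). The two captures are constructed for the example and use RFC 5737 documentation addresses; the function, field names and the simulated rewrite are assumptions for illustration, not something 3CX or Fortinet ship.

```python
"""Check whether a FortiGate still rewrites SIP after the ALG was "disabled".

Added example, not from the 3CX article. Feed alg_rewrites() the same INVITE
as captured on the PBX (inside) and on the far side of the firewall
(outside); every field it lists was rewritten in transit, which only an ALG
does. The captures below are constructed; addresses are RFC 5737 ranges.
"""
from __future__ import annotations

import re


def build_invite(addr: str, rtp_port: int) -> str:
    """Constructed INVITE carrying addr in every field a SIP ALG rewrites."""
    sdp = (
        "v=0\r\n"
        f"o=3cx 2890844526 2890844526 IN IP4 {addr}\r\n"
        "s=3CX\r\n"
        f"c=IN IP4 {addr}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0 8 101\r\n"
    )
    return (
        "INVITE sip:+15551234567@sip.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:100@sip.example.net>;tag=1928301774\r\n"
        "To: <sip:+15551234567@sip.example.net>\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:100@{addr}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp.encode())}\r\n"
        "\r\n" + sdp
    )


# Constructed captures: what 3CX sent from its LAN address, and what the
# provider received after an ALG substituted the public address and a new
# RTP port. The values are illustrative, not from a real device.
INSIDE = build_invite("192.168.1.10", 9000)
OUTSIDE_WITH_ALG = build_invite("203.0.113.5", 40001)


def parse_sip(message: str) -> tuple[dict[str, list[str]], list[str]]:
    """Split a SIP message into lower-cased header lists and SDP body lines."""
    head, _, body = message.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, [line for line in body.split("\r\n") if line]


def signalling_addresses(message: str) -> dict[str, str]:
    """Extract the address-bearing fields: Via host, Contact host, SDP o=/c=/m=."""
    headers, sdp = parse_sip(message)
    fields: dict[str, str] = {}
    for i, via in enumerate(headers.get("via", [])):
        # "SIP/2.0/UDP host:port;branch=..." -> "host:port"
        fields[f"Via[{i}]"] = via.split(";")[0].split(None, 1)[1]
    for i, contact in enumerate(headers.get("contact", [])):
        m = re.search(r"@([^;>]+)", contact)
        fields[f"Contact[{i}]"] = m.group(1) if m else contact
    for line in sdp:
        if line.startswith("o="):
            fields["SDP o= address"] = line.split()[-1]
        elif line.startswith("c="):
            fields["SDP c="] = line[2:]
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            fields[f"SDP m={media} port"] = port
    return fields


def alg_rewrites(inside: str, outside: str) -> list[tuple[str, str | None, str | None]]:
    """Fields that differ between the two captures, as (field, inside, outside).

    An empty list means the SIP payload crossed the firewall untouched, which
    is what a correctly disabled SIP ALG looks like.
    """
    a, b = signalling_addresses(inside), signalling_addresses(outside)
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


if __name__ == "__main__":
    for field, before, after in alg_rewrites(INSIDE, OUTSIDE_WITH_ALG):
        print(f"ALG rewrote {field}: {before} -> {after}")
```

With static NAT and STUN configured correctly, 3CX itself writes the public address into Contact and the SDP, so a clean firewall gives an empty result even though the packet was NATed. If the outside capture shows the public address while the PBX sent its private one, something in the path rewrote the payload, and the ALG work above is not finished. Take the inside capture on the PBX host (for example with tcpdump on UDP 5060) and the outside one on a host beyond the FortiGate or from the provider's SIP trace.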
How to Disable SIP ALG manually on Fortinet / FortiGate
SIP ALG is used to try to avoid configuring static NAT on a router. Its implementation, however, varies from router to router, which often makes it difficult for a router with SIP ALG enabled to interoperate with a PBX. In general, you would want to disable SIP ALG and configure one-to-one port mapping on the router instead.
On devices running FortiOS, you will need to disable it in multiple places, as shown below:
Step 1 - Removing the session helper
Run the following commands:
config system session-helper
show
Amongst the displayed entries will be one similar to the following example:
set name sip
set protocol 17
set port 5060
In this example the next commands would be delete followed by the number shown on that entry's edit line, and then end to commit the change.
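Both the 3CX procedure above and Step 1 here tell you to read the number of the sip entry from the show output rather than assume it is 12. The following Python, added here as an example and not part of the 3CX or Fortinet text, parses that output and generates the matching delete commands, so the index comes from the device. The sample show output is constructed and its entry numbers are illustrative; the function names are this example's own.

```python
"""Locate the SIP session-helper entry in FortiOS 'show' output.

Added example (not from the 3CX or Fortinet page). It parses the text that
'config system session-helper' / 'show' prints so that the index passed to
'delete' is read from the device instead of assumed to be 12.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of 'show' output. The entry numbers and the subset of
# helpers are illustrative; a real device lists more entries and the sip
# entry may carry a different index.
SAMPLE_SHOW_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 9
        set name sip
        set protocol 17
        set port 5060
    next
    edit 10
        set name dns-udp
        set protocol 17
        set port 53
    next
end
"""


@dataclass
class SessionHelper:
    index: int
    name: str
    protocol: int
    port: int


_EDIT = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET = re.compile(r"^\s*set\s+(name|protocol|port)\s+(\S+)\s*$")


def parse_session_helpers(show_output: str) -> list[SessionHelper]:
    """Parse the 'edit N ... next' blocks into SessionHelper records."""
    helpers: list[SessionHelper] = []
    current: dict[str, str | int] | None = None  # fields of the block being read
    for line in show_output.splitlines():
        m = _EDIT.match(line)
        if m:
            current = {"index": int(m.group(1))}
            continue
        m = _SET.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value
            continue
        if line.strip() == "next" and current is not None:
            # 'next' closes the block; missing fields mean truncated output.
            helpers.append(SessionHelper(
                index=int(current["index"]),
                name=str(current.get("name", "")),
                protocol=int(current.get("protocol", 0)),
                port=int(current.get("port", 0)),
            ))
            current = None
    return helpers


def sip_helper_indices(show_output: str) -> list[int]:
    """Indices of every helper named 'sip' (normally one, UDP port 5060)."""
    return [h.index for h in parse_session_helpers(show_output) if h.name == "sip"]


def delete_commands(show_output: str) -> str:
    """CLI commands that remove the sip helper(s) found in the output.

    Returns an empty string when there is nothing to delete, so the caller
    does not run 'delete 12' blindly on a device where that entry is absent
    or belongs to a different helper.
    """
    indices = sip_helper_indices(show_output)
    if not indices:
        return ""
    body = "\n".join(f"delete {i}" for i in indices)
    return f"config system session-helper\n{body}\nend\n"


if __name__ == "__main__":
    print(delete_commands(SAMPLE_SHOW_OUTPUT), end="")
```

Paste the real show output into a file, run the parser over it, and the printed block is what to type into the CLI. Because only entries named sip are selected, a device whose sip helper happens to be entry 12 and one where 12 is some other helper are handled the same way.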
Step 2 - Change the default voip-alg-mode
Run the following commands:
config system settings
set default-voip-alg-mode kernel-helper-based
end
(Version 5.2 and above for this part: SIP inspection is also switched off inside the VoIP profile that your policy uses; replace <profile-name> with that profile.)
config voip profile
edit <profile-name>
config sip
set status disable
end
end
Step 3 - Either clear sessions or reboot to make sure changes take effect
- To clear sessions
Ideally you would only delete the sessions related to VoIP traffic. In the case of SIP, however, this means deleting not only the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. If you know the port range used for the audio traffic, you can be selective when clearing sessions by first applying a filter:
diagnose system session filter ...
See the related article "Troubleshooting Tip: FortiGate Firewall session list information".
The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt traffic.
diagnose system session clear
- Alternatively, reboot the FortiGate using either GUI or CLI. The CLI command is: