
FortiGate 80C Firewall Configuration with the 3CX

Introduction

SIP ALG is used to avoid configuring Static NAT on a router. Its implementation, however, varies from one router to another, often making it difficult to inter-operate a router with SIP ALG enabled with a PBX. The FortiGate 80C has a Built-In SIP ALG Proxy which must be disabled manually.

Status

In general, FortiGate routers are known to be complicated to configure correctly as a gateway in front of a 3CX Phone System for connecting VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections. The SIP ALG functionality seems to be harder to disable (even if it is disabled via the web interface) and varies greatly between models. In addition, the type of NAT may break correct functionality or re-enable SIP ALG.

The status of this type of firewall is “Not Supported”.

NAT Type: Not tested

Disclaimer

Configuration of the firewall will never be carried out by 3CX staff at any point and must be done by the system administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misguidance that may be given in this guide.

Configuring FortiGate 80C with 3CX PBX

The following steps take you through how to do this:

FortiGate

  1. Open the FortiGate CLI from the dashboard.
  2. Enter the following commands in FortiGate’s CLI:
  • config system settings
  • set sip-helper disable
  • set sip-nat-trace disable
  • end
  3. Reboot the device.
  4. Reopen the FortiGate CLI and enter the following commands (do not enter the text after //):
  • config system session-helper
  • show    //you need to find the entry for SIP, usually 12, but it may vary
  • delete 12     //or the number that you identified from the previous command
  • end

Fortigate

  1. Create a rule and set the “Protection Profile” to “Unfiltered”
  2. Reboot the device and you should be ready to use your FortiGate 80C with the 3CX Phone System without any issues.

How to Disable SIP ALG manually on Fortinet / FortiGate

SIP ALG is used to try and avoid configuring Static NAT on a router. Its implementation, however, varies from router to router, often making it difficult to inter-operate a router with SIP ALG enabled with a PBX. In general, you would want to disable SIP ALG and configure one to one port mapping on the router.

On devices running FortiOS, you will need to disable this in multiple places, as shown below:

Step 1 - Removing the session helper

Run the following commands:

    config system session-helper
    show

Amongst the displayed settings will be one similar to the following example:

    edit 13
    set name sip
    set protocol 17
    set port 5060

In this example the next commands would be:

    delete 13
    end

Step 2 - Change the default-voip-alg-mode

Run the following commands:

    config system settings
    set default-voip-alg-mode kernel-helper-based
    end

(Version 5.2 and above for this part)

    config voip profile
    edit default
    config sip
    set status disable
    end
    end

Step 3 - Either clear sessions or reboot to make sure changes take effect

  1. To clear sessions

Ideally you would only delete sessions related to VoIP traffic. However, in the case of SIP, this means not only deleting the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. If you know the port-range used for the audio traffic, you can be selective with your session clear by first applying a filter.

diagnose system session filter ...

See the related article "Troubleshooting Tip : FortiGate Firewall session list information".

The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt traffic.

diagnose system session clear

  2. Alternatively, reboot the FortiGate using either the GUI or the CLI. The CLI command is:

execute reboot
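
Because SIP handling has to be switched off in several places, a saved configuration can be checked for leftovers before the device goes back into service. The Python script below is an added example, not part of the original guide or of any Fortinet tool; it assumes the input is `show full-configuration` output or a backup in which these settings are written out explicitly (a setting missing from the input is simply not reported), and the sample configuration and the names `parse`, `audit` and `BAD` are constructed for illustration.

```python
SAMPLE = """\
config system settings
    set sip-helper enable
    set sip-nat-trace enable
    set default-voip-alg-mode proxy-based
end
config system session-helper
    edit 13
        set name sip
        set port 5060
    next
end
config voip profile
    edit "default"
        config sip
            set status enable
        end
    next
end
"""  # constructed sample in FortiOS "show" layout, not from a real device

def parse(text):
    """Yield (path, key, value) per 'set' line; path = open config/edit blocks."""
    stack = []
    for raw in text.splitlines():
        verb, _, rest = raw.strip().partition(" ")
        rest = rest.strip().strip('"')
        if verb in ("config", "edit"):
            stack.append(rest if verb == "config" else "edit " + rest)
        elif verb in ("next", "end") and stack:
            if stack[-1].startswith("edit "):
                stack.pop()                  # leave the table entry
            if verb == "end" and stack:
                stack.pop()                  # leave the config block
        elif verb == "set":
            key, _, value = rest.partition(" ")
            yield tuple(stack), key, value.strip().strip('"')

BAD = {"sip-helper": "enable", "sip-nat-trace": "enable", "default-voip-alg-mode": "proxy-based"}

def audit(text):
    """List 'set' lines that leave SIP handling on: settings, session helper, VoIP profile."""
    return [" > ".join(p) + f": set {k} {v}" for p, k, v in parse(text)
            if p == ("system settings",) and BAD.get(k) == v
            or p[:1] == ("system session-helper",) and (k, v) == ("name", "sip")
            or p[:1] == ("voip profile",) and p[-1] == "sip" and (k, v) == ("status", "enable")]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no active SIP ALG settings found")
```

The session-helper line in the output carries the entry number to pass to `delete` in Step 1.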
