Configure your Fortigate Firewall for use with the 3CX PBX
3CX PBX in the Cloud
1 year FREE - no ties!
google cloud platform
3CX
Zero Admin
With the new Dashboard
3CX
Bulletproof Security
With SSL certs and NGINX
3CX
Install on $200 Appliance
Intel MiniPC architecture
3CX
New, Intuitive Windows Client
More themes, more UC
3CX
More CRM Integrations
Scripting Interface to add your own
3CX
Improved Integrated Web Conferencing
iOS and Android apps included
3CX
Run On-Premise or in the Cloud
Google, OVH, Windows & Linux
Fast & easy call management
With the 3CX Web Client

FortiGate 80C Firewall Configuration with the 3CX

Configuring a FortiGate 80C Firewall with 3CX

Configuring a FortiGate 80C Firewall with 3CX

Introduction

Step 1: Disable SIP ALG

Step 2 - Removing the Session Helper

Step 3 - Change the default –voip –alg-mode

Step 4 - Clear Sessions or Reboot

Step 5:Validating Your Setup

Introduction

This document describes the configuration of FortiGate 80C Firewall.  In general Fortigate routers are known to be complicated to configure correctly for use as a gateway in front of a 3CX.   Please note that we cannot assist you in the configuration of your firewall. The status of this type of firewall is “Not Supported”.

Step 1: Disable SIP ALG

The SIP ALG functionality seems to be harder to disable (even if it is disabled via WEB Interface) and varies greatly between models. In addition, the type of NAT may break correct functionality or re-enable SIP ALG.  On devices running FortiOs, you will need to disable this in multiple places as shown below:

  1. Open the Fortigate CLI from the dashboard.
  2. Enter the following commands in FortiGate’s CLI:

config system settings

set sip-helper disable

set sip-nat-trace disable

reboot the device

  1. Reopen the FortiGate CLI and enter the following commands (do not enter text after //)

config system session-helper

show            //you need to find the entry for SIP, usually 12, but it may vary

delete 12            //or the number that you identified from the previous command

  1. Create a rule and set the “Protection Profile” to “Unfiltered”
  2. Reboot the device and you should be ready to use your FortiGate 80C with the 3CX Phone System without any issues.

Step 2 - Removing the Session Helper

  1. Run the following commands:

config system session-helper

Show

  1. Amongst the displayed settings will be one similar to the following example:

edit 13

set name sip

set protocol 17

set port 5060

  1. In this example the next commands would be:

delete 13

end

Step 3 - Change the default –voip –alg-mode

  1. Run the following commands:

config system settings

set default-voip-alg-mode kernel-helper based

end

  1. If Version 5.2 and above continue

config voip profile

edit default

config sip

set status enable/disable

end

end

Step 4 - Clear Sessions or Reboot

To clear sessions:

Ideally you would only delete sessions related to VoIP traffic. However, in the case of SIP, this means not only deleting the SIP control sessions but also all sessions opened to handle the audio (RTP) traffic. If you know the port-range used for the audio traffic, you can be selective with your session clear by first applying a filter.

  • diagnose system session filter ...

See the related article "Troubleshooting Tip : FortiGate Firewall session list information".

The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt traffic.

  • diagnose system session clear

Alternatively, reboot the FortiGate using either GUI or CLI. The CLI command is:

  • execute reboot

Step 5:Validating Your Setup

Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if your firewall is correctly configured for use with 3CX. More information about the Firewall Checker can be found here.

You might also be interested in:

Get 3CX Free for 1 Year Today
Download On-Premise Try in the Cloud