Fortigate SIP setup for simple SIP client to Internet VoIP carrier
This sample has been tested on FortiOS 5.2.
Situation:
This is a very simple situation. The FortiGate is a home/SOHO Internet router. On the LAN there is a SIP client that connects to a Voice Service Provider (VSP) on the Internet.
[LAN: SIP Client] --> [Fortigate] --> [Internet: VSP]
Clients that have been tested include Zoiper and a D-Link ATA.
There are two modes for SIP:
- The SIP session helper
- The SIP ALG
Prepare:
- There is no need for any inbound (i.e. WAN to LAN) firewall rule to allow such traffic. Remove these unnecessary rules.
Steps:
- Open the CLI.
- Configure VoIP to use the session helper:
    FWF60C # config system settings
    FWF60C (settings) # set default-voip-alg-mode kernel-helper-based // used by FortiOS 5.2
    FWF60C (settings) # set sip-helper disable // enabled by default, but disabling works for me
    FWF60C (settings) # set sip-nat-trace disable // enabled by default, but disabling works for me
    FWF60C (settings) # end
- Check that the SIP session helper is present. If it is not there, add it back:
    FWF60C # show system session-helper
    config system session-helper
    .....
        edit 13
            set name sip
            set protocol 17
            set port 5060
        next
    ....
- Add a firewall policy from LAN to WAN. Enable NAT. Do not turn on VoIP on the policy.
- Reboot the unit.
Enable Debug messages:
diagnose debug disable
diagnose debug reset
diagnose debug application sip -1
diagnose debug enable
System SIP handling status:
diagnose sys sip-proxy calls list
diagnose sys sip-proxy stats {clear | list}
diagnose sys sip-proxy stats
diagnose sys sip status
diagnose sys sip dialog list
diagnose sys sip mapping list
Enhancing SIP pinhole security
To protect the SIP gateway from the UDP 65476 attack, enable strict-register in every VoIP profile.
In CLI:
config voip profile
    edit Profile_name
        config sip
            set strict-register enable
        end
    next
end
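As an added example (not part of the original note and not a Fortinet tool), the following Python script audits a saved "show" dump for the two checks in this note: that a SIP session helper on UDP/5060 exists, and that every VoIP profile has strict-register enabled. It assumes the "show voip profile" output nests in the same config/edit/set/next/end layout as the session-helper output above; the dump embedded in the script is constructed sample data.

```python
# Added audit example (not from the original note): parse a FortiOS "show" dump
# (config/edit/set/next/end) and flag the settings this note relies on.
SAMPLE_DUMP = """\
config system session-helper
    edit 13
        set protocol 17
        set port 5060
    next
end
config voip profile
    edit "default"
        config sip
            set strict-register enable
        end
    next
    edit "vsp-trunk"
    next
end
"""  # constructed sample data; the voip profile layout is assumed

def parse_fortios_show(text):
    # {table: {entry: {key: value}}}; a sub-block like 'config sip' becomes 'sip.<key>'
    tables, table, sub, cur = {}, None, [], None
    for line in filter(str.strip, text.splitlines()):
        kw, *args = line.split(None, 2)
        if kw == "config" and table is None:      # top-level table
            table = cur = tables.setdefault(" ".join(args), {})
        elif kw == "config":                      # sub-block inside an entry
            sub.append(" ".join(args))
        elif kw == "edit":
            cur = table.setdefault(args[0].strip('"'), {})
        elif kw == "set":
            cur[".".join(sub + [args[0]])] = args[1].strip('"') if len(args) > 1 else ""
        elif kw == "next":
            cur = table
        elif kw == "end" and sub:                 # leave sub-block
            sub.pop()
        elif kw == "end":                         # leave table
            table = cur = None
    return tables

def audit(dump):
    cfg, findings = parse_fortios_show(dump), []
    helpers = cfg.get("system session-helper", {}).values()
    if not any(h.get("protocol") == "17" and h.get("port") == "5060" for h in helpers):
        findings.append("no SIP session helper on UDP/5060")
    for name, prof in cfg.get("voip profile", {}).items():
        if prof.get("sip.strict-register") != "enable":
            findings.append(f"voip profile {name}: strict-register not enabled")
    return findings
```

Because "show" prints only non-default values, a profile with no strict-register line is reported as not enabled, which is the failure mode to look for.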
Reference:
http://docs.fortinet.com/uploaded/files/2148/fortigate-voip-sip-522.pdf
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-voip-guide-52/Enhancing%20SIP%20pinhole%20security.htm