Fortigate SIP setup for simple SIP client to Internet VoIP carrier

This sample has been tested on FortiOS 5.2.

This is a very simple situation. The Fortigate is a home/SOHO internet router. On the LAN, there is a SIP client that connects to the Voice Service Provider (VSP) on the Internet.

[LAN: SIP Client]  --> [Fortigate] --> [Internet: VSP]

Clients that have been tested include Zoiper and a D-Link ATA.

There are two modes for SIP:

  1. The SIP session helper
  2. The SIP ALG

For this usage, I will use the SIP session helper.

There is no need for any inbound (i.e. WAN to LAN) firewall rule to allow such traffic. Remove these unnecessary rules.

  1. Open the CLI
  2. Enable VoIP to use session helper
    FWF60C # config system settings
    FWF60C (settings) # set default-voip-alg-mode kernel-helper-based // used by FortiOS 5.2
    FWF60C (settings) # set sip-helper disable //  enabled by default, but disable works for me
    FWF60C (settings) # set sip-nat-trace disable  //  enabled by default, but disable works for me
    FWF60C (settings) # end
  3. Check that the SIP session helper entry is present. If it is not there, add it back.

    FWF60C # show system session-helper
    config system session-helper
        edit 13
            set name sip
            set protocol 17
            set port 5060
  4. Add a firewall policy: LAN to WAN.  Enable NAT.  Do not turn on VoIP.
  5. Reboot the unit

Commands for troubleshooting:

Enable Debug messages:
diagnose debug disable
diagnose debug reset
diagnose debug application sip -1
diagnose debug enable

System SIP handling status:
diagnose sys sip-proxy calls list
diagnose sys sip-proxy stats {clear | list}
diagnose sys sip-proxy stats
diagnose sys sip status
diagnose sys sip dialog list
diagnose sys sip mapping list

Enhancing SIP pinhole security
To protect the SIP gateway from the UDP 65476 attack, we need to enable strict-register in all SIP profiles.

config voip profile
    edit Profile_name
        config sip
            set strict-register enable
        end
    next
end
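
As an added example (not part of the original post and not Fortinet code), the following Python script checks a saved configuration for two settings from this page: the sip session-helper entry from step 3 and strict-register in every VoIP profile. The configuration text is constructed, `parse_tables` and `audit` are hypothetical names, and it assumes the backup uses the same config/edit/set/next/end layout as the `show` output above.

```python
SAMPLE = """\
config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
config voip profile
    edit "default"
        set comment "constructed"
    next
    edit "strict"
        config sip
            set strict-register enable
        end
    next
end
"""  # constructed sample configuration, not taken from a real unit

def parse_tables(text):
    """Return {table: {entry: {"sub/setting": value}}}; nested edit tables are not separated."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        tok = raw.split() or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))          # enter a table or a sub-block
        elif tok[0] == "edit" and len(stack) == 1:
            entry = tables.setdefault(stack[0], {}).setdefault(" ".join(tok[1:]).strip('"'), {})
        elif tok[0] == "set" and entry is not None and len(tok) > 1:
            entry["/".join(stack[1:] + [tok[1]])] = " ".join(tok[2:])
        elif tok[0] == "next" and len(stack) == 1:
            entry = None                             # top-level entry closed
        elif tok[0] == "end" and stack:
            stack.pop()
    return tables

def audit(text):  # list deviations from the session-helper entry and strict-register setting
    tables, findings = parse_tables(text), []
    wanted = {"name": "sip", "protocol": "17", "port": "5060"}
    helpers = tables.get("system session-helper", {}).values()
    if not any(wanted.items() <= h.items() for h in helpers):
        findings.append("session-helper: no sip entry (protocol 17, port 5060)")
    for name, prof in tables.get("voip profile", {}).items():
        if prof.get("sip/strict-register") != "enable":
            findings.append(f"voip profile {name}: strict-register not enabled")
    return findings

print("\n".join(audit(SAMPLE)) or "no findings")
```

A profile is reported whenever the line `set strict-register enable` is absent from its `config sip` block, so run it against the output that lists every profile.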



