Objective

Configure Fortinet Fortigate 60D router to use VoIP Office services. 

Applies To

• Fortinet Fortigate 60D

Procedure

Important Information about Fortigate Firewalls and VoIP Office Service

After testing the Fortigate series firewalls and working with Fortigate support, Support Engineers have found there are issues with the NAT configuration on these devices.

While the Firewall is not unsupported, users with these devices will run into the following issues using a Fortigate:

1. Dropped calls
2. One way or no way audio 
3. Potential device registration issues
4. Duplicate SIP Ports and port shuffling

To mitigate some of these issues, Strict Register should be disabled to stop all phones from using a pinhole through port 65476 (external) and 5060 (internal). After this is complete if issues persist,

Delete SIP Firewall

Access the CLI cosole in the device GUI bu clicking >_ near the upper right hand corner 

1. In the Command Line Interface (CLI) run the following commands:   
   • config system session-helper
   • show
     

1. Notice that edit 13 contains SIP.
2. Enter the following commands:    
   • delete 13
   • end

Disable SIP Helper

1. In the Command Line Interface (CLI) run the following commands:   
   • config system settings
   • set default-voip-alg-mode kernel-helper-based
   • set sip-helper disable
   • set sip-nat-trace disable
   • end
     

1. Reboot the router using the web GUI under Status, or in the CLI with the following command:    
   • execute reboot

   
   

Configure Traffic Shaping and VoIP

1. In the web GUI, go to System > Feature Select > Additional Features.
   

1. Toggle Traffic Shaping and VoIP on.
2. Click Apply.

Disable Strict Register

Strict Register forces VoIP devices through a pinhole at port 65476 and will cause duplicate porting to occur.

To disable this setting run the following command in the Command Line Interface (CLI):

• config voip profile
• edit "Profile Name"
• config sip
• set strict-register disable
• end

Note: The VoIP profile name can be found under Security Profile -> VoIP. Please note if these settings do not persist through a reboot a factory reset or other troubleshooting steps may be needed on the Fortigate itself with Fortigate support.

Create VoIP Office Objects

1. In the web GUI, go to Policy & Objects.
2. Select Objects, then Addresses.
3. Click Create New, then click Address.
4. You will need to add each subnet in the format xxx.xx.xx.x/xx.
5. Do this for each of the VoIP Office subnets 

Group the VoIP Office Networks

1. In the web GUI, go to Policy & Objects.
2. Select Objects, then Addresses.
3. Click Create New, then click Address Group.
4. Create a Group Name.
5. Click Members, click each subnet, then click OK.

Set High-Priority Traffic Guarantee

1. In the web GUI, go to Policy & Objects.
2. Select Traffic Shapers.
3. Edit the existing High Priority Traffic Shaper.
4. Set Type to Shared.
5. Set Apply Shaper to Per Policy.
6. Set Traffic Priority to High.
7. Check Max Bandwidth and set to 1048576 Kb/s.
8. Check Guaranteed Bandwidth and set to 1000 Kb/s.
9. Click OK.
   

Create a New Policy

1. In the web GUI, go to Policy & Objects > Policy.
2. Select IPv4.
3. Create a new policy.
4. Set the following options:    
   • Incoming Interface: Internal
   • Source Address: All
   • Outgoing Interface: WAN
   • Destination Address: VoIP Office-networks
   • Service: All
   • Service: SIP, RTSP
5. Click OK.
   

Arrange Policy

1. In the web GUI, go to Policy & Objects > IPv4 Policy.
2. Double-click the VoIP Office policy.
3. Drag and drop the All VoIP Office-Networks policy to the top spot.