Topic
This article describes how to connect FortiGate firewalls as part of your Cytracom UCaaS system.
Environment
- Cytracom UCaaS
Description
Refer to our Firewall Best Practices guide for the latest IP address ranges and services.
Before you begin
- Ensure the modem or other ISP-provided equipment is in bridge mode.
- If the ISP assigns a static IP address, enter it on the FortiGate WAN interface.
- In most cases, the FortiGate can be accessed locally at 192.168.1.99 (the factory default management address).
Connect the FortiGate Firewall
Connect the FortiGate WAN port to the modem provided by the ISP, ensuring that the FortiGate is the only device connected to the modem. All other devices connect to the FortiGate LAN ports or to a switch connected to the FortiGate.
Configure the addresses
In the FortiGate UI:
1. Navigate to Policy & Objects.
2. Select Addresses, then select Create New→Address and configure the settings as follows:
- Name: Cytracom Voice 1.
- Color: Blue (optional).
- Type: Range.
- IP Range: 209.105.249.194 - 209.105.249.252
- Interface: Any.
- Show in Address List: Make sure this is checked.
- Comments: Cytracom VoIP (optional).
When finished, click OK at the bottom of the window to save.
Figure 1: Address configuration (click to enlarge)
Create the additional IP address ranges
Use the procedure above to create the following additional address objects:
- Cytracom Voice 2 (Range): 184.175.130.161 - 184.175.130.186
- Cytracom Voice 3 (Range): 205.142.242.20 - 205.142.243.254
- Cytracom Web (Range): 3.208.72.128 - 3.208.72.158
- Cytracom Firmware (Subnet): 52.90.29.99/32
Check each range against the current Firewall Best Practices guide before saving; the policies below are only as accurate as the ranges entered here.
Configure the Address Group
1. In the FortiGate UI, navigate to Policy & Objects, then select the Addresses option.
2. Select Create New→Address Group.
3. Configure the Address Group options as follows:
- Name: Cytracom Service Group
- Color: blue (optional)
- Members: Cytracom Voice 1, Cytracom Voice 2, Cytracom Voice 3, Cytracom Web, and Cytracom Firmware.
When finished, click OK in the bottom right-hand portion of the window.
Figure 2: Address group configuration (click to enlarge)
Create the incoming and outgoing policies
Create the outgoing policy
1. In the FortiGate UI, navigate to Policy & Objects, then select IPv4 Policy (named Firewall Policy on FortiOS 6.4 and later) and click Create New.
2. Configure the outbound policy options as follows:
- Name: Cytracom Out Policy (suggested)
- Incoming interface: LAN
- Outgoing interface: WAN
- Source: All (or, more restrictively, the LAN subnet or VLAN that contains the phones)
- Destination: Cytracom Service Group
- Schedule: Always
- Service: All (or only the SIP and RTP services listed in the Firewall Best Practices guide, which is tighter than a blanket allow)
- Action: ACCEPT
- NAT: On (toggled)
- IP Pool Configuration: Use Outgoing Interface Address
- Log Allowed Traffic: Enabled (optional)
- Enable this policy: On (toggled).
Figure 3: Outbound policy configuration (click to enlarge)
Create the inbound policy
In most cases an inbound policy is not needed, because the phones initiate the sessions and reply traffic for the outbound policy is allowed automatically. Create it only if inbound traffic from Cytracom is being dropped, for example by an explicit deny policy, or if the traffic log shows blocks from Cytracom's addresses.
1. In the FortiGate UI, navigate to Policy & Objects, then select IPv4 Policy (named Firewall Policy on FortiOS 6.4 and later) and click Create New.
2. Configure the inbound policy options as follows:
- Name: Cytracom In Policy (suggested)
- Incoming interface: WAN
- Outgoing interface: LAN
- Source: Cytracom Service Group (keep this restricted to the group; do not widen it to All)
- Destination: All
- Schedule: Always
- Service: All
- Action: ACCEPT
- NAT: On (toggled)
- IP Pool Configuration: Use Outgoing Interface Address
- Log Allowed Traffic: Enabled (optional)
- Enable this policy: On (toggled).
Figure 4: Inbound policy configuration (click to enlarge)
Create the traffic shaper
1. In the FortiGate UI, navigate to Policy & Objects, then select Traffic Shapers.
2. Click Add new shaper, then configure the options as follows:
- Type: Shared
- Name: Cytracom Traffic Shaper
- Traffic priority: High
- Guaranteed bandwidth: 90 kbps multiplied by the number of phones on the network (for example, 20 phones need 1800 kbps).
When finished, click OK in the bottom right-hand portion of the window.
Figure 5: Traffic shaper configuration (click to enlarge)
Create the traffic shaping policy
1. In the FortiGate UI, navigate to Policy & Objects, then select Traffic Shaping Policy.
2. Click Create New and configure the traffic shaping policy options as follows:
- Source: All
- Destination: Cytracom Service Group
- Service: All
- Outgoing interface: Any (or the WAN interface, which is where the shaper matters)
- Shared Shaper: Enabled (select Cytracom Traffic Shaper)
- Reverse Shaper: Enabled (select Cytracom Traffic Shaper)
When finished, click OK in the bottom right-hand portion of the window.
Figure 6: Traffic shaping policy configuration (click to enlarge)
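The same address objects, group, outbound policy, shaper and shaping policy entered from the FortiOS CLI, added here as a worked example rather than taken from the Cytracom article. The interface names lan and wan1, the ID 0 (which lets FortiOS assign the next free policy ID) and the guaranteed bandwidth of 1800 kbps (20 phones at 90 kbps) are assumptions to adapt to your unit; the address ranges are the ones listed above.

```fortios
# Address objects: one per range from the article, plus the /32 firmware server
config firewall address
    edit "Cytracom Voice 1"
        set type iprange
        set start-ip 209.105.249.194
        set end-ip 209.105.249.252
        set comment "Cytracom VoIP"
    next
    edit "Cytracom Voice 2"
        set type iprange
        set start-ip 184.175.130.161
        set end-ip 184.175.130.186
    next
    edit "Cytracom Voice 3"
        set type iprange
        set start-ip 205.142.242.20
        set end-ip 205.142.243.254
    next
    edit "Cytracom Web"
        set type iprange
        set start-ip 3.208.72.128
        set end-ip 3.208.72.158
    next
    edit "Cytracom Firmware"
        set subnet 52.90.29.99 255.255.255.255
    next
end

# Group the objects so the policies reference a single name
config firewall addrgrp
    edit "Cytracom Service Group"
        set member "Cytracom Voice 1" "Cytracom Voice 2" "Cytracom Voice 3" "Cytracom Web" "Cytracom Firmware"
    next
end

# Outbound policy: LAN to WAN, destination limited to the group, source NAT to the WAN address
# (interface names lan / wan1 are assumptions; "edit 0" lets FortiOS pick the next policy ID)
config firewall policy
    edit 0
        set name "Cytracom Out Policy"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Cytracom Service Group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Shared shaper: guaranteed bandwidth in kbps = 90 x number of phones (20 phones assumed)
config firewall shaper traffic-shaper
    edit "Cytracom Traffic Shaper"
        set guaranteed-bandwidth 1800
        set priority high
    next
end

# Shaping policy: apply the shaper in both directions to traffic bound for the group
config firewall shaping-policy
    edit 0
        set srcaddr "all"
        set dstaddr "Cytracom Service Group"
        set service "ALL"
        set dstintf "wan1"
        set traffic-shaper "Cytracom Traffic Shaper"
        set traffic-shaper-reverse "Cytracom Traffic Shaper"
    next
end
```

Paste the block into an SSH session or the CLI console, then confirm the result with show firewall addrgrp "Cytracom Service Group" and show firewall policy; the outbound policy must sit above any broader deny policy on the same interface pair, or it never matches.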
Configure DNS Filter and Web Filter
Configure the DNS Filter
1. In the FortiGate UI, navigate to Security Profiles, then select DNS Filter.
2. Configure the DNS Filter options as follows:
- Block DNS requests to known botnet C&C: Enabled
- FortiGuard category based filter: Choose your filter level
- Static Domain Filter: Enabled
- Redirect blocked DNS requests: Enabled
- Redirect Portal IP: Specify an IP address if you have one for this purpose
- Leave all other settings at their default.
When finished, click OK in the bottom right-hand portion of the window.
Figure 7: DNS Filter configuration (click to enlarge)
Configure the Web Filter
1. In the FortiGate UI, navigate to Security Profiles, then select Web Filter.
2. Configure Web Filter options as follows:
- FortiGuard category based filter: Enabled. Choose your filter level.
- Static URL Filter: Enabled.
- Leave all other settings at their default. Security profiles (this Web Filter and the DNS Filter above) take effect only once they are selected on a firewall policy, so attach them to the policy that carries user web and DNS traffic.
When finished, click OK in the bottom right-hand portion of the window.
Figure 8: Web Filter configuration (click to enlarge)
Configure SIP
1. Open a CLI session, using either PuTTY (SSH) or the CLI console built into the FortiGate UI.
2. Set the UDP idle timeout, in seconds, to the desired value for SIP (180 keeps idle SIP registrations and RTP streams from being expired early):
FGT30# config system global
FGT30 (global) # set udp-idle-timer 180
FGT30 (global) # end
FGT30#
Figure 9: Setting UDP timeout (click to enlarge)
3. Disable the SIP Application Layer Gateway (ALG). Enter the session helper table and list its entries:
FGT30# config system session-helper
FGT30 (session-helper) # show
The output will be similar to Figure 10 below. Find the entry whose block contains set name sip (in this example it is edit 13, but the number varies between firmware versions).
Figure 10: Finding the SIP ALG entry (click to enlarge)
4. Delete the SIP ALG entry and leave the configuration context:
FGT30 (session-helper) # delete 13
FGT30 (session-helper) # end
Figure 11: Deleting the SIP ALG entry (click to enlarge)
Sessions that already exist keep using the helper until they expire. On FortiOS 6.2 and later the SIP ALG can also run proxy-based through the default VoIP profile, so check the VoIP ALG mode in system settings as well, otherwise deleting the session helper alone does not turn SIP ALG off.
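The SIP-related CLI steps above in one pass, as an added example that is not from the Cytracom article. It assumes a FortiOS 6.2 or later unit, where the SIP ALG defaults to the proxy-based mode and must be switched to the kernel session helper before deleting the helper has any effect; the helper index 13 is taken from the article's example and must be replaced with the index that show reports on your unit.

```fortios
# UDP idle timer in seconds, so idle SIP registrations and RTP streams are not expired early
config system global
    set udp-idle-timer 180
end

# FortiOS 6.2+ (assumed): move SIP handling off the proxy-based ALG onto the kernel session
# helper and disable SIP NAT tracing, so that removing the helper below fully disables SIP ALG
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper disable
    set sip-nat-trace disable
end

# List the helpers, find the block containing "set name sip", then delete that index
# (13 is the article's example; the index differs between firmware versions)
config system session-helper
    show
    delete 13
end
```

Only new sessions see the change. Established phone sessions keep the old behaviour until they time out or are cleared with diagnose sys session clear, which drops every session on the unit, so run it outside business hours and have the phones re-register afterwards.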
Your FortiGate Firewall is now properly configured for Cytracom UCaaS.
Still have questions? Click here to learn how to contact Cytracom Technical Support.