Cytracom UCaaS: Setting up a FortiGate firewall

Topic

This article describes how to connect FortiGate firewalls as part of your Cytracom UCaaS system.

Environment

  • Cytracom UCaaS

Description

Refer to our Firewall Best Practices guide for the latest IP address ranges and services.

Before you begin

  • Ensure the modem or other ISP-provided equipment is in bridge mode
  • If the IP address is static, you must load this information into the FortiGate.
  • In most cases, the router can be accessed locally at 192.168.1.99.

Connect the FortiGate Firewall

Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or to a switch connected to the router.

Configure the addresses

In the Fortigate UI:

1. Navigate to Policy & Objects

2. Scroll down and select the Addresses option, then configure the settings as follows:

  • Name: Cytracom Voice 1.
  • Color: Blue (optional).
  • Type: Range.
  • IP Range: 209.105.249.194 - 209.105.249.252
  • Interface: Any.
  • Show in Address List: Make sure this is checked.
  • Comments: Cytracom VoIP (optional).

When finished, click OK at the bottom of the window to save.

Figure 1: Address configuration

Create the additional IP address ranges

Use the procedure above to create the following additional IP address ranges:

  • Cytracom Voice 2 (Range): 184.175.130.161 - 184.175.130.186
  • Cytracom Voice 3 (Range): 205.142.242.20 - 205.142.243.254
  • Cytracom Web (Range): 3.208.72.128 - 3.208.72.158
  • Firmware Server (Subnet): 52.90.29.99/32

Configure the Address Group

1. In the FortiGate UI, navigate to Policy & Objects, then select the Addresses option.

2. Select Create New > Address Group.

3. Configure the Address Group options as follows:

  • Name: Cytracom Service Group
  • Color: blue (optional)
  • Members: Cytracom Voice 1, Cytracom Voice 2, Cytracom Voice 3, Cytracom Web, and Cytracom Firmware.

When finished, click OK in the bottom right-hand portion of the window. 

Figure 2: Address group configuration

Create the incoming and outgoing policies

Create the outgoing policy

1. In the FortiGate UI, navigate to Policy & Objects, then select IPv4 Policy.

2. Configure the outbound policy options as follows:

  • Name: Cytracom Out Policy (suggested)
  • Incoming interface: LAN
  • Outgoing interface: WAN
  • Source: All
  • Destination: Cytracom Service Group
  • Schedule: Always
  • Service: All
  • Action: ACCEPT
  • NAT: On (toggled)
  • IP Pool Configuration: Use Outgoing Interface Address
  • Log Allowed Traffic: Enabled (optional)
  • Enable this policy: On (toggled).

Figure 3: Outbound policy configuration

Create the inbound policy

In most cases, an inbound policy is not needed. You will need one only if you use a catch-all deny rule or otherwise explicitly block inbound traffic.

1. In the FortiGate UI, navigate to Policy & Objects, then select IPv4 Policy.

2. Configure the inbound policy options as follows:

  • Name: Cytracom In Policy (suggested)
  • Incoming interface: WAN
  • Outgoing interface: LAN
  • Source: Cytracom Service Group
  • Destination: All
  • Schedule: Always
  • Service: All
  • Action: ACCEPT
  • NAT: On (toggled)
  • IP Pool Configuration: Use Outgoing Interface Address
  • Log Allowed Traffic: Enabled (optional)
  • Enable this policy: On (toggled).

Figure 4: Inbound policy configuration

Create the traffic shaper

1. In the FortiGate UI, navigate to Policy & Objects, then select Traffic Shapers.

2. Click Add new shaper, then configure the options as follows:

  • Type: Shared
  • Name: WAN
  • Traffic priority: High
  • Guaranteed bandwidth: 90 kbps multiplied by the number of phones on the network.

When finished, click OK in the bottom right-hand portion of the window. 

Figure 5: Traffic shaper configuration

Create the traffic shaping policy

1. In the FortiGate UI, navigate to Policy & Objects, then select Traffic Shaping Policy.

2. Configure the traffic shaping policy options as follows:

  • Outgoing interface: Any
  • Shared Shaper: Enabled (Select Cytracom Traffic Shaper)
  • Reverse Shaper: Enabled (Select Cytracom Traffic Shaper)

When finished, click OK in the bottom right-hand portion of the window.

Figure 6: Traffic shaping policy configuration
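The shared shaper and the shaping policy above as FortiOS CLI, with the bandwidth figure worked through for a constructed site of 20 phones (90 kbps x 20 = 1800 kbps). This is an added example, not configuration from the original article or from Cytracom; it uses the shaper name "Cytracom Traffic Shaper" from the shaping policy step (the shaper step names it "WAN"), and "wan" as the outgoing interface is an assumption.

```fortios
# Added example, not Cytracom's own config. Assumes 20 phones: 90 kbps x 20 = 1800 kbps (constructed)
config firewall shaper traffic-shaper
    edit "Cytracom Traffic Shaper"
        set per-policy disable
        set guaranteed-bandwidth 1800
        set priority high
    next
end
# Apply the shaper in both directions to traffic for the Cytracom group; "wan" is an assumed interface name
config firewall shaping-policy
    edit 1
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "Cytracom Service Group"
        set service "ALL"
        set traffic-shaper "Cytracom Traffic Shaper"
        set traffic-shaper-reverse "Cytracom Traffic Shaper"
    next
end
```

Setting per-policy to disable keeps the shaper shared, so all phones draw from the one guaranteed pool rather than each policy getting 1800 kbps; recompute the value whenever handsets are added.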

Configure DNS Filter and Web Filter

Configure DNS

1. In the FortiGate UI, navigate to Security Profiles, then select DNS Filter.

2. Configure DNS Filter options as follows:

  • Block DNS requests to known botnet C&C: Enabled.
  • FortiGuard category based filter: Choose your filter level.
  • Static Domain Filter: Enabled.
  • Redirect blocked DNS requests: Enabled.
  • Redirect Portal IP: Specify an IP address if you have one for this purpose.
  • Leave all other settings at their defaults.

When finished, click OK in the bottom right-hand portion of the window.

Figure 7: DNS Filter configuration

Configure the Web Filter

1. In the FortiGate UI, navigate to Security Profiles, then select Web Filter.

2. Configure Web Filter options as follows:

  • FortiGuard category based filter: Enabled. Choose your filter level.
  • Static URL Filter: Enabled.
  • Leave all other settings at their defaults.

When finished, click OK in the bottom right-hand portion of the window.

Figure 8: Web Filter configuration

Configure SIP

1. Open a Terminal session.

2. Using either PuTTY or the built-in CLI, set the UDP idle timeout to the desired value for SIP:

FGT30# config sys global

FGT30(global) # set udp-idle-timer 180

FGT30(global) # end

FGT30#

Figure 9: Setting UDP timeout

3. Using either PuTTY or the built-in CLI, disable the SIP Application Layer Gateway (ALG) by removing its session helper:

FGT30# config system session-helper

The output will be similar to the figure below. Find the entry whose name is sip (in this example it is edit 13, but it may be a different edit number on your unit).

Figure 10: Finding the SIP ALG entry

4. Delete the SIP ALG entry, using the edit number found in the previous step:

FGT30E5618064903 (session-helper) # delete 13

FGT30E5618064903 (session-helper) # end

Figure 11: Deleting the SIP ALG entry

Your FortiGate Firewall is now properly configured for Cytracom UCaaS.
