Known Issues:

  1. SIP ALG is enabled by default, but it can be disabled.
     
  2. RTP processing causes call and fax audio issues. Therefore, that setting needs to be disabled.
     
  3. DNS relay/proxy is disabled by default, but it can be enabled. Verify that it is disabled; this prevents intermittent DNS lookup timeouts, which affect only Polycom phones.
     
  4. If the DHCP DNS Servers are set to the same addresses as the System (WAN) DNS servers, this triggers a FortiGate software issue in which the DNS Server addresses (DHCP option 6) are not passed to the phones.
    • This causes Vertical phones to get stuck in Configuring mode.
    • It causes Polycom phones to show Line Unregistered, URL Calling Is Disabled, Unknown Network Error, Invalid Hostname, a Red Triangle with an Exclamation point in the middle, and other Polycom errors that cause the phone to be unable to make/receive calls.
       
  5. All inbound and outbound audio can be blocked by the firewall’s application control settings.

Resolution: 

  1. The instructions below may vary depending on the model and firmware version of your FortiGate device. 
  2. Log in to the FortiGate.
    • If you cannot log in or cannot find the settings below, email the instructions below to your IT team or contact FortiGate Technical Support for help making the changes.
  3. Open the command-line interface (CLI) from the dashboard or connect via an SSH client.
  4. Enter the following commands in FortiGate’s CLI:

    • Use the following commands for a device on FortiOS starting at 6.2.2
      1. config system settings
      2. set sip-expectation disable
      3. set sip-nat-trace disable
      4. set default-voip-alg-mode kernel-helper-based
      5. end
    • For devices below FortiOS version 6.2.2 use the following commands
      1. config system settings
      2. set sip-helper disable
      3. set sip-nat-trace disable
      4. set default-voip-alg-mode kernel-helper-based
      5. end
    • If you encounter an error while entering set default-voip-alg-mode kernel-helper-based, ignore it
    • The rest of the configuration will be the same for all FortiOS versions
    • Run the following commands
      1. config system session-helper
      2. show 
        1. Find the entry for SIP; this is typically 12, but it may differ depending on the software version and model
      3. delete 12
        1. Alternatively, use the entry you found in the previous step
      4. end
    • Enter the following commands in the CLI to disable RTP processing
      1. config voip profile
      2. edit default
      3. config sip
      4. set rtp disable
      5. end
      6. end
    • Once done, reboot the device. FortiGate firewalls do not normally require a reboot when you change the configuration, but in this case the reboot is needed to activate the session helper changes
    • Lastly, reboot all of your SIP Devices/Phones
       
  5. The following step is only needed if you have or plan to purchase Polycom phones and you are using your FortiGate as your DHCP server on your local network:
    1. In the FortiGate web interface -> expand the Network section on the left-hand side of the page -> click on Interface.
      • Under DHCP Server > DNS Server > make sure Same as System DNS is selected.
    2. Under the Network section on the left-hand side of the page > click on Interface > DNS Settings > set it to Specify > set the following:
      • Primary DNS Server: 8.8.8.8
      • Secondary DNS Server: 8.8.4.4
    3. Click Apply to save.
      • If you cannot find the DNS settings above, then try to change the DNS settings using the command-line interface (CLI):
        • Go back to the dashboard and open the CLI and enter the following commands:
          • config system dns
          • set primary 8.8.8.8
          • set secondary 8.8.4.4
          • set cache disable
          • end
    4. Reboot the FortiGate device again and all of the phones on the network.
    5. If your computers and other devices on the network lose their internet connection, you may also need to reboot them to clear their DNS cache. Alternatively, run the following Windows command to clear the DNS cache manually:
      • ipconfig /flushdns
  6. Select Security Profile > Application Control > Uncheck Video/Audio and save your changes.
  7. There may be other settings that you need to configure depending on the FortiOS version that you're using. If firewall-related phone issues persist, contact your IT team or FortiGate Technical Support.

Note: If you are running FortiOS 5.2 or 5.4, you will need to disable VoIP inspection. To do so, refer to the steps described in the Fortinet Knowledge Base article Disabling VoIP Inspection.
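
To confirm that the CLI changes in step 4 of the Resolution took effect, the following added example (not part of the original article and not Fortinet code) parses saved show full-configuration output and reports any of those settings that are still missing. The function names and the sample configuration are constructed for illustration.

```python
# Added example, not Fortinet code. Assumes input is "show full-configuration" text.
def parse_fortios(text):
    """Flatten config/edit/set/next/end blocks into {"a / b": {key: value}}."""
    settings, stack = {}, []  # stack holds the open (kind, name) blocks
    for line in text.splitlines():
        words = line.split()
        head = words[0] if words else ""
        if head in ("config", "edit"):
            stack.append((head, " ".join(words[1:]).strip('"')))
        elif head == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif head == "end":
            # "end" typed inside an edit closes the edit and its parent config
            while stack and stack.pop()[0] != "config":
                pass
        elif head == "set" and len(words) >= 3:
            path = " / ".join(name for _, name in stack)
            settings.setdefault(path, {})[words[1]] = " ".join(words[2:]).strip('"')
    return settings

def audit_voip(text):
    """Return findings; an empty list means every step 4 setting is in place."""
    cfg = parse_fortios(text)
    sys_set = cfg.get("system settings", {})
    findings = []
    # FortiOS 6.2.2 and later use sip-expectation; older releases use sip-helper
    if "disable" not in (sys_set.get("sip-expectation"), sys_set.get("sip-helper")):
        findings.append("sip-expectation/sip-helper not disabled")
    if sys_set.get("sip-nat-trace") != "disable":
        findings.append("sip-nat-trace not disabled")
    if sys_set.get("default-voip-alg-mode") != "kernel-helper-based":
        findings.append("default-voip-alg-mode not kernel-helper-based")
    for path, values in cfg.items():
        if path.startswith("system session-helper / ") and values.get("name") == "sip":
            findings.append("SIP session helper present: entry " + path.rsplit(" / ", 1)[1])
    if cfg.get("voip profile / default / sip", {}).get("rtp") != "disable":
        findings.append("RTP processing enabled in voip profile default")
    return findings

# Constructed sample: a device where only the first system setting was changed
SAMPLE = """config system settings
set sip-expectation disable
end
config system session-helper
edit 12
set name sip
next
end"""
print("\n".join(audit_voip(SAMPLE)) or "all VoIP settings applied")
```

The session helper is matched by its name rather than by number, so the check still works on models where the SIP entry is not 12.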
