How to configure the FortiGate for a 3CX UC system with SIP trunk

3CX is a very widespread UC solution (phone system, also known as a PBX). FortiGate is a very widespread firewall solution. Both products are very good at what they do, but to make them work together a little bit of configuration is needed.

Below you can find an example configuration of a FortiGate firewall that is used to allow the communication from and to the 3CX communication system.

Please note that this article contains only the FortiGate configuration needed for connectivity. UTM/security profiles (IPS, antivirus, web filtering, application control) and other hardening are not part of this documentation and must be added afterwards — in particular on the inbound policy, which exposes the 3CX system to the Internet. Also keep in mind that 3CX requires SIP ALG to be disabled: the `set helper disable` lines below only keep the FortiGate session helper away from those custom services, so check the `config system settings` options of your FortiOS version (e.g. `default-voip-alg-mode`, `sip-helper`) to make sure no SIP ALG or VoIP profile still rewrites SIP traffic. The DNS configuration is not part of this guide either, since it differs from case to case.

For simplicity, we replaced the dedicated FortiGate WAN IP address used for the phone system with “123.123.123.123” and the DMZ IP address of the 3CX system with “10.10.10.10”. Note that 123.123.123.123 is a real, routable address — replace both values with your own before applying the configuration.

3CX has its own guide on how to configure a FortiGate for the 3CX appliance. But since several customers contacted us because that guide did not work as expected, we decided to write our own how-to.

We are very interested in your comments about this article. Did you get it to work? What problems did you face? Did you find any mistakes? Please let us know in the comments.

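config firewall vip
    # Static 1:1 NAT (all ports) from the dedicated public address to the 3CX host in the DMZ.
    # The VIP is bound to the WAN interface instead of "any" so that it is only matched for
    # sessions arriving on the WAN side; which ports are actually reachable is decided by the
    # inbound firewall policy that references this VIP.
    edit "VIP_wan-to-3cx"
        set extip "123.123.123.123"
        set mappedip "10.10.10.10"
        set extintf "wan"
    next
end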
config firewall ippool
    # Single-address (overload) pool used by the outbound policy so that the 3CX system
    # always sources its Internet traffic from the same public address as the VIP.
    edit "IPPOOL_3cx"
        set startip 123.123.123.123
        set endip 123.123.123.123
    next
end
config firewall service custom
    # Custom service objects for the 3CX system. Port numbers follow the 3CX defaults at the
    # time of writing — verify them against the 3CX firewall checker / your installation.
    # 3CX web client / management interface (HTTPS).
    edit "3CX HTTPS"
        set tcp-portrange 5001
    next
    # 3CX web interface (HTTP).
    edit "3CX HTTP"
        set tcp-portrange 5000
    next
    # SIP signalling: 5060/UDP and 5061/TCP (TLS). "helper disable" keeps the FortiGate
    # session helper off this service. NOTE(review): 5060/TCP is not included here — add it
    # if your trunk provider or remote phones use SIP over TCP.
    edit "3CX SIP"
        set helper disable
        set tcp-portrange 5061
        set udp-portrange 5060
    next
    # Despite the name, 5090 is the 3CX tunnel port (used by the 3CX apps / SBC), not STUN.
    edit "3CX STUN"
        set helper disable
        set tcp-portrange 5090
        set udp-portrange 5090
    next
    # RTP media range used by 3CX.
    edit "3CX RTP"
        set helper disable
        set udp-portrange 9000-10999
    next
    # WebRTC / web client on the standard HTTPS port.
    edit "3CX WebRTC"
        set tcp-portrange 443
    next
    # STUN (3478/UDP) towards the 3CX STUN servers, used for the public-IP test (outbound only).
    edit "3CX Server Test"
        set udp-portrange 3478
    next
    # Outbound mail submission used by 3CX (outbound only).
    edit "3CX SMTP"
        set tcp-portrange 2528
    next
end
config firewall address
    # Host object for the 3CX system in the DMZ; the outbound policy is restricted to this
    # single address so no other DMZ host can use the phone-system public IP.
    edit "3cx-address"
        set subnet 10.10.10.10 255.255.255.255
    next
end
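config firewall policy
    # Outbound: 3CX host -> Internet, source-NATed to the dedicated public address.
    # fixedport keeps the original source port (e.g. 5060, 5090) so the SIP trunk and the 3CX
    # tunnel see the expected ports. With a single-address overload pool only one internal host
    # can claim a given source port; that works here because srcaddr is the single 3CX address.
    # Traffic logging is enabled so the phone system's outbound connections can be audited.
    edit 0
        set srcintf "dmz"
        set dstintf "wan"
        set action accept
        set srcaddr "3cx-address"
        set dstaddr "all"
        set schedule "always"
        set service "3CX SIP" "3CX STUN" "3CX HTTP" "3CX HTTPS" "3CX RTP" "3CX WebRTC" "3CX Server Test" "3CX SMTP" "HTTP"
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "IPPOOL_3cx"
        set logtraffic all
    next
    # Inbound: Internet -> 3CX via the VIP. This exposes the web client (5001, 443), the 3CX
    # tunnel (5090), SIP and the RTP range to any source address. If the SIP trunk provider
    # publishes its signalling/media addresses, restrict srcaddr for SIP/RTP to them in a
    # separate policy; attach UTM/IPS profiles before going live. Logging is enabled so the
    # Internet-exposed services can be monitored.
    edit 0
        set srcintf "wan"
        set dstintf "dmz"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP_wan-to-3cx"
        set schedule "always"
        set service "3CX STUN" "3CX WebRTC" "3CX HTTPS" "3CX RTP" "3CX SIP"
        set logtraffic all
    next
end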

Further information

https://www.3cx.com/docs/firewall-checker/

https://www.3cx.com/docs/fortigate-firewall-configuration/
