shane95129
New Contributor

Fortigate blocking incoming SIP traffic for remote clients

Hey everyone,

I currently have a Cloud PBX running with a public IP address, and I am trying to register a SIP client to it. I am seeing packets hitting the PBX; however, all incoming packets are being denied. Please see attached for pictures.

I have also created a policy to allow all incoming traffic from 149.xxx.xxx.xxx into my local subnet. I have tried with and without NAT on both the SIP client and Fortigate.

SIP ALG helper and session helper are also disabled. We currently have a working setup with a PBX hosted behind the Fortigate; however, we are in the process of migrating it to the cloud due to power issues at our office location.

Any help would be greatly appreciated!

Thanks in advance.

2 REPLIES
sw2090
Honored Contributor

Hm, that doesn't provide much information.

I'd suggest doing some flow trace to see what really happens to your packets. This provides more info, like which policy was matched or whatever happened to the packet.

diag debug ena

diag debug flow filter clear

diag debug flow filter <rule>  (for some filtering like src or dest ip)(you might get lost without filters *g*)

(diag debug flow filter list shows you a list and state of filters)

diag debug flow trace start <numberofpackets>

Then watch the CLI and do some SIP.

Maybe this gives you a clue?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

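Added example, not part of the reply above and not Fortinet tooling: a short Python script that groups saved flow-trace output by trace_id and reports which policy allowed or denied each packet. The sample lines are constructed, and the message wording they follow is an assumption based on typical FortiOS output, which varies by version.

```python
import re

# Constructed sample modelled on typical `diag debug flow` output; addresses are
# documentation ranges, and func names / line numbers differ between builds.
SAMPLE_TRACE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=17, 198.51.100.20:5060->192.0.2.10:5060) from wan1."
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-0001a2b3"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-192.0.2.10 via internal"
id=20085 trace_id=1 func=fw_forward_handler line=599 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:5060->198.51.100.20:5060) from internal."
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Allowed by Policy-7: SNAT"
'''

LINE_RE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from ([^\s.]+)')
VERDICTS = [  # message wording assumed; extend for other drop reasons you see
    (re.compile(r'Denied by forward policy check \(policy (\d+)\)'), 'deny'),
    (re.compile(r'Allowed by Policy-(\d+)'), 'allow'),
]

def summarize(text):
    """Group trace lines by trace_id; record the packet tuple and policy verdict."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip CLI echo, prompts, blank lines
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {'packet': None, 'verdict': 'unknown', 'policy': None})
        pkt = PKT_RE.search(msg)
        if pkt:
            t['packet'] = pkt.groups()  # (proto, src, dst, ingress interface)
        for rx, verdict in VERDICTS:
            v = rx.search(msg)
            if v:
                t['verdict'], t['policy'] = verdict, int(v.group(1))
    return traces

def implicit_denies(traces):
    """Trace ids dropped by policy 0, the implicit deny: no configured policy matched."""
    return [tid for tid, t in traces.items() if t['verdict'] == 'deny' and t['policy'] == 0]

if __name__ == '__main__':
    result = summarize(SAMPLE_TRACE)
    for tid, t in result.items():
        print(tid, t['packet'], t['verdict'], 'policy', t['policy'])
    print('implicit deny on traces:', implicit_denies(result))
```

A packet reported under policy 0 never matched any configured rule, so the next thing to compare against the trace is the allow policy's interfaces, addresses and service.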
kubimike
New Contributor III

Best to follow this guide. I had all kinds of SIP issues. This solved them all; this ALG feature should be OFF by default!

https://www.vatacom.com/knowledge-base/disable-sip-alg-fortigate-firewalls/
