Skip to main content

 

 
8x8 Support

How to Configure Fortinet Fortigate 60D Router

Important-Icon.png The purpose of this article is to provide a sample configuration. At the time of article creation, this device was in a known working state on the firmware used. 

Keep in mind different firmware versions will interact with hosted VoIP services in different ways. While this device may be fully functional on the tested and/or current firmware version, it is possible newer revisions will cause disruptions in service or make a device fully compliant with the required settings for hosted VoIP services where it was previously not.
Note-Icon.png Note: We highly recommend consulting an IT or network professional when configuring advanced network settings or devices.

Objective

Configure Fortinet Fortigate 60D router to use with 8x8 services. 

Applies To

  • Fortinet Fortigate 60D

Procedure

Important Information about Fortigate Firewalls and 8x8 Service

After testing the Fortigate series firewalls and working with Fortigate support, Support Engineers have found there are issues with the NAT configuration on these devices.

While the Firewall is not unsupported, users with these devices will run into the following issues using a Fortigate:

  1. Dropped calls
  2. One way or no way audio 
  3. Potential device registration issues
  4. Duplicate SIP Ports and port shuffling

To mitigate some of these issues, Strict Register should be disabled to stop all phones from using a pinhole through port 65476 (external) and 5060 (internal). After this is complete if issues persist, set the local SIP ports on each phone to unique port assignments.

Delete SIP Firewall

Access the CLI cosole in the device GUI bu clicking >_ near the upper right hand corner 

CLI console access.PNG

  1. In the Command Line Interface (CLI) run the following commands:
    • config system session-helper
    • show
      Fortinet1-600x203.jpg
  2. Notice that edit 13 contains SIP.
  3. Enter the following commands:
    • delete 13
    • end

Disable SIP Helper

  1. In the Command Line Interface (CLI) run the following commands:
    • config system settings
    • set default-voip-alg-mode kernel-helper-based
    • set sip-helper disable
    • set sip-nat-trace disable
    • end
      fortigate updated alg.PNG
  2. Reboot the router using the web GUI under Status, or in the CLI with the following command:
    • execute reboot

Configure Traffic Shaping and VoIP

  1. In the web GUI, go to System > Feature Select > Additional Features.
    Fortigate_Traffic_Shaping-600x360.png
  2. Toggle Traffic Shaping and VoIP on.
  3. Click Apply.

Disable Strict Register

Strict Register forces VoIP devices through a pinhole at port 65476 and will cause duplicate porting to occur.

To disable this setting run the following command in the Command Line Interface (CLI):

  • config voip profile
  • edit "Profile Name"
  • config sip
  • set strict-register disable
  • end
Note-Icon.png Note: The VoIP profile name can be found under Security Profile -> VoIP. Please note if these settings do not persist through a reboot a factory reset or other troubleshooting steps may be needed on the Fortigate itself with Fortigate support.

VoiP Profile.PNG

Create 8x8 Objects

  1. In the web GUI, go to Policy & Objects.
  2. Select Objects, then Addresses.
  3. Click Create New, then click Address.
    Fortigate_8x8_Subnets-600x157.png
  4. You will need to add each subnet in the format xxx.xx.xx.x/xx.
  5. Do this for each of the 8x8 US subnets listed in the X Series Technical Requirements document.

Group the 8x8 Networks

  1. In the web GUI, go to Policy & Objects.
  2. Select Objects, then Addresses.
  3. Click Create New, then click Address Group.
  4. Create a Group Name.
  5. Click Members, click each subnet, then click OK.
    Fortigate_Group_8x8_Networks-600x188.png

Set High-Priority Traffic Guarantee

  1. In the web GUI, go to Policy & Objects.
  2. Select Traffic Shapers.
  3. Edit the existing High Priority Traffic Shaper.
  4. Set Type to Shared.
  5. Set Apply Shaper to Per Policy.
  6. Set Traffic Priority to High.
  7. Check Max Bandwidth and set to 1048576 Kb/s.
  8. Check Guaranteed Bandwidth and set to 1000 Kb/s.
  9. Click OK.
    Fortigate_High_Priority_Traffic-600x304.png

Create a New Policy

  1. In the web GUI, go to Policy & Objects > Policy.
  2. Select IPv4.
  3. Create a new policy.
  4. Set the following options:
    • Incoming Interface: Internal
    • Source Address: All
    • Outgoing Interface: WAN
    • Destination Address: 8x8-networks
    • Service: All
    • Service: SIP, RTSP
  5. Click OK.
    Fortigate_Create_New_Policy-600x508.png

Arrange Policy

  1. In the web GUI, go to Policy & Objects > IPv4 Policy.
  2. Double-click the 8x8 policy.
  3. Drag and drop the All 8x8-Networks policy to the top spot.
    Fortigate_Arrange_Policy-600x102.png

Verify Traffic

Start a call and download some large traffic (e.g., https://www.nasa.gov/content/ultra-high-definition-video-gallery shown below) or use a tool like iperf.

Fortinet11-600x402.jpg

Review Traffic Shaper Monitor

  1. In the web GUI, go to Policy & Objects > Monitor.
  2. Select Traffic Shaper Monitor.
  3. Note that since the default traffic is left alone, it doesn’t show in the Traffic Shaper Monitor. Only the reserved traffic displays, in this case high-priority.

Additional Information

  • The default TCP Time out on the Fortigate is 3600 seconds, this value does not need to be lowered. However, if this value is lowered it needs to be at least 660 seconds or 11 minutes.
  • Firmware updates may re-enable some system settings. After a firmware update if you begin to experience issues with the phones again, verify the firewall still has the proper configuration. 
  • To validate the settings implemented are written successfully to the configuration file, download a back up of the existing configuration and verify the following information has been written:

config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set strict-register disable
            set register-rate 660
            set invite-rate 660

config system settings
    set inspection-mode flow
    set sip-nat-trace disable
    set default-voip-alg-mode kernel-helper-based

    set gui-voip-profile enable