Configuring a FortiGate 40F Firewall with 3CX

Introduction

FortiGate 40F Router

This document describes the configuration of a FortiGate 40F running mature firmware 7.0.X. It should be compatible with any device running this firmware or later.

Step 1: Disable SIP ALG

The SIP ALG functionality must be disabled via the FortiGate's CLI:

    config system settings
        set sip-expectation disable
        set sip-nat-trace disable
        set default-voip-alg-mode kernel-helper-based
    end

    config voip profile
        edit default
            config sip
                set rtp disable
            end
        next
    end

Next, we need to remove the SIP session helper.

  1. Run the following commands:

    config system session-helper
        show

  2. Amongst the displayed settings will be one similar to the following example (the entry number varies between devices, so match on the name "sip", protocol 17 and port 5060 rather than on the number):

    edit 13
        set name sip
        set protocol 17
        set port 5060

  3. In this example the next commands would be:

    delete 13
    end

Now reboot the firewall using either GUI or CLI!

The CLI command is:

  • execute reboot
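The session-helper entry number differs from one FortiGate to another, so the `delete 13` above must not be copied blindly. The following Python script, added here as an example and not part of the 3CX or Fortinet documentation, parses the text that `show` prints (a constructed sample is embedded; entry numbers and the other helpers are made up) and builds the `delete` block from the entry whose name is `sip`:

```python
import re

# Constructed sample of what `config system session-helper` followed by `show`
# prints on a FortiGate. Entry numbers and the other helpers are made up for
# the example; the sip entry mirrors the one shown in the document.
SAMPLE_SHOW_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
end
"""

_EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_session_helpers(show_output):
    """Return {entry_id: {"name": ..., "protocol": ..., "port": ...}}.

    Walks the `edit N` / `set key value` / `next` structure of FortiOS CLI output.
    """
    helpers = {}
    current = None
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = int(m.group(1))
            helpers[current] = {}
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            helpers[current][m.group(1)] = m.group(2)
        elif line.strip() in ("next", "end"):
            current = None
    return helpers


def find_sip_helper_ids(show_output):
    """IDs of every helper named 'sip' (matched by name, never by the number 13)."""
    return sorted(
        eid for eid, attrs in parse_session_helpers(show_output).items()
        if attrs.get("name") == "sip"
    )


def delete_commands(show_output):
    """CLI block that removes the SIP helper(s), or None if no SIP helper is present."""
    ids = find_sip_helper_ids(show_output)
    if not ids:
        return None
    lines = ["config system session-helper"]
    lines += ["    delete %d" % eid for eid in ids]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Paste the real `show` output in place of the sample and run the printed block on the firewall.
    print(delete_commands(SAMPLE_SHOW_OUTPUT))
```

Returning `None` when no `sip` entry exists is deliberate: on a firewall where the helper was already removed, the script must not emit a `delete` for an unrelated entry.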

Step 2: Create Outbound Rule for 3CX

  1. Go to “Policy & Objects” > “Firewall Policy”
  2. Click on “Create New” and fill in the policy:
     • “Name”: name the Firewall Policy for easier identification
     • “Incoming interface”: select your LAN interface (the interface your 3CX server is on)
     • “Outgoing interface”: select your WAN interface
     • “Source”: select your 3CX server
     • “Destination”: select “all”
     • “Schedule”: use the system default (always)
     • “Service”: select the 3CX services you created previously, plus the ports for push, DNS and SMTP
     • “Action”: use the system default (ACCEPT)
     • “NAT”: use the system default (checked)

More information about ports used by 3CX : https://www.3cx.com/docs/manual/firewall-router-configuration/

Step 3: Create Inbound Rule to Access 3CX Server Remotely

Create Virtual IP

You need to create one virtual IP per service port to forward to the 3CX Server.

  1. Go to “Policy & Objects” > “Virtual IPs”
  2. Click on “Create New” > “Virtual IP” and fill in the form:
     • “Name”: name the virtual IP for easier identification
     • “Interface”: set the interface where your public IP is
     • “External IP address”: enter the external IP address of the internet access
     • “Map to IPv4 address”: enter the internal IP address of the 3CX Phone System server
     • “Port forwarding”: check the “Port forwarding” box to open the port-mapping settings
     • “Protocol”: set the protocol type depending on the port(s) you are forwarding (TCP or UDP)
     • “Port Mapping type”: use the system default “One to one”
     • “External service port”: enter the external port, commonly the same as the internal port
     • “Map to IPv4 port”: enter the internal port
  3. Once all Virtual IPs are created, they should look similar to the example below

Virtual IPs

In this example, our external IP is 1.2.3.4 and our 3CX Server IP is 192.168.10.10

Tip: you can create a Virtual IP group containing all the Virtual IPs to simplify the Firewall policy configuration.

Create Firewall Object

In order to create the firewall policy, we need to create a firewall service object.

  1. Go to “Policy & Objects” > “Services”
  2. Click on “Create New” > “Service” and fill in the form:
     • “Name”: name the Service for easier identification
     • “Protocol Type”: use the system default TCP/UDP/SCTP
     • “Address”: use the system default 0.0.0.0
     • “Destination port”: list all ports for 3CX
     • “Specify Source Ports”: leave unchecked

Create Firewall Policy

We need to create a Firewall policy in order to allow the traffic from external to 3CX.

  1. Go to “Policy & Objects” > “Firewall Policy”
  2. Click on “Create New” and fill in the policy:
     • “Name”: name the Firewall Policy for easier identification
     • “Incoming interface”: the interface where your internet access is
     • “Outgoing interface”: the interface where your 3CX server is (a VLAN interface in our example below)
     • “Source”: the IP addresses connections come from (use “all” to allow connections to 3CX from anywhere)
     • “Destination”: select all the Virtual IPs created previously
     • “Schedule”: use the system default (always)
     • “Service”: select the 3CX services created previously
     • “Action”: use the system default (ACCEPT)
     • “NAT”: uncheck NAT so that 3CX sees the remote addresses

More information about ports used by 3CX : https://www.3cx.com/docs/manual/firewall-router-configuration/
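When there are many ports to forward, the GUI steps of Step 3 become repetitive and error-prone (one Virtual IP per port, all of them in the policy, NAT off). The following Python script is an added example, not code from 3CX or Fortinet: it emits the FortiOS CLI equivalent of the Virtual IPs, a Virtual IP group, the service object and the inbound policy from a single port table. The addresses follow the document's example; the interface names (`wan`, `vlan10`) and the port list are placeholders, so substitute the real 3CX port list from the link above.

```python
# Constructed values: addresses follow the document's example, interface names
# and the port list are placeholders (take the real ports from the 3CX docs).
EXTERNAL_IP = "1.2.3.4"
SERVER_IP = "192.168.10.10"
WAN_IF = "wan"       # assumed name of the internet-facing interface
LAN_IF = "vlan10"    # assumed name of the VLAN interface holding the 3CX server
FORWARDED = [("tcp", "5001"), ("udp", "5060"), ("udp", "9000-10999")]  # placeholder ports


def vip_name(proto, port):
    return "3CX-%s-%s" % (proto, port)


def render_vips(forwarded, ext_ip=EXTERNAL_IP, server_ip=SERVER_IP, wan_if=WAN_IF):
    """One `config firewall vip` entry per forwarded protocol/port, one-to-one mapping."""
    out = ["config firewall vip"]
    for proto, port in forwarded:
        out += [
            '    edit "%s"' % vip_name(proto, port),
            "        set extip %s" % ext_ip,
            '        set extintf "%s"' % wan_if,
            "        set portforward enable",
            '        set mappedip "%s"' % server_ip,
            "        set protocol %s" % proto,
            "        set extport %s" % port,      # external service port
            "        set mappedport %s" % port,   # internal port, same value here
            "    next",
        ]
    out.append("end")
    return "\n".join(out)


def render_vip_group(forwarded, wan_if=WAN_IF, group="3CX-VIPs"):
    """Group all VIPs so the policy references one object (the document's tip)."""
    members = " ".join('"%s"' % vip_name(p, n) for p, n in forwarded)
    return "\n".join([
        "config firewall vipgrp",
        '    edit "%s"' % group,
        '        set interface "%s"' % wan_if,
        "        set member %s" % members,
        "    next",
        "end",
    ])


def render_service(forwarded, name="3CX-Services"):
    """Custom service listing every forwarded TCP and UDP port (source ports unrestricted)."""
    tcp = [n for p, n in forwarded if p == "tcp"]
    udp = [n for p, n in forwarded if p == "udp"]
    out = ["config firewall service custom", '    edit "%s"' % name]
    if tcp:
        out.append("        set tcp-portrange %s" % " ".join(tcp))
    if udp:
        out.append("        set udp-portrange %s" % " ".join(udp))
    out += ["    next", "end"]
    return "\n".join(out)


def render_inbound_policy(src="all", wan_if=WAN_IF, lan_if=LAN_IF,
                          group="3CX-VIPs", service="3CX-Services"):
    """Inbound policy with NAT disabled so 3CX logs the real remote address.
    Pass a named address object as `src` when remote users come from known ranges."""
    return "\n".join([
        "config firewall policy",
        "    edit 0",                      # 0 = next free policy ID
        '        set name "Inbound-3CX"',
        '        set srcintf "%s"' % wan_if,
        '        set dstintf "%s"' % lan_if,
        '        set srcaddr "%s"' % src,
        '        set dstaddr "%s"' % group,
        "        set action accept",
        '        set schedule "always"',
        '        set service "%s"' % service,
        "        set nat disable",
        "    next",
        "end",
    ])


def build_inbound_config(forwarded=FORWARDED):
    return "\n".join([render_vips(forwarded), render_vip_group(forwarded),
                      render_service(forwarded), render_inbound_policy()])


if __name__ == "__main__":
    print(build_inbound_config())
```

Review the generated text before pasting it into the CLI; the policy is placed with `edit 0`, which appends it after existing policies, so check its position in the policy list afterwards as FortiGate evaluates policies top down.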

Step 4: Create Internal DNS Resolution (Split DNS)

In order for 3CX to work properly locally, it is necessary to reach the server via its FQDN from the LAN without going out to the internet. For this we need to configure a DNS server on the FortiGate and create a DNS entry that maps the FQDN to the server's private IP.

Computers and IP Phones must use the FortiGate's LAN interface as their DNS server.

  1. Go to “System” > “Feature Visibility”
  2. Check “DNS Database”; once this box is checked you can configure the DNS server
  3. Go to “Network” > “DNS Servers”
  4. Click “Create New” under DNS Service on Interface
  5. Select all LAN interfaces in “Recursive” mode so that the DNS service is active on them
  6. Click “Create New” under DNS Database and fill in the zone:
     • “Type”: use the system default (Primary)
     • “View”: use the system default (Shadow)
     • “DNS Zone”: name your DNS Zone
     • “Domain Name”: domain of your 3CX server (in this example our FQDN is example.3cx.com, so our domain name is 3cx.com)
     • “Hostname of Primary DNS”: use the system default (Dns)
     • “TTL”: use the system default
     • “Authoritative”: uncheck this option
  7. Add DNS entries using “Create New”:
     • “Type”: set address (A)
     • “Hostname”: set the hostname (in this example our FQDN is example.3cx.com, so our hostname is example)
     • “IP Address”: set the IP address of your 3CX server

Test your configuration: try to resolve your 3CX FQDN from a computer on your LAN; it must return the internal address.
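The split-DNS setup above can also be scripted. The following Python example is added here and is not part of the 3CX or Fortinet documentation: it splits the FQDN into the zone and hostname the GUI steps ask for, emits the FortiOS CLI for the recursive DNS service and the shadow zone, and checks the result of the LAN resolution test. The FQDN and server IP follow the document's example; the interface names are assumptions.

```python
import ipaddress

# Constructed values following the document's example; interface names are assumed.
FQDN = "example.3cx.com"
SERVER_IP = "192.168.10.10"
LAN_INTERFACES = ["lan", "vlan10"]   # assumed interfaces the phones and PCs query


def split_fqdn(fqdn):
    """'example.3cx.com' -> ('example', '3cx.com'): hostname and zone as the GUI steps use them."""
    host, _, domain = fqdn.partition(".")
    if not host or not domain:
        raise ValueError("FQDN must contain a hostname and a domain: %r" % fqdn)
    return host, domain


def render_dns_service(interfaces):
    """Enable the recursive DNS service on every LAN-facing interface (step 5)."""
    out = ["config system dns-server"]
    for intf in interfaces:
        out += ['    edit "%s"' % intf, "        set mode recursive", "    next"]
    out.append("end")
    return "\n".join(out)


def render_dns_database(fqdn, ip, zone_name="3cx-split"):
    """Shadow, non-authoritative zone with one A record for the 3CX server (steps 6 and 7)."""
    host, domain = split_fqdn(fqdn)
    return "\n".join([
        "config system dns-database",
        '    edit "%s"' % zone_name,
        '        set domain "%s"' % domain,
        "        set type primary",
        "        set view shadow",            # answers only internal (recursive) clients
        "        set authoritative disable",  # other names in the domain still go to public DNS
        "        config dns-entry",
        "            edit 1",
        "                set type A",
        '                set hostname "%s"' % host,
        "                set ip %s" % ip,
        "            next",
        "        end",
        "    next",
        "end",
    ])


def check_resolution(resolved_ip, expected_ip=SERVER_IP):
    """The LAN test passes only if the answer is the private 3CX address, not the public one."""
    addr = ipaddress.ip_address(resolved_ip)
    return addr == ipaddress.ip_address(expected_ip) and addr.is_private


if __name__ == "__main__":
    print(render_dns_service(LAN_INTERFACES))
    print(render_dns_database(FQDN, SERVER_IP))
    # Feed check_resolution() the address returned by a lookup from a LAN client.
    print("LAN resolution ok:", check_resolution("192.168.10.10"))
```

`check_resolution` takes the address a LAN client actually received (for example from `nslookup example.3cx.com` on a phone or PC) so the script stays runnable offline; an answer equal to the public IP 1.2.3.4 means the client is not using the FortiGate as its DNS server or the zone is not active on that interface.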

Validating Your Setup

Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This will validate if your firewall is correctly configured for use with 3CX. More information about the Firewall Checker can be found here.


Last Updated

This document was last updated on 11 September 2024

https://www.3cx.com/docs/fortigate-firewall-configuration/