From the Command Line Interface

Step 1: Remove SIP Helper

1. In the Command Line Interface (CLI) run the following commands:
   • config system session-helper
   • show
2. For this example, edit 13 contains SIP
   

   WARNING: Depending on your deployment sip may be a different number, please substitute the correct entry number for the delete command.

    
    
3. Enter the following commands:
   • delete 13
   • end

Step 2: Disable SIP Helper and SIP NAT Trace

In the Command Line Interface (CLI) run the following commands:

• config system settings
• set default-voip-alg-mode kernel-helper-based
• set sip-nat-trace disable
• end

execute reboot

Step 3: Disable Strict Register

Strict Register forces VoIP devices through a pinhole at port 65476 and will cause duplicate porting to occur.

To disable this setting, run the following commands in the Command Line Interface (CLI):

• config voip profile
• edit <Profile_name>
• config sip
• set strict-register disable
• set invite-rate 300
• set register-rate 300
• end

From the GUI / UX

Step 1: Enable Traffic Shaping

1. Navigate to System → Feature Visibility.
2. In the Additional Features column, enable Traffic Shaping and VoIP.
   
3. Click the Apply button to save these changes.

Step 2: Create a VoIP Traffic Shaper

1. Navigate to Policy & Objects → Traffic Shaping → Traffic Shapers.
2. Click the + Create New button.
   
3. Fill in the following information:
   • Name - Type a name, such as SVoIP RTP Out.
   • Traffic priority - High, this will decrease the chance the traffic gets dropped during times of heavy network load
   • Maximum Bandwidth - In general this not needed in connections faster than 100 mbps
   • Guaranteed Bandwidth - Allocate at least 1000 kbps.
4. Click the OK button to create this traffic shaper.

Step 3: Add Addresses, Services, and Address Groups

Addresses

1. Navigate to Policy & Objects → Addresses.
2. Reference this table to see the addresses that should be added.
   

   Note: Here are the public subnets associated with our services:

   199.71.209.0/24

   24.227.249.0/25

   72.249.136.32/28

   206.123.122.32/27

   212.69.157.32/27

   40.143.31.64/27

   45.41.5.0/24

   12.150.91.0/24

    

3. Click the + Create new button.
   
4. Fill in the following information:
   
   • Name - Type a descriptive name about this address.
   • Type - Select Subnet.
   • IP/Netmask - Type the address you need from step 2. 

4. Click the OK button.
5. Repeat steps 2-5 for each address/port.

Address Group

1. Navigate to Policy & Objects → Addresses and go to the Address Group tab.
   
2. Click the + Create New button.
3. In the New Address Group menu, fill in the following information:
   
   
   • Name - Type a descriptive name, such as “SpectrumVoIPServices”.
   • Type - Click Group.
   • Members - Click the + icon and select the SpectrumVoIP Address Objects that were created.
4. Once you have selected all of the addresses look for the Close button at the bottom of the Select Entries.
5. Click the OK button.

Services/Ports

1. Navigate to Policy & Objects → Services.
2. Click the + Create new button.
   
    
3. In the New Service menu, fill in the following information:
   
   • Name - Type a descriptive name.
   • Category - Select VoIP, Messaging & Other Applications.
   • Protocol Type - Select TCP/UDP/SCTP.
   • Address - Click IP Range and type in the subnet of one of the addresses from the Address section.
   • Destination Port - For this option, do the following:
     • Select the appropriate port type, such as UDP.
     • Set the port range to match what is used by your platform.
       

       Port Ranges for Services

       Stratus Ports

       Main Utilized Ports

           •  5060-5062 UDP - SIP
           •  20,000-40,000 UDP - RTP
           •  80, 443 TCP - HTTP/HTTPS

       Portal Dynamic Updates

           •  8001 - TCP

       Text-to-Speech Services - TCP and UDP

           •  35.175.185.150:3001
           •  35.175.185.150:8000
           •  44.212.88.215:8000
           •  54.149.243.27:3001
           •  54.149.243.27:8000
           •  54.70.235.134:3001
           •  54.70.235.134:8000

       StratusMEETING - TCP and UDP

           •  54.188.133.147:3443
           •  3.130.158.184:3443
           •  35.183.150.146:3443

       StratusWEB PHONE

           •  9002 - TCP - websockets

        

       ES1 and ES2 Platform Ports

           •  5060-5062 UDP - SIP
           •  10,000-20,000 UDP - RTP
           •  80, 443 TCP - HTTP/HTTPS

        

       Push Notifications Ports

       Google's Firebase Cloud Messaging (FCM)

           •  443, 5228, 5229, 5230 - TCP

       Apple's Push Notification Service (APNs)

           •  5223, 443, 2197 - TCP

       More Info: Port 5223 is the primary port for communication with APNs. Ports 443 and 2197 are used for sending notifications from MDM to APNs and as a fallback on Wi-Fi if 5223 can't be reached.

        

        

        
4. Click the OK button when ready. 

Step 4: Create an IPv4 Policy

1. Navigate to Policy & Objects → IPv4 Policy.
2. Click the + Create New button.
   
3. Fill in the following information:
   
   

   Important:

   It is highly recommended for security purposes that you have a separate subnet for the phones and make this firewall policy as specific as possible.

    
   • Name - Type a descriptive name, such as LAN to SVoIP.
   • Incoming Interface - Select your LAN (Or Voice VLAN) interface.
   • Outgoing Interface - Select your WAN interface.
   • Action - Select ✔ ACCEPT.
   • Source - LAN addresses (Or Voice VLAN addresses)
   • Destination - The SpectrumVoIP Address Group Create previously
   • Schedule - Always
   • Service - SVoIP RTP Out, HTTP, & HTTPS
   • Inspection mode - Flow Based
   • NAT - ENABLE NAT
   • IP Pool Configuration - Select Use Outgoing Interface Address.
   • Preserve Source Port - DISABLE
   • Passive health check - DISABLE
   • AntiVirus - DISABLE
   • Web Filter - DISABLE
   • DNS Filter - DISABLE
   • Application Control - DISABLE
   • VoIP - ENABLE DEFAULT
   • SSL inspection - SET TO NO INSPECTION
   • Log Allowed Traffic - Select All Sessions.  
4. Click the OK button.
5. Ensure the policy is active or turn it on once you apply the settings.

Step 5: Set REGISTER, INVITE, and SCCP Request Limits

1. Navigate to Security Policies → VoIP. 
   
2. Set the Limit “REGISTER” requests and Limit “INVITE” requests option to the value specified by your installation technician.
   

   Quick Tip: 300 can be used if the exact value is not known.

    
3. If necessary, set the SCCP limit as well. 

Step 6: Create a Traffic Shaping Policy

1. Navigate to Policy & Objects → Traffic Shaping Policy. 
   
2. Click the + Create New button.
3. In the menu, fill in the following information:
   
   

   WARNING: Pay careful attention to the SIP and VOIP selections as they may be in different locations depending on the age, and firmware version of your Fortinet.

   Ensure you select the name of the Policy / Traffic Shaper you created earlier.

    
   • Service - Select select the Service we created earlier for the RTP.
   • Application - Select SIP.
   • Outgoing Interface - Select your internet interface.
   • Shared Shaper - Select the new Traffic Shaper you created earlier.
   • Reverse Shaper - Select the new Traffic Shaper you created earlier.
4. Click the OK button.

Optional Step 7: SD-WAN Deployment

1. Navigate to Network → SD-WAN → SD-WAN Rules
2. Create a new rule with the following parameters: