This guide details the necessary changes for Fortinet routers and firewalls

Weave phones work well with Fortinet routers once they have been configured correctly. You can configure the Fortinet by following the steps outlined below. 

Checking for a public IP address on the WAN Interface (image below)

Log in to the Fortinet web interface.

1. In the left menu, click the "Network" option

2. Click "Interfaces"

3. Ensure that the wan1 OR the wan2 interface is configured with a public IP address (see image). If the IP address begins with "192.168.X.X", "10.X.X.X" or "172.16.X.X-172.31.X.X", the router is not receiving a public IP address and you should contact your ISP to put your modem in bridge, DMZ, or PPPoE mode.

  • We do not recommend using any Dual WAN/load-balancing features unless you can configure the router to always send Weave traffic out a single WAN interface.


Outbound firewall policy creation (image below)

Although most firewalls/UTM devices have a default rule allowing any traffic outbound, we will need to create a specific rule for the Weave traffic because of the way that Fortinet sets the NAT type (see step 26).

4. In the Fortinet web interface, click on the "Policy and Objects" section in the left column

5. Expand the "Objects" section

6. Click "Addresses"

7. Click "Create New" 


In the object creation window, create the Weave address objects (image below).

8. Name: Weave1 (increment this name as you create each of the Weave IP objects, e.g. Weave2, Weave3, etc.)

9. Type: IP/Netmask

10. Subnet / IP Range: enter one of the addresses below. You will need to repeat steps 8-12 once for each of the following IP addresses.

  • Weave1 – 208.53.46.192/255.255.255.192 (CIDR /26)
  • Weave2 – 64.55.135.0/255.255.255.224 (CIDR /27)
  • Weave3 – 52.7.80.27
  • Weave4 – 52.7.31.85
  • Weave5 – 52.70.39.230
  • Weave6 – 52.71.148.87

11. Interface: Any

12. Click 'OK' to create the object. (Repeat these steps to add the additional IP addresses for Weave traffic)


Create Firewall Policies (image below)

13. Click "Policy and Objects"

14. Expand "Policy" and then double click the "IPv4" option.

15. Click "Create New" 


Firewall Policy Creation Window (image below)

16. Incoming Interface: internal

17. Source address: all

18. Source users: leave as default

19. Source device type: leave as default

20. Outgoing Interface: wan1 OR wan2, depending on which WAN interface you are using (see step 3)

21. Destination address: Weave1; click the green plus symbol at the end of the line containing Weave1 and add all the address objects created for Weave in steps 8-12.

22. Schedule: Always

23. Service: All

24. Action: Accept

25. Firewall / Network Options

  • NAT = On
  • Use Outgoing interface address

26. Fixed Port = Checked (this is a critical step to ensure that the Fortinet performs the appropriate type of NAT; the phones will not work properly if this step is missed.)

27. Ensure the policy is enabled

28. Click "OK". Then, on the firewall policy page, drag the newly created Weave rule to the top of the list.


Disable SIP ALG (images below)

29. Open the FortiGate command line interface (CLI) from the Dashboard of the web interface.

30. Type config system settings

31. Type set sip-helper disable

32. Type set sip-nat-trace disable

33. Type end

34. Type execute reboot, then type Y to reboot the device.

Once the device has rebooted, re-open the web interface and open the CLI again (see step 29).

35. Type config system session-helper

36. Type show

37. The show command lists the system session-helper entries. Identify the one whose protocol is SIP and delete it. In the example below the SIP session-helper is entry 13, so the command would be delete 13


Disable RTP Processing (image below)

Open the CLI from the dashboard of the Fortinet router.

38. Type config voip profile

39. Type edit default

40. Type config sip

41. Type set rtp disable

42. Type end, then type end again

43. Type execute reboot, then type Y to initiate a reboot. This is a critical step to release all the current sessions on the device. The changes will not take full effect until the firewall has been rebooted.
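The same configuration expressed as a FortiOS CLI script, added here as an example and not part of the original guide: it reproduces steps 8-28 (the address objects and the outbound policy with NAT and Fixed Port) and steps 30-43 (SIP ALG and RTP processing disabled). The interface names internal and wan1 and the policy name Weave-Outbound are assumptions; the session-helper entry 13 is the guide's example value and must be confirmed with show before it is deleted.

```fortios
# Added example, not from the guide. internal/wan1 and the policy name are assumptions; 13 is the guide's example session-helper id, confirm it with "show" first.
config firewall address
    edit "Weave1"
        set subnet 208.53.46.192 255.255.255.192
    next
    edit "Weave2"
        set subnet 64.55.135.0 255.255.255.224
    next
    edit "Weave3"
        set subnet 52.7.80.27 255.255.255.255
    next
    edit "Weave4"
        set subnet 52.7.31.85 255.255.255.255
    next
    edit "Weave5"
        set subnet 52.70.39.230 255.255.255.255
    next
    edit "Weave6"
        set subnet 52.71.148.87 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "Weave-Outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Weave1" "Weave2" "Weave3" "Weave4" "Weave5" "Weave6"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # Fixed Port (step 26): keep the source port unchanged so the NAT does not rewrite it
        set fixedport enable
    next
end
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end
config system session-helper
    delete 13
end
config voip profile
    edit "default"
        config sip
            set rtp disable
        end
    next
end
```

After the script is applied, move the new policy above the catch-all rule with move <new-id> before <first-id> under config firewall policy, and reboot as in step 43. show firewall policy should list set nat enable and set fixedport enable under the Weave policy.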