This guide details the necessary changes for Fortinet routers and firewalls
Weave phones work well with Fortinet routers once they have been configured correctly. You can configure the Fortinet by following the steps outlined below.
Checking for a public IP address on the WAN Interface (image below)
Login to the Fortinet web interface
1. In the left menu, click the "Network" option
2. Click "Interfaces"
3. Ensure that the wan1 OR the wan2 interface is configured with a public IP address. (see image). If the IP address begins in "192.168.X.X" "10.X.X.X" or "172.16.X.X-172.31.X.X" then the router is not receiving a public IP address and you should contact your ISP to put your modem in bridge, DMZ, or PPOE mode. (Why is this important?)
- We do not recommend using any Dual Wan/load balancing features unless you can configure the router to always send weave traffic out a single wan interface.
Outbound firewall policy creation (image below)
Although most firewalls/UTM devices have a default rule allowing any traffic outbound, we will need to create a specific rule for the Weave traffic because of the way that Fortinet sets the NAT type.
4. In the Fortinet web interface, click on the "Policy and Objects" section in the left column
5. Expand the "Objects" section
6. Click "Addresses"
7. Click "Create New"
In the object creation window you will create the Weave address objects (image below)
8. Name: Weave1 (You will iterate this name as you create all the Weave IP objects i.e. Weave2, Weave3 ect...)
9. Type: IP/Netmask
10. Subnet / IP Range: You will need to duplicate steps 8-12 to add the following IP Addresses.
- Weave1 – 18.104.22.168/255.255.255.192 (cidr is /26)
- Weave2 – 22.214.171.124/255.255.255.224 (cidr is /27)
- Weave3 – 126.96.36.199
- Weave4 – 188.8.131.52
- Weave5 – 184.108.40.206
- Weave6 – 220.127.116.11
11. Interface: Any
12. Click 'OK' to create the object. (Repeat these steps to add the additional IP addresses for Weave traffic)
Create Firewall Policies (image below)
13. Click the "Policy and Objects"
14. Expand the "Policy" and then double click on the "IPv4" option.
15. Click "Create New"
Firewall Policy Creation Window (image below)
16. Incoming Interface: internal
17. Source address: all
18. Source users: leave as default
19. source device type: leave as default
20. Outgoing Interface: wan1 OR wan2 depending on what wan interface you are using (see step 3)
21. Destination address: Weave1; click the green plus symbol at the end of the line containing weave1 and add all the address objects created for Weave in steps 8-12.
22. Schedule: Always
23. Service: All
24. Action: Accept
25. Firewall / Network Options
- NAT = On
- Use Outgoing interface address
26. Fixed Port = Checked (this is a critical step to ensure that the Fortinet does the appropriate type of NAT, the phones will not work properly if this step is missed.)
27. Ensure the policy is enabled
28 . Click "OK" Then on the firewall policy page drag the newly created Weave Rule to the top of the list.
Disable SIP ALG (images below)
29. Open the Fortigate command line interface (CLI) from the Dashboard of the Web interface.
30. Type config system settings
31. Type set sip-helper disable
32. Type set sip-nat-trace disable
33. Type end
34. Type execute reboot then type Y to reboot the device.
Once the device has rebooted re-open the web interface and open the CLI again (see step 29)
35. Type Config system session-helper
36. Type Show
37. The 'show' command will list the system session-helper entries. You will need to identify the one that is for SIP and delete it. In the example below the number for the SIP session-helper is 13 so the command would be Delete 13
Disable RTP Processing (image below)
Open the CLI on the dashboard of the Fortinet Router
38. Type Config voip profile
39. Type Edit default
40. Type Config sip
41. Type Set rtp disable
42. Type end; then type end again
43. Type Execute Reboot then Type 'Y' to initiate a reboot. This is a critical step to release all the current sessions on the device. The changes will not work fully until a reboot of the firewall has been completed.