Required Configuration for Fortinet / FortiOS Devices

Weave phones work well with Fortinet routers once they have been configured correctly. You can configure the Fortinet by following the steps outlined below. 

Check for a public IP address on the WAN Interface

Log in to the Fortinet web interface

1. In the left menu, click the Network option

2. Click Interfaces

3. Ensure that the wan1 OR the wan2 interface is configured with a public IP address (see image). If the IP address begins with 192.168.X.X, 10.X.X.X or 172.16.X.X-172.31.X.X, then the router is not receiving a public IP address and you should contact your ISP to put your modem in bridge, DMZ, or PPPoE mode.

Note: We do not recommend using any Dual WAN/load balancing features unless you can configure the router to always send Weave traffic out a single WAN interface.


Outbound firewall policy creation 

Although most firewalls/UTM devices have a default rule allowing any traffic outbound, we will need to create a specific rule for the Weave traffic because of the way that Fortinet sets the NAT type. 

4. In the Fortinet web interface, click on the Policy and Objects section in the left column

5. Expand the Objects section

6. Click Addresses

7. Click Create New

In the object creation window you will create the Weave address objects 

8. Name: Weave IPs

9. Type: FQDN

10. Please reach out to your onboarding contact for the list of IP addresses you need to allow.

11. Interface: Any

12. Click OK to create the object

Create Firewall Policies 

13. Click Policy & Objects

14. Expand Policy and then double-click the IPv4 option

15. Click Create New

Firewall Policy Creation Window 

16. Incoming Interface: internal

17. Source address: all

18. Source users: leave as default

19. Source device type: leave as default

20. Outgoing Interface: wan1 or wan2 depending on what wan interface you are using (see step 3)

21. Destination address: Weave IPs

22. Schedule: Always

23. Service: All

24. Action: Accept

25. Firewall / Network Options

  • NAT = On

  • Use Outgoing interface address

26. Fixed Port = Checked (this is a critical step: it ensures that the Fortinet performs the appropriate type of NAT, and the phones will not work properly if this step is missed)

27. Ensure the policy is enabled

28. Click OK and then on the firewall policy page drag the newly created Weave Rule to the top of the list


Disable SIP ALG

29. Open the FortiGate command line interface (CLI) from the Dashboard of the web interface

30. Type config system settings

31. Type set sip-helper disable

32. Type set sip-nat-trace disable

33. Type end

34. Type execute reboot then type Y to reboot the device. 

Once the device has rebooted re-open the web interface and open the CLI again (see step 29) 

35. Type config system session-helper

36. Type show

37. The show command will list the system session-helper entries. You will need to identify the one that is for SIP (its name is sip) and delete it; the entry number varies from device to device. In the example below the number for the SIP session-helper is 13, so the command would be delete 13

Disable RTP Processing (image below)

Open the CLI on the dashboard of the Fortinet Router:

38. Type config voip profile

39. Type edit default

40. Type config sip

41. Type set rtp disable

42. Type end; then type end again

43. Type execute reboot then type Y to initiate a reboot

Note: This final step is critical to release all the current sessions on the device. The changes will not work fully until a reboot of the firewall has been completed. 
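The steps above leave a few settings that are easy to get wrong or skip, in particular Fixed Port on the Weave policy (step 26), the SIP session-helper entry whose number differs per device (step 37), and the sip-helper, sip-nat-trace and rtp settings (steps 31, 32 and 41). The script below is an added example, not Weave's or Fortinet's own tooling: it parses the nested config/edit/set/next/end text that the FortiOS CLI prints for show, finds the SIP session-helper entry, and reports which of the settings from this article are still missing. It assumes the input is plain show output, where a setting that is absent is still at its default, and the sample dump embedded in it is constructed for illustration (the policy number, the helper number 13 from the article, and the address object name are only placeholders).

```python
"""Check a FortiOS 'show' dump for the Weave settings described in this article."""
import shlex


def parse_fortios(text):
    """Parse FortiOS config text into {config_name: {entry_id: entry}}.

    entry = {"set": {key: [values]}, "config": {nested_config_name: {...}}}.
    Table-less blocks such as 'config system settings' get the entry id "".
    """
    root, stack = {}, []                      # frames: {"entries": dict, "entry": dict or None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)        # shlex keeps quoted values like "Weave IPs" together
        if cmd == "config":
            if not stack:
                parent = root
            else:
                frame = stack[-1]
                if frame["entry"] is None:    # nested config inside a table-less block
                    frame["entry"] = frame["entries"].setdefault("", {"set": {}, "config": {}})
                parent = frame["entry"]["config"]
            stack.append({"entries": parent.setdefault(" ".join(args), {}), "entry": None})
        elif cmd == "edit":
            stack[-1]["entry"] = stack[-1]["entries"].setdefault(args[0], {"set": {}, "config": {}})
        elif cmd in ("set", "unset"):
            frame = stack[-1]
            if frame["entry"] is None:        # 'set' directly under a table-less config
                frame["entry"] = frame["entries"].setdefault("", {"set": {}, "config": {}})
            if cmd == "set":
                frame["entry"]["set"][args[0]] = args[1:]
            else:
                frame["entry"]["set"].pop(args[0], None)
        elif cmd == "next":
            stack[-1]["entry"] = None
        elif cmd == "end":
            stack.pop()
    return root


def sip_session_helper_ids(cfg):
    """Entry ids under 'config system session-helper' whose name is sip (step 37)."""
    helpers = cfg.get("system session-helper", {})
    return [eid for eid, e in helpers.items() if e["set"].get("name") == ["sip"]]


def delete_commands(cfg):
    """The 'delete N' lines to type inside 'config system session-helper'."""
    return [f"delete {eid}" for eid in sip_session_helper_ids(cfg)]


def check_weave_policy(cfg, dstaddr="Weave IPs"):
    """Findings for the outbound policy whose destination is the Weave address object."""
    hits = [e for e in cfg.get("firewall policy", {}).values()
            if dstaddr in e["set"].get("dstaddr", [])]
    if not hits:
        return [f"no firewall policy with destination {dstaddr!r}"]
    s, findings = hits[0]["set"], []
    if s.get("nat") != ["enable"]:
        findings.append("NAT is not enabled on the Weave policy (step 25)")
    if s.get("fixedport") != ["enable"]:
        findings.append("Fixed Port is not enabled on the Weave policy (step 26)")
    if s.get("status") == ["disable"]:
        findings.append("the Weave policy is disabled (step 27)")
    return findings


def check_sip_alg(cfg):
    """Findings for the SIP ALG and RTP settings from steps 31, 32, 37 and 41."""
    findings = []
    settings = cfg.get("system settings", {}).get("", {"set": {}})["set"]
    for key in ("sip-helper", "sip-nat-trace"):
        if settings.get(key) != ["disable"]:
            findings.append(f"system settings: {key} is not disabled")
    if sip_session_helper_ids(cfg):
        findings.append("a sip session-helper entry is still present (step 37)")
    default = cfg.get("voip profile", {}).get("default", {"config": {}})
    sip = default["config"].get("sip", {}).get("", {"set": {}})["set"]
    if sip.get("rtp") != ["disable"]:
        findings.append("voip profile default: rtp is not disabled (step 41)")
    return findings


# Constructed sample dump: policy 5 is missing Fixed Port and helper 13 has not been deleted yet.
SAMPLE = """\
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
config firewall policy
    edit 5
        set name "Weave"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Weave IPs"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config voip profile
    edit "default"
        config sip
            set rtp disable
        end
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE)
    print("session-helper commands:", delete_commands(cfg))
    for finding in check_weave_policy(cfg) + check_sip_alg(cfg):
        print("MISSING:", finding)
```

Paste the output of show (or show full-configuration) from the FortiGate CLI in place of SAMPLE, or read it from a file; an empty findings list for both checks means the article's settings are all in place, after which the reboot in step 43 still has to be done.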
