Base Stations and Routers - [v6.0.1, v5.6.5, v5.4.9] FortiOS Cook & Research - Computers



[v6.0.1, v5.6.5, v5.4.9] FortiOS Cook & Research

Application Control is a free service starting with v5.6
Application Control is now a free FortiGuard service and the database for Application Control signatures is
separate from the IPS database. However, Botnet Application signatures are still part of the IPS signature
database since these are more closely related with security issues and less about application detection.
With the release of FortiOS 5.6.1, Application Control signature database information is displayed on the
System > FortiGuard page in the FortiCare section. And the Botnet category is no longer available when
searching the Application Signatures list.
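I have a question.
There is a Cisco SX20 video conferencing unit behind the Fortigate,
but when connecting in from outside over 4G (Chunghwa, Taiwan Star; the IPs all start with 10.1xx.)
the phone gets no audio and no video, while the conferencing unit can see and hear the phone side.
I tried following https://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/
and asked Chunghwa, who said H.323 also needs to be deleted, roughly following this post:
http://namitguy.blogspot.tw/2014/08/h323-traffic-failing-to-traverse.html

sip-helper disable: no audio, no video
sip-nat-trace disable: no audio, no video
(rebooted after each change)
del h.323: the call cannot connect
del sip: no audio, no video
rtp disable: no audio, no video
(rebooted after each change)
I don't know what other settings I should look at.
I have configured a Policy and a Policy Route so that the SX20's IP goes out via wan1 and a specific IP (without this the call cannot connect).
For Virtual IP, I mapped a specific external IP on wan1 entirely to the SX20's IP; this still does not solve it.
Network architecture:
Two Chunghwa lines connect to the Fortigate's wan1 and wan2 respectively; behind the Fortigate is a Cisco L3, then an L2, then the conferencing unit.

Could anyone with relevant experience give some pointers?
At my previous company we used an Aver conferencing system set up point-to-point, with one side likewise behind a Fortigate, and the two sides connected to each other without problems.
This time, connecting to a phone, I have been at it for a long time and cannot get it working. Is it because of the mobile network?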
被蟑螂綁架的豬 wrote:
I have a question. Fortigate... (snipped)


I don't think the links you mentioned above can help you resolve your problem...
Simple questions..
Did you configure a policy with a VOIP profile enabled???
What FortiOS version are you using???
Did you configure a policy with a VOIP profile enabled???
The VOIP feature is not enabled on the Fortigate.
What FortiOS version are you using???
5.2.11
vxr wrote:
I don't th... (snipped)

被蟑螂綁架的豬 wrote:
Did you configure... (snipped)

Show me your settings using the following command:
config sys sett

被蟑螂綁架的豬 wrote:
Is this it? FG100D... (snipped)

No.
default-voip-alg-mode
Please provide the default value of this command..

Don't make too many odd adjustments that complicate the problem..

default-voip-alg-mode: proxy-based
The full output is below:
opmode : nat
firewall-session-dirty: check-all
bfd : disable
utf8-spam-tagging : enable
wccp-cache-engine : disable
vpn-stats-log : ipsec pptp l2tp ssl
vpn-stats-period : 600
v4-ecmp-mode : source-ip-based
dhcp-proxy : disable
gui-default-policy-columns:
lldp-transmission : global
asymroute : disable
ses-denied-traffic : disable
strict-src-check : disable
asymroute6 : disable
sip-helper : disable
sip-nat-trace : disable
status : enable
sip-tcp-port : 5060
sip-udp-port : 5060
sip-ssl-port : 5061
sccp-port : 2000
multicast-forward : enable
multicast-ttl-notchange: disable
--More-- allow-subnet-overlap: disable
deny-tcp-with-icmp : disable
ecmp-max-paths : 10
discovered-device-timeout: 28
email-portal-check-dns: enable
default-voip-alg-mode: proxy-based

OK, I will first restore the settings I changed earlier to their defaults.
vxr wrote:
No default-... (snipped)

vxr wrote:
default-voip-alg-mode

被蟑螂綁架的豬 wrote:
default-voip... (snipped)

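Starting with FortiOS v5.2, SIP traffic is handled by the VoIP ALG/Proxy..
In this case, a VOIP profile is required..
For an efficient and simple approach...
switching to kernel-helper-based is the best practice..
With kernel-helper-based, the efficient session helper is used to handle it..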
If default-voip-alg-mode is set to proxy-based, SIP and SCCP traffic is processed by the VoIP ALG/Proxy using the default VoIP profile.
If default-voip-alg-mode is set to kernel-helper-based, SCCP traffic is not processed, and SIP traffic is processed by the SIP session helper. If the SIP session helper has been removed, then no SIP processing takes place.

Refer to this case:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD36405&sliceId=1

You can first switch to kernel-helper-based, without removing the session-helper entries..
If there is still a problem, then in the course of troubleshooting, remove the specific session helper entries...
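
The two default-voip-alg-mode rules quoted in the reply above, applied to pasted settings output; this is an added example, not part of the thread and not Fortinet tooling. The function names, the labels in the returned dict and the `sip_session_helper_present` flag are assumptions for illustration, and the sample text is constructed.

```python
import re

# Constructed sample: a few lines in the shape of the settings output posted
# in the thread, including the CLI pager residue ("--More--").
SAMPLE = """\
opmode : nat
sip-helper : disable
sip-nat-trace : disable
sip-tcp-port : 5060
--More-- allow-subnet-overlap: disable
default-voip-alg-mode: proxy-based
"""

def parse_settings(text):
    """Parse 'key : value' lines into a dict, dropping pager residue."""
    settings = {}
    for line in text.splitlines():
        line = re.sub(r"^\s*--More--\s*", "", line)
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings

def sip_path(settings, sip_session_helper_present=True):
    """Report which component handles SIP and SCCP, per the two rules quoted
    in the thread. sip_session_helper_present is an assumption supplied by
    the caller: the session-helper list is not part of this output."""
    mode = settings.get("default-voip-alg-mode")
    if mode == "proxy-based":
        # Both protocols go through the VoIP ALG/Proxy with the default profile.
        return {"sip": "voip-alg-proxy (default VoIP profile)",
                "sccp": "voip-alg-proxy (default VoIP profile)"}
    if mode == "kernel-helper-based":
        # SCCP is not processed; SIP depends on the session helper still existing.
        sip = "sip-session-helper" if sip_session_helper_present else "none"
        return {"sip": sip, "sccp": "none"}
    raise ValueError(f"default-voip-alg-mode missing or unknown: {mode!r}")

if __name__ == "__main__":
    current = parse_settings(SAMPLE)
    print("current :", sip_path(current))
    proposed = dict(current, **{"default-voip-alg-mode": "kernel-helper-based"})
    print("proposed:", sip_path(proposed))
    print("helper removed:", sip_path(proposed, sip_session_helper_present=False))
```

Running it on the sample shows why the reply advises keeping the session-helper entries when switching modes: with kernel-helper-based and the helper removed, nothing processes SIP at all.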
