Recommended firewall settings Winet

Required ports & settings for VoIP service (all firewall models) #

For Winet SIP Trunk #

Telephone system or telephone terminals in the customer's LAN

SIP port 5060 UDP to the Subnet ( , incoming as well as outgoing
RTP Ports 10'000 - 20'000 UDP to the Subnet ( , incoming as well as outgoing
UDP timeout min. 300s 
SIP-ALG disable

For Winet Ayrix & hostedPBX #

SIP Ports 5060 UDP to the Subnet ( , incoming as well as outgoing
RTP Ports 10000 - 20000 UDP to the Subnet ( , incoming as well as outgoing
CTI clients Ports 5038 TCP to the Subnet ( , incoming as well as outgoing
UDP timeout min. 300s
SIP-ALG disable

Additional settings for individual firewall models #

Here you can find screenshots and quick guides to the most common firewalls.

Fortigate (Fortinet) #

It is recommended to follow the following instructions:

How to disable SIP-ALG (SIP Helper) on Fortinet

Open the Fortigate CLI from the dashboard. Enter the following commands in FortiGate's CLI:

  config system settings
  set sip-helper disable
  set sip-nat-trace disable
  reboot the device

Reopen the FortiGate CLI and enter the following commands (do not enter the text after //)

  config system session-helper
  show // you need to find the entry for SIP, usually 12, but it may vary
  delete 12 // or the number that you identified from the previous command

Create a rule and set it like in the picture above Reboot the device and you should be ready

Disable RTP processing as follows

  config voip profile
  edit default
  config sip
  set rtp disable

Depending on what is configured as basic support, SIP support can be turned off completely.
Subsequently, the SIP Sessionhelper is set as "basic" support and deleted.
With this, the Fortigate can no longer provide SIP support because the session helper it is configured to no longer exists.

Base support on the session helper (kernel-helper-based):

  config system settings
  set default-voip-alg-mode kernel-helper-based

Delete SIP Sessionhelper (as above):

  config system session-helper
         set name sip
         set protocol 17
         set port 5060

A complete VoIP configuration guide for FortiOS 5.6 can be found in this document: