Before doing anything take a backup of the current configuration.
Enable consistent NAT & disable security scanning on VOIP server/PBX.
Enable consistent NAT (75% improvement in audio quality):
Now to get that remaining 25%.
Then create a zone for your PBX and disable security scanning services on that device
Then we’ll create an address object for the IP PBX.
Manage – > Objects -> address objects -> add
Select the “VOIP” zone that we just created.
This is only helpful when your phones and your data traffic are on different LANS or VLANS.
If your PBX and data devices are on the same LAN then change the zone assignment to match the zone type of the interface that the PBX is connected to (most likely LAN). Then, disable the features from each feature per the address object that was just created.
In essence, we have to exclude the IP within each security service.
First up is the Content Filter. We don’t need the content filter trying to read SIP traffic data.
Manage -> Security Services -> Content Filter -> CFS Exclusion -> Select the address object.
Next is the Gateway Anti-Virus
Manage -> Security Services -> Gateway Anti-Virus -> Configure Gateway AV Settings -> Gateway AV Exclusion List -> select address object
Next is Intrusion Prevention
Manage -> Security Services -> Intrusion Prevention -> Enable IPS exclusion list checkbox -> select address object
Next is Anti-Spyware
Manage -> Security Services -> Anti-Spyware -> Configure anti-spyware settings -> Enable exclusions -> select IP PBX address object
Next is App Control
We want to leave it on for the subnet just not for the specific device.
Manage ->Rules -> App Control -> Configure App Control Settings -> tick exclusion checkbox. Can manually select the address object or the IPS exclusion checklist.