Technical Tip: Prevent attackers from using outbound ports/sessions to register to an internal PBX

Scenario:
Internal PBX <-- SIP Trunk --> VoIP Provider.
Internal PBX <---> FortiGate 80.X.Y.Z (WAN) <---> VoIP Provider.

Scenario Explanation:
Internal PBX resides in the LAN, which is connected to a VoIP Provider using the SIP TRUNK.
The SIP TRUNK is a connection using a WAN connection and NAT using the outgoing interface, which uses WAN IP and port 65476 after NAT is made.

When the trunk is active and everything is working there is the possibility of any random public IP address connecting to WAN IP and UDP port 65476 and trying to register a PBX extension.

This behavior is observed even when using VoIP security profile on the Firewall Policy related to the SIP trunk connection. This occurs because the Policy needs to be changed to Proxy Mode, and not be left at default Flow Mode.

Solution:
When enabling VoIP under System -> Feature Visibility, the VoIP UTM SIP strict-register feature is enabled by default on VoIP security profiles. If strict-register is disabled, it can create a security hole, as it would leave port 65476 open regardless of the source IP address, making an attacker who scans the external IP ports by sending REGISTER packets have a chance of a REGISTER packet going through.

Even using default-voip-alg-mode proxy-based and set strict-register enabled the undesired responses from FortiGate are observed in the figure below, this was tested using Firewall Policy in Flow Mode with VoIP security profile applied.

These undesired responses refer to the highlighted SIP messages which originated from FortiGate public IP 80.X.Y.Z, as a reply to IP 192.168.1.103 used to trigger responses from FortiGate by simulating SIP connections.

After changing the firewall policy to proxy mode, these unwanted responses from FortiGate are no longer observed.

Related documents:

Technical Tip: VoIP and SIP configuration and troubleshooting resource lists