cbenejean
Staff
February 26, 2016

Technical Tip: Use of SIP ALG to filter IP addresses


Description

When a SIP REGISTER passes through the FortiGate with SIP ALG enabled, the ALG creates a pinhole in the reverse direction that allows all SIP packets to be forwarded into the network, whatever source address they come from.

Traffic that matches the pinhole skips the firewall check in the reverse direction. Because of this, there is no way to filter out particular source IP addresses.


Solution

The solution is to create two VDOMs. The first VDOM takes care of the firewalling (it can be a transparent VDOM), while the second takes care of the SIP traffic and the media modification/pinholing.
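
The difference between the two designs shows up in a simplified model of the inbound packet path. This Python sketch is an added example, not Fortinet code or configuration; the VDOM names, addresses and rule set are constructed, and the pinhole/policy logic is a deliberate simplification of the behaviour described above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    src: str      # source network this inbound policy matches
    action: str   # "accept" or "deny"

@dataclass
class Vdom:
    name: str
    sip_alg: bool
    policies: list = field(default_factory=list)  # inbound policies, first match wins
    pinholes: set = field(default_factory=set)    # (inside_ip, port) opened by the ALG

    def register_out(self, inside_ip, port=5060):
        """Outbound REGISTER: the ALG opens a reverse pinhole with no source restriction."""
        if self.sip_alg:
            self.pinholes.add((inside_ip, port))

    def inbound(self, src, dst, port=5060):
        """Verdict for an inbound SIP packet arriving at this VDOM."""
        if self.sip_alg and (dst, port) in self.pinholes:
            return "accept"                       # pinhole hit: policy check is skipped
        for p in self.policies:
            if ip_address(src) in ip_network(p.src):
                return p.action
        return "deny"                             # implicit deny

def traverse(vdoms, src, dst):
    """Pass an inbound packet through the VDOMs, outside first; return (verdict, vdom)."""
    for v in vdoms:
        if v.inbound(src, dst) == "deny":
            return ("deny", v.name)
    return ("accept", vdoms[-1].name)

# Constructed sample addresses and rules (documentation ranges).
BLOCKED, ALLOWED, PHONE = "203.0.113.5", "198.51.100.7", "10.0.0.20"
RULES = [Policy("203.0.113.0/24", "deny"), Policy("0.0.0.0/0", "accept")]

def single_vdom():
    v = Vdom("root", sip_alg=True, policies=list(RULES))
    v.register_out(PHONE)
    return [v]

def two_vdoms():
    fw = Vdom("FW", sip_alg=False, policies=list(RULES))  # filtering only, no pinholes
    sip = Vdom("SIP", sip_alg=True)                        # ALG and pinholes only
    sip.register_out(PHONE)   # REGISTER leaves through the SIP VDOM, which opens the pinhole
    return [fw, sip]
```

In the single-VDOM case the deny rule for 203.0.113.0/24 is never consulted once the phone has registered; in the two-VDOM case the same rule is evaluated in the first VDOM before the packet can reach the pinhole.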