Cybersecurity Forum


MathGaer
New Contributor

Need to disable any SIP processing

Hi everybody,

Being new to FortiGate systems (since last Thursday), I was setting up the firewall to just pass or deny IP traffic from or to several interfaces.

For most of the traffic that works well, but SIP doesn't follow the rule. I see incoming SIP registry messages on my PBX even though I have a security policy that denies any IP traffic from outside to inside.

I tried to disable sip-helper in system settings and modified the voip profile to "set sip disable" but nothing changes.

The firewall is in routing mode and is NOT using NAT (and shall not at the moment).

The PBX is situated on the LAN-interface.

The security policy from outside (interface wan1) is:

permit from wan to lan source any destination 10.0.0.0/8 icmp only

deny from wan to lan source any destination 10.0.0.0/8 ip

I'm quite helpless at the moment...


Two other questions:

If using active/standby redundancy, is the PPPoE session on a WAN interface passed to the standby unit if the master fails?

When using PBR (source routing) to have one specific IP's traffic bypass the normal routing table, and the configured next hop disappears, does the PBR disappear too? That is, if I want a specific internal address to use a second path to the outside and that path disappears, does the traffic then use the normal routing table?

Thank you very much

Mathias Gaertner
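For reference, this is what the configuration described in the post looks like in FortiOS 5.4 CLI syntax: the two wan1-to-lan policies (ICMP permitted, everything else denied) plus the three places where SIP inspection is switched off. This is an added example, not configuration from the original post; the address object name "net-10", the policy names and the session-helper entry id are assumptions (the sip helper is usually entry 13 in a default 5.4 config, but check with `show` first).

```fortios
# Address object for the destination range used in both policies (assumed name)
config firewall address
    edit "net-10"
        set subnet 10.0.0.0 255.0.0.0
    next
end

# Policy 1: permit ICMP from wan1 to lan; policy 2: explicitly deny all other IP
config firewall policy
    edit 1
        set name "wan1-to-lan-icmp"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "net-10"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
    edit 2
        set name "wan1-to-lan-deny"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "net-10"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end

# 1) Global SIP settings: no SIP helper, no SIP NAT tracing
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

# 2) Remove the kernel session helper for SIP (run "show" first; id 13 is assumed)
config system session-helper
    delete 13
end

# 3) Disable SIP in the VoIP profile so the proxy-based ALG does not touch it either
config voip profile
    edit "default"
        config sip
            set status disable
        end
    next
end
```

Existing sessions created by the helper survive these changes, so after applying them check `diagnose sys session list` for sessions whose helper field still says sip and clear them with `diagnose sys session clear` (or reboot), otherwise the old ALG-pinned sessions keep passing SIP until they expire.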


MathGaer
New Contributor

Hi again,

it seems that a reboot solved the ALG problem. Oh my...

But the other two questions still remain. The OS version is 5.4. Perhaps I should explain in a bit more detail:

I do have two ISP connections which currently end on one router, forming a single point of failure. I now think of moving both connections to the FortiGate wan1 and wan2. The FortiGate should be an HA cluster in active/passive mode. So, I connect one modem's Ethernet via a switch to the wan1 interfaces of both FortiGates and configure PPPoE there.

I read that this config should be working, but the docs just fail to explicitly mention the PPPoE failover.

Is the failover working as I think it is? I.e. when one FortiGate fails, the other takes over?

The second thing is like this:

I do use one ISP as the main ISP for most of the traffic, but some traffic (e.g. from my web server) should use the second ISP. I can do that with PBR, no problem. It should work when the PPPoE sessions are on the FortiGates, because if the session fails the interface is down.

But what if I choose to have two routers in front of the FortiGate and just use dynamic routing to inform the FortiGate about the presence of ISP2? If the dynamic routing removed the routing entry for ISP2 in the FortiGate, does the PBR then fall back to the remaining ISP (that is, using the normal routing table)?

Thank you very much for your help.

Mathias Gaertner
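The two-router scenario from the reply, written out as a FortiOS 5.4 CLI example so the fallback behaviour can be tested in a lab rather than guessed at. This is an added example, not configuration from the thread; the gateway addresses (192.0.2.1 for ISP1, 198.51.100.1 for ISP2), the web server address 10.1.1.10 and the use of a link monitor in place of a dynamic routing protocol are assumptions. The point it relies on, which you should verify on your own unit, is that FortiOS only applies a policy route when the routing table holds an active route to the destination via the policy's output device; when that route is gone, the packet falls through to normal routing.

```fortios
# Static defaults to both upstream routers; ISP1 preferred by lower distance
config router static
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end

# Stand-in for the dynamic routing protocol: when the probe to the ISP2 router
# fails, the wan2 static route is withdrawn from the routing table
config system link-monitor
    edit "isp2-probe"
        set srcintf "wan2"
        set server "198.51.100.1"
        set protocol ping
        set interval 5
        set failtime 3
        set update-static-route enable
    next
end

# Policy route: traffic sourced from the web server leaves via ISP2
config router policy
    edit 1
        set input-device "lan"
        set src "10.1.1.10/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

To observe the fallback, pull the ISP2 router's link and watch `get router info routing-table all`: the wan2 route should drop out, and `diagnose firewall proute list` will still show policy route 1, but a `diagnose sniffer packet any 'host 10.1.1.10' 4` capture of outbound traffic should now show it leaving on wan1. If the traffic disappears instead of moving to wan1, the policy route is still being honoured and the assumption above does not hold for your version.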