Cybersecurity Forum


AndrHann
New Contributor III

PABX hack

Hello

I have a client who has had their PABX hacked and needs to block all SIP traffic except to their VoIP provider. I installed a small FortiGate 30E for them and set up an inbound VIP rule specifying only the VoIP provider's IP address as the source. This hasn't resolved the problem. I can do a telnet test to port 5060 and it doesn't get blocked. If I remove the VIP policy I can still telnet to port 5060. I don't know what's going on, but it appears the port is being kept open by the PABX. Has anyone experienced this issue before? I'm a bit stuck on how to troubleshoot, and the client is wondering why he paid for a new firewall.

Thanks,

Andre

1 REPLY
AndrHann
New Contributor III

Well, it's been four days now and no one from Fortinet support has responded to my ticket. I phoned but was put on hold until I gave up. In the meantime I have done some research myself and found a solution on the Fortinet KB:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37756&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=91232211&stateId=0%200%2091230334.

Solution:

A way to limit the number of unwanted calls is to restrict the source IP of incoming calls to your proxy IP address. This can be done by setting the “strict-register” parameter in your SIP VoIP profile settings:

config voip profile
    edit <profile-name>
        config sip
            set strict-register enable
        end
    next
end

In this way, the pinhole opened will allow only packets whose source IP equals the destination IP of the REGISTER sent in the outbound direction (in most cases this will be your SIP proxy).
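The KB fragment above only shows the profile setting itself. As an added example (not from the KB article or from the poster), here is a complete FortiOS CLI configuration that creates the strict-register profile and binds it to the policy that carries the PABX's outbound REGISTER to the provider. That binding is the part that matters: it is the outbound REGISTER that opens the SIP pinhole, so the VoIP profile has to be on the outbound PABX-to-provider policy, not on the inbound VIP policy. The interface names (internal, wan), the address object names (PABX, VoIP-Provider), the policy ID (10), the PABX address 192.168.1.50 and the provider address 203.0.113.10 (a documentation-range address) are all assumptions; substitute your own.

```fortios
# Added example: strict-register SIP profile bound to the outbound SIP policy.
# Assumed names/addresses: interfaces "internal" and "wan", PABX at 192.168.1.50,
# provider proxy at 203.0.113.10, policy ID 10. Adjust to the real deployment.

config firewall address
    edit "PABX"
        set subnet 192.168.1.50 255.255.255.255
    next
    edit "VoIP-Provider"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Profile: only accept inbound packets on the pinhole whose source IP matches
# the destination of the outbound REGISTER (i.e. the provider proxy).
config voip profile
    edit "voip-strict"
        config sip
            set strict-register enable
        end
    next
end

# Outbound policy for the PABX's SIP registration; the profile is applied here,
# because this is the session in which the REGISTER is sent and the pinhole opened.
config firewall policy
    edit 10
        set name "PABX-to-provider-SIP"
        set srcintf "internal"
        set dstintf "wan"
        set srcaddr "PABX"
        set dstaddr "VoIP-Provider"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "voip-strict"
    next
end
```

After applying this, repeat the original test: a telnet to port 5060 from an address other than the provider's should no longer connect, while the PABX keeps registering normally. To see which sessions the FortiGate currently holds for SIP, use `diagnose sys session filter dport 5060` followed by `diagnose sys session list`; the pinhole session should show the provider address as its remote peer.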