FortiGate
gmanea
Staff
Article Id 194527

Description

This article describes how to configure the SIP ALG so that it does not open SIP pinholes for unwanted VoIP calls.
When a SIP REGISTER passes through the FortiGate with the SIP ALG enabled, the ALG creates a pinhole in the reverse direction that allows SIP packets to be forwarded into the network.

This applies regardless of the source address from which the incoming packets originate.
The behaviour is useful for connecting external phones to the local PBX without creating an incoming policy.
It can, however, be abused by attackers, who use the unauthenticated SIP server to place SIP calls.

In such cases, and if logging is enabled, a log entry may appear for incoming traffic that matches an outgoing policy.
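The log entry mentioned above can be hunted for in exported traffic logs. The following Python script is an added example, not part of this article or of FortiOS: it parses FortiGate-style key=value traffic-log lines and flags SIP traffic that entered on the WAN interface through the outbound VoIP policy from a source other than the known SIP proxy. The sample lines are constructed; the addresses, the interface names "wan1" and "internal", policy id 7, and the use of port 5060 as the SIP port are all assumptions.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample lines in the FortiGate key=value traffic-log style.
# Addresses, interface names and the policy id are made up for this example.
SAMPLE_LOGS = [
    # Inbound SIP from the SIP proxy through the pinhole: expected.
    'date=2024-01-10 time=10:00:01 type="traffic" subtype="forward" srcip=192.0.2.10 srcport=5060 '
    'srcintf="wan1" dstip=10.0.0.5 dstport=5060 dstintf="internal" proto=17 action="accept" policyid=7',
    # Inbound SIP from an unknown host through the same pinhole: should be flagged.
    'date=2024-01-10 time=10:00:05 type="traffic" subtype="forward" srcip=203.0.113.77 srcport=5060 '
    'srcintf="wan1" dstip=10.0.0.5 dstport=5060 dstintf="internal" proto=17 action="accept" policyid=7',
    # The PBX registering outbound: the normal direction of the policy.
    'date=2024-01-10 time=10:00:09 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=5060 '
    'srcintf="internal" dstip=192.0.2.10 dstport=5060 dstintf="wan1" proto=17 action="accept" policyid=7',
    # Unrelated HTTPS traffic on another policy: ignored.
    'date=2024-01-10 time=10:00:12 type="traffic" subtype="forward" srcip=198.51.100.9 srcport=44123 '
    'srcintf="wan1" dstip=10.0.0.5 dstport=443 dstintf="internal" proto=6 action="accept" policyid=3',
]

# key=value pairs; a value is either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SIP_PORT = "5060"  # assumption: the default SIP port; adjust if the proxy uses another


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one FortiGate-style log line into a dict of its fields (values unquoted)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if bare == "" else bare
    return fields


def find_unexpected_sip_ingress(
    lines: Iterable[str],
    wan_intf: str,
    outbound_policy_id: int,
    trusted_proxies: Set[str],
) -> List[Dict[str, str]]:
    """Return entries where SIP arrived on the WAN interface, was accepted by the
    outbound VoIP policy (i.e. via an ALG pinhole) and did not come from a known proxy."""
    flagged: List[Dict[str, str]] = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("dstport") != SIP_PORT:
            continue
        if f.get("policyid") != str(outbound_policy_id):
            continue
        if f.get("srcintf") != wan_intf:
            continue  # traffic leaving the network: the direction this policy is meant for
        if f.get("srcip") in trusted_proxies:
            continue  # the proxy is the only source strict-register should let through
        flagged.append(f)
    return flagged


if __name__ == "__main__":
    for entry in find_unexpected_sip_ingress(SAMPLE_LOGS, "wan1", 7, {"192.0.2.10"}):
        print(f"{entry['date']} {entry['time']} unexpected SIP from {entry['srcip']} -> {entry['dstip']}")
```

Entries returned by this check are exactly the calls strict-register is meant to stop, so a non-empty result after enabling it indicates the profile is not applied to the policy carrying the REGISTER.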

Related document:
SIP pinholes

Scope

FortiGate.

Solution

One way to secure access to the internal PBX is to restrict the source IP of incoming calls to the IP address of the SIP proxy.
This is done by enabling the 'strict-register' parameter in the SIP section of the VoIP profile:

config voip profile
    edit default
        config sip
            set strict-register enable
        end
    next
end

With strict-register enabled, the pinhole only accepts packets whose source IP equals the destination IP of the REGISTER sent in the outbound direction (in most cases the SIP proxy).

The SIP proxy can then be used to control which calls are allowed through to the network and which are not.

This VoIP profile then has to be applied to the firewall policy that allows the outgoing REGISTER from the PBX to the SIP proxy:

config firewall policy
    edit <policy_id>
        set voip-profile "Your_VoIP_Profile"
    next
end

The profile can also be added in the GUI once the VoIP profile feature is enabled under Feature Visibility.

Afterwards it appears under the security profiles of the firewall policy.


Related articles:

Technical Tip: Disabling VoIP Inspection

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2

Technical Tip: VOIP calls (using SIP)

Technical Tip: SIP useful Commands

Technical Tip: Enabling the SIP Application Layer Gateway (ALG)

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG