sscloff
New Contributor

Block SIP(VoIP) Direct IP Calls / Fake Calls "not" coming from the proxy

Hi,

We have a lot of spam calls incoming, resulting in softphones ringing.

The cause is that the softphone (Linphone) seems to accept direct IP calls.

Since we cannot change the client in the near future, we have to find another solution.

So far I haven't been able to restrict this through FW policy changes or hardening of SIP-ALG profiles.

For example:

I've tried to create a custom SIP profile with "strict-register enabled" and additionally limit the incoming source IP to the SIP gateway and set this to allow. In the SIP logs I can see the fake calls matching the policy-id, even though the source IP doesn't match.

If I understand this matter, I would propose to block SIP INVITEs "not" coming from the SIP proxy server.

So any idea how I can do this?

Thanks

1 REPLY
ede_pfau
Esteemed Contributor III

There are 2 ways to do this:

1. Create a policy to allow incoming SIP calls from the known proxy.

2. Create a policy right below it, blocking all incoming SIP traffic.

or

1. Create a DENY policy (action=DENY) with source address=your proxy, and edit it in the CLI:

set srcaddr-negate 
When enabled srcaddr/srcaddr6 specifies what the source address must NOT be

I think this will work from v6.0 on.

It does help in corner cases but I recommend against using this, as it is not that apparent in the GUI policy table. One regular 'ALLOW' policy should suffice, as all other traffic will be denied by the implicit DENY policy anyway. Or should be.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
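The two approaches from the reply above, written out as FortiOS CLI. This is an added example, not part of the original posts. The names SIP-Proxy, Softphones, wan1 and internal and the address 192.0.2.10 are placeholders, and the Softphones address object is assumed to exist already. Use option A or option B, not both.

```fortios
# Constructed example: object names, interface names and the IP are placeholders.
# Lines starting with # are annotations for the reader.
config firewall address
    edit "SIP-Proxy"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# Option A: allow SIP from the proxy, then deny all other incoming SIP right below.
config firewall policy
    edit 0
        set name "SIP-from-proxy"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "SIP-Proxy"
        set dstaddr "Softphones"
        set action accept
        set schedule "always"
        set service "SIP"
    next
    edit 0
        set name "SIP-block-others"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Softphones"
        set action deny
        set schedule "always"
        set service "SIP"
        set logtraffic all
    next
end

# Option B: a single DENY policy that matches every source EXCEPT the proxy.
config firewall policy
    edit 0
        set name "SIP-not-from-proxy"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "SIP-Proxy"
        set srcaddr-negate enable
        set dstaddr "Softphones"
        set action deny
        set schedule "always"
        set service "SIP"
    next
end
```

`edit 0` appends each new policy at the end of the table, so move these above any broader rule that would otherwise match the same traffic first.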