Support Forum
emilec
New Contributor

SIP ALG default behaviour exposes internal SIP server

A customer with a SIP enabled PBX server behind a Fortigate (5.2.9) with an outbound only policy to allow connection to an external SIP provider recently experienced VoIP fraud. Upon investigating and opening a ticket with Fortinet support it was discovered that SIP ALG will allow unsolicited connections in on port 5060.


You can replicate this yourself:

  • Disable SIP helper
  • Set up an outbound policy from the PBX behind the Fortigate to a SIP provider on the internet. You can lock the policy down to just the target ports (UDP 5060 & RTP ports).
  • Apply the default strict VoIP policy to this outbound rule.
  • Once the PBX successfully connects to the external provider you can scan the external interface of the Fortigate and it will show port 5060 as open. Unsolicited requests made to 5060 will be forwarded to the internal PBX.
  • Note: There are no Virtual IP or Port forwards in place. There is just a single outbound policy rule.

As per Fortinet support this is the default and expected behaviour. I tried at length to explain to them that allowing unsolicited inbound connections in on an outbound isn't acceptable. They referred me to the documentation which states:

When register is going through the FortiGate with SIP ALG enabled; it will create a pinhole in the reverse direction allowing all SIP packets to be forwarded inside the network; whatever the source address it comes from. The pinhole created will skip the firewall checking in the reverse direction. Because of this, there is no way to filter some IP addresses.

This fix is to enable strict-register.

     

I really believe Fortinet need to change this default behaviour. Already since my original ticket I've heard of another Fortigate owner who lost USD$20000 in VoIP fraud due to this. Of course customers should also do more to secure their PBX, but who expects unsolicited inbound connections on an outbound policy?

     

You can read more here:

  • FD38168
  • SIP for FortiOS 5.2 (page 71-73)
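As an added example (not from the post above or from Fortinet's documentation), here is the single outbound policy the post describes, written as FortiOS-style CLI with strict-register enabled in the VoIP profile so the reverse-direction pinhole is limited to the registrar the PBX registered with. Interface names, the address objects and IPs, and the RTP port range are placeholders to be replaced with the customer's own values.

```text
# Added example, not from the original post or Fortinet documentation.
# Interface names, address objects and the RTP port range are placeholders.

# Address objects for the PBX and the provider's SIP registrar (placeholder IPs).
config firewall address
    edit "PBX"
        set subnet 192.168.10.10 255.255.255.255
    next
    edit "SIP-Provider"
        set subnet 203.0.113.5 255.255.255.255
    next
end

# Media ports the PBX actually uses; narrow this to the PBX's configured range.
config firewall service custom
    edit "PBX-RTP"
        set udp-portrange 10000-20000
    next
end

# VoIP profile: strict-register restricts the reverse-direction pinhole opened
# by the REGISTER to the registrar the PBX registered with, instead of any source.
config voip profile
    edit "sip-strict-register"
        config sip
            set strict-register enable
        end
    next
end

# The single outbound policy from the post, with the hardened profile applied.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "PBX"
        set dstaddr "SIP-Provider"
        set action accept
        set schedule "always"
        set service "SIP" "PBX-RTP"
        set utm-status enable
        set voip-profile "sip-strict-register"
        set logtraffic all
        set comments "PBX to SIP provider; strict-register on"
    next
end
```

Whether strict-register is already on in the built-in profiles depends on the FortiOS release, so confirm the effective value on the device with `show voip profile` before assuming the policy is closed.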