My question is probably more of a theoretical nature:
Our customer is using a proxy IP telephony provider. For that we had to configure a Custom Service to communicate with the provider. Recently our customer started receiving multiple spam calls directly to their softphones. Together with FortiGate support we found a misconfiguration in the Custom Service/firewall policy pair and the spam calls have stopped.
Before that, I could see a lot of connected sessions to the ports used by telephony service providers from the attacking IP's random ports. Now, I don't see those any more. BUT when I start a sniffer, I still see packets from the same IP with SIP INVITEs hitting my external interface. The output looks like this:
I am not good at interpreting the sniffer data yet, so I am not sure what I am looking at.
Since the FortiView session does not show any sessions established from these IPs, and there is nothing on the external ports from the sniffer data, is it correct to say that those connection attempts are dropped by the firewall policy?