Good morning,
My question is probably more of theory nature:
Our customer is using Proxy IP telephony provider. For that we had to configure Custom Service to communicate with the provider. Recently our customer started receiving multiple spam calls directly to their softphones. Together with Fortigate support we found a misconfiguration in the Custom service /firewall policy pair and spam calls have stopped.
Before that, I could see a lot of connected sessions to the ports used by telephony service providers from the attacking IP's random ports. Now, I don't see those any more. BUT when I start a sniffer, I still see packets from same IP with SIP INVITES hitting my external interface: the output looks like this:
I am not good in interpreting the sniffer data yet so I am not sure of what I am I looking at.
Since the Forti View session does not show any sessions established from these IP's, and there is nothing on the external ports from the sniffer data, is it correct to say, that those connection attempts are dropped by the firewall policy?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi AndrArt,
Yes, it could mean that packets are getting dropped by the firewall policy in place.
You can have a better understanding of how FGT is dealing with packets by using the following commands:
diag de flow filter addr x.x.x.x
diag de flow trace start 1000
diag de en
Replace x.x.x.x with one of the source addresses that you are blocking.
More details on filters here:
You will see how FGT is dealing with that traffic.
Hope this helps.
Regards,
Shahan Agha
Hi AndrArt,
Yes, it could mean that packets are getting dropped by the firewall policy in place.
You can have a better understanding of how FGT is dealing with packets by using the following commands:
diag de flow filter addr x.x.x.x
diag de flow trace start 1000
diag de en
Replace x.x.x.x with one of the source addresses that you are blocking.
More details on filters here:
You will see how FGT is dealing with that traffic.
Hope this helps.
Regards,
Shahan Agha
Hi sagha,
Thank you for the explanation and guidance this was really helpful. The debug flow shows that the incoming packets do not hit the SIP communication rule, and are dropped by the implicit deny rule.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.