VoIP Traffic matching rules that do not apply
Hi!
We are seeing strange behavior in our FortiGate 80E firewalls, specifically in our TRANSPARENT vdom and with VoIP traffic (port 5060 and RTP). We opened a ticket with Fortinet support, but so far the solution that we've received is not satisfactory.
I'll try to explain the case the best I can:
1) We have several PBXs in the cloud, protected with FortiGate 80E and 100E units in both NAT and TRANSPARENT mode.
The problem happens in two different 80E boxes.
2) The fortis have 2 vdoms enabled, a root vdom in nat mode and another in transparent. Here is a simplified diagram of our architecture (architecture-fortigate80.jpg):
https://drive.google.com/file/d/1MsZ65zQGf5MdjGvblae2UWQ8OrB6E63S/view?usp=sharing
3) We see that traffic that should be blocked is being allowed because the firewall matches it with policies that exist for other interface pairs. For example:
https://drive.google.com/file/d/1iIM9tpZX6nYc2sDqr-mFN6sGt0cmrfm2/view?usp=sharing
This has led to attackers being able to access our servers. We've only seen this happening for SIP and RTP packets.
4) Fortinet support told us that we should set the VoIP profile to strict. However, we currently have SIP ALG disabled, since it generated all kinds of problems (no audio, missing signaling packets, etc.), and following that recommendation would re-enable the SIP helpers, so it's currently not an option.
Besides, this happens in Transparent mode; why do the SIP helpers affect the traffic in transparent mode?
Any ideas of what could be happening and how to solve it?
Thanks in advance,
Mariana
Update:
I found this other post with a similar issue:
https://forum.fortinet.com/tm.aspx?m=151561
I've run
forti2 (TRANSPARENT) # diagnose sys sip-proxy stats list
and it seems that SIP ALG is disabled in the root vdom but not in the transparent vdom:
vdom name: root
---------------------------
active-sessions: 0
calls-attempted: 0
calls-established: 0
calls-failed: 0
calls-active: 0
registers-active: 0

vdom name: TRANSPARENT
---------------------------
active-sessions: 378
calls-attempted: 26602951
calls-established: 8682869
calls-failed: 17919488
calls-active: 632
registers-active: 367
Is there a way to disable it in the transparent vdom too?
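
A check for the output quoted above, as an added example that is not part of the original post or of Fortinet's tooling: it parses saved `diagnose sys sip-proxy stats list` output and lists the VDOMs whose counters are non-zero. The function names are hypothetical, and reading non-zero counters as "the SIP proxy is handling traffic in that VDOM" is an assumption that follows the post's own interpretation.

```python
import re

# Constructed sample in the shape of the output quoted in the post
# (counter values copied from that post).
SAMPLE = """\
vdom name: root
---------------------------
active-sessions: 0
calls-attempted: 0
calls-established: 0
calls-failed: 0
calls-active: 0
registers-active: 0
vdom name: TRANSPARENT
---------------------------
active-sessions: 378
calls-attempted: 26602951
calls-established: 8682869
calls-failed: 17919488
calls-active: 632
registers-active: 367
"""

VDOM_RE = re.compile(r"vdom name:\s*(\S+)")
# Hyphenated counter name followed by an integer, e.g. "calls-active: 632".
STAT_RE = re.compile(r"([a-z]+(?:-[a-z]+)+):\s*(\d+)")


def parse_sip_proxy_stats(text):
    """Return {vdom: {counter: int}}; accepts wrapped or single-line output."""
    stats = {}
    # Split in front of every "vdom name:" header so each section keeps its header.
    for section in re.split(r"(?=vdom name:)", text):
        header = VDOM_RE.search(section)
        if not header:
            continue
        body = section[header.end():]
        stats[header.group(1)] = {k: int(v) for k, v in STAT_RE.findall(body)}
    return stats


def vdoms_with_sip_proxy_activity(stats):
    """VDOMs with any non-zero counter (assumed sign the SIP proxy saw traffic)."""
    return sorted(v for v, counters in stats.items() if any(counters.values()))


if __name__ == "__main__":
    print(vdoms_with_sip_proxy_activity(parse_sip_proxy_stats(SAMPLE)))
```

Running it against output captured before and after a configuration change shows whether the counters in a VDOM have stopped increasing.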
