I'm wondering if anyone has encountered this before and hope this is a proper section to post this, mods if this is wrong appreciate some help to shift it to the correct forum section.
We've installed a Fortigate 90D for our client and their IP phone vendor left SIP - 5060 open - we're hoping to remap this to a different port soon.
They require this port open for their soft phones to connect back to office when on the go.
Of late, I've been noticing probes (both mild and intensive) to this port - their IP Phone system had already previously been broken into once making a large amount of IDD calls - subsequently - blocked by the phone company (prior to the 90D).
I'm wondering whether is there any way i can block based on the "unknown-12" application detection by Fortigate, since the IP is randomized, its pretty hard to block/prevent all probes.
IPS has been enabled on this firewall ruleset but unable to pickup anything.
All probes go to port 5060/UDP.
Have attached a part of the log.
hi,
every AppCtrl sensor includes 2 default "patterns" at the end:
- all other known apps
- all other unknown apps
Default action is 'monitor', that is, log and accept.
If you guide the SIP traffic over a policy of it's own (using udp/5060 or the destination address) you could try to block 'all other unknown' apps as this policy is meant to allow SIP only. You just have to make sure that you won't block wanted unknown traffic.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.