This article describes how to configure the SIP ALG so that it does not open SIP pinholes for unwanted VoIP calls.
When a SIP REGISTER passes through a FortiGate with the SIP ALG enabled, the ALG creates a pinhole in the reverse direction that forwards all SIP packets into the internal network.
This pinhole accepts packets regardless of the source address they come from.
This behaviour is useful for connecting external phones to the local PBX without creating an incoming policy.
However, it can be abused by attackers, who use the pinhole to reach an unauthenticated SIP server and place SIP calls through it.
When this happens and logging is enabled, the traffic log shows incoming traffic matching an outgoing policy.
One way to secure access to the internal PBX is to restrict the source IP of incoming calls to the IP address of the SIP proxy.
This is done with the 'strict-register' parameter in the SIP section of the VoIP profile:
config voip profile
    edit "Your_VoIP_Profile"
        config sip
            set strict-register enable
        end
    next
end
With strict-register enabled, the pinhole only accepts packets whose source IP equals the destination IP of the REGISTER sent in the outbound direction (in most cases the SIP proxy).
Which calls are allowed into the network can then be controlled on the SIP proxy itself.
The VoIP profile then has to be added to the firewall policy that allows the outgoing REGISTER from the PBX to the SIP proxy:
config firewall policy
    edit <Your_VoIP_Policy_ID>
        set voip-profile "Your_VoIP_Profile"
    next
end
The profile can also be attached to the policy in the GUI once the VoIP profile feature has been enabled under Feature Visibility.
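To check that the two steps above are actually in place on a device, the following audit script is added here as an example; it is not part of the original article or of any Fortinet tool. It parses a FortiOS configuration dump (the nested config / edit / set / next / end syntax shown above), lists every VoIP profile whose SIP section does not enable strict-register, and reports every firewall policy that attaches such a profile. The configuration text, the profile names and the policy names in SAMPLE_CONFIG are constructed placeholders; the script assumes a 'show full-configuration' style dump in which every value is printed explicitly, so an absent strict-register line is treated as not enabled and is reported for review.

```python
"""Audit a FortiOS configuration dump for SIP ALG strict-register coverage.

Added example (not Fortinet's code): parses the nested
'config / edit / set / next / end' block syntax into a dict, then reports
every VoIP profile whose SIP section does not enable strict-register and
every firewall policy that attaches such a profile.
"""
from __future__ import annotations

import shlex
from typing import Any

# Constructed sample in the shape of 'show full-configuration' output.
# Profile and policy names are placeholders, not taken from a real device.
SAMPLE_CONFIG = """\
config voip profile
    edit "default"
        config sip
            set status enable
            set strict-register disable
        end
    next
    edit "Your_VoIP_Profile"
        config sip
            set status enable
            set strict-register enable
        end
    next
end
config firewall policy
    edit 10
        set name "PBX-to-SIP-Proxy"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set voip-profile "Your_VoIP_Profile"
    next
    edit 11
        set name "LAN-outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set voip-profile "default"
    next
    edit 12
        set name "Guest-outbound"
        set srcintf "guest"
        set dstintf "wan1"
        set action accept
    next
end
"""


def parse_fortios(text: str) -> dict[str, Any]:
    """Turn FortiOS CLI block syntax into nested dicts.

    'config a b' and 'edit x' open a nested table (keyed "a b" / "x"),
    'set k v...' stores a value, 'next' and 'end' close the current level.
    """
    root: dict[str, Any] = {}
    stack: list[dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the double quotes around names
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def strict_register_enabled(profile: dict[str, Any]) -> bool:
    # Assumes explicit values (full-configuration dump); an absent
    # strict-register line is treated as not enabled so it gets reviewed.
    return profile.get("sip", {}).get("strict-register") == "enable"


def audit_sip_alg(text: str) -> tuple[list[str], list[tuple[str, str, str, str]]]:
    """Return (weak profile names, policy findings).

    A policy finding is (policy id, policy name, profile name, reason).
    Policies with no voip-profile line are skipped: which of them carries
    the outgoing REGISTER cannot be known from the config alone.
    """
    cfg = parse_fortios(text)
    profiles = cfg.get("voip profile", {})
    weak = sorted(n for n, p in profiles.items() if not strict_register_enabled(p))
    findings: list[tuple[str, str, str, str]] = []
    for pol_id, pol in cfg.get("firewall policy", {}).items():
        prof = pol.get("voip-profile")
        if prof is None:
            continue
        if prof not in profiles:
            findings.append((pol_id, pol.get("name", ""), prof, "profile not defined"))
        elif prof in weak:
            findings.append((pol_id, pol.get("name", ""), prof, "strict-register not enabled"))
    return weak, findings


if __name__ == "__main__":
    weak_profiles, policy_findings = audit_sip_alg(SAMPLE_CONFIG)
    print("VoIP profiles without strict-register:", weak_profiles)
    for pol_id, name, prof, reason in policy_findings:
        print(f"policy {pol_id} ({name}) -> profile {prof}: {reason}")
```

Run against a real dump by reading the file into audit_sip_alg instead of SAMPLE_CONFIG. Policies that carry no voip-profile line at all are deliberately not reported, because the configuration alone does not say which of them forwards the outgoing REGISTER; that policy must be identified by the administrator and checked by hand.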