Technical Tip: How to use the SIP ALG to prevent unwanted calls

gmanea · ‎01-05-2016

Description
This article describes how to use the SIP ALG to prevent the ALG to open SIP pinholes for unwanted VoIP calls.
When a SIP REGISTER is going through the FortiGate with SIP ALG enabled, it will create a pinhole in the reverse direction allowing all SIP packets to be forwarded inside the network.

This applies regardless of the source address from which it originates.
This feature can be useful to connect external phones to the local PBX without creating an incoming policy.
But it can be abused by attackers, using your unauthenticated SIP server to place SIP calls.

In these cases, and if logging is enabled, a log entry can appear for incoming traffic matching an outgoing policy.

Related document:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/809/sip-pinholes

Solution
A way to secure the access to your internal PBX is to restrict the source IP of incoming calls to the SIP proxy IP address.
This can be done by setting the 'strict-register' parameter in your SIP VoIP profile settings:

# config voip profile
        edit Your_VoIP_Profile
            config sip
                  set strict-register enable
            end
        end
    end

In this way, the pinhole opened will allow only packets with source IP equal to the destination IP of the Register sent to outbound direction (in most cases it will be the SIP proxy).

From the SIP proxy, it is possible to easily control the calls wanted or not to go through to the network.

This VoIP profile afterwards has to been added to the policy, which is allowing the outgoing REGISTER from your PBX to your SIP Proxy.

# config firewall policy
    edit Your VoIP Policy
        set voip-profile "Your_VoIP_Profile"
    end
end

Add this profile on the GUI when the VoIP profile feature in the Feature Visibility is enabled:

Afterwards it will show up in the security profiles on the firewall policy: