VoIP/SIP (5.6)

VoIP/SIP (5.6)

This chapter describes new VoIP and SIP features added to FortiOS 5.6.

SIP strict-register enabled by default in VoIP Profiles (380830)

If strict-register is disabled, when REGISTER is received by a FortiGate, the source address (usually the IP address of PBX) and ports (usually port 5060) are translated by NAT to the external address of the FortiGate and port 65476. Pinholes are then opened for SIP and RTP. This tells the SIP provider to send incoming SIP traffic to the external address of the FortiGate on port 65476.

This creates a security hole since the port is open regardless of the source IP address so an attacker who scans all the ports by sending REGISTER messages to the external IP of the FortiGate will eventually have one register go through.

When strict-register is enabled (the new default) the pinhole is smaller because it will only accept packets from the SIP server.

Enabling strict-register can cause problems when the SIP registrar and SIP proxy server are separate entities with separate IP addresses.

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs VDOM data located in the voipd daemon.

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom VDOM list by id:

VoIP/SIP (5.6)

vdom 0 root (Kernel: root) vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom) vdom 2 test2 (Kernel: test2) vdom 3 test3 (Kernel: test3) vdom 4 vdoma2 (Kernel: vdoma2) vdom 5 vdomb2 (Kernel: vdomb2) vdom 6 vdomc2 (Kernel: vdomc2) vdom 7 vdoma (Kernel: vdoma) vdom 8 vdomb (Kernel: vdomb) vdom 9 vdomc (Kernel: vdomc) VDOM list by name: vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom) vdom 0 root (Kernel: root) vdom 2 test2 (Kernel: test2) vdom 3 test3 (Kernel: test3) vdom 7 vdoma (Kernel: vdoma) vdom 4 vdoma2 (Kernel: vdoma2) vdom 8 vdomb (Kernel: vdomb) vdom 5 vdomb2 (Kernel: vdomb2) vdom 9 vdomc (Kernel: vdomc) vdom 6 vdomc2 (Kernel: vdomc2)

 

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.