Blocking SIP request messages
You may want to block different types of SIP requests:
- to prevent SIP attacks using these messages.
- If your SIP server cannot process some SIP messages because of a temporary issue (for example a bug that crashes or compromises the server when it receives a message of a certain type).
- Your SIP implementation does not use certain message types.
When you enable message blocking for a message type in a VoIP profile, whenever a security policy containing the VoIP profile accepts a SIP message of this type, the SIP ALG silently discards the message and records a log message about the action.
Use the following command to configure a VoIP profile to block SIP CANCEL and Update request messages:
config voip profile
edit VoIP_Pro_Name
config sip
set block-cancel enable
set block-update enable
end
end
SIP uses a variety of text-based messages or requests to communicate information about SIP clients and servers to the various components of the SIP network. Since SIP requests are simple text messages and since the requests or their replies can contain information about network components on either side of the FortiGate, it may be a security risk to allow these messages to pass through.
The following table lists all of the VoIP profile SIP request message blocking options. All of these options are disabled by default.
Blocking SIP OPTIONS messages may prevent a redundant configuration from operating correctly. See Supporting geographic redundancy when blocking OPTIONS messages for information about resolving this problem. |
Options for blocking SIP request messages
SIP request message | SIP message blocking CLI Option |
---|---|
ACK | block-ack |
BYE | block-bye |
Cancel | block-cancel |
INFO | block-info |
INVITE | block-invite |
Message | block-message |
Notify | block-notify |
Options | block-options |
PRACK | block-prack |
Publish | block-publish |
Refer | block-refer |
Register | block-register |
Subscribe | block-subscribe |
Update | block-update |