Detecting the security risks
This section describes how to detect the security risks and take actions to secure the FortiVoice phone system.
Investigating security risks
Monitor > Log > Voice provides the window to investigate the security risks. This window displays the phone call activities between your FortiVoice unit and other PBXs. The "sip authentication fails" messages show the IP addresses that have failed to authenticate to your FortiVoice unit. Some of these IP addresses could be security risks. Depending on the configured threshold, the FortiVoice unit blocks an IP address when its number of attempted logins reaches the set threshold (see Setting authentication failure parameters). An alert email is sent out at the same time (see Sending alert emails).
Voice log example
Sending alert emails
- Go to Log & Report > Alert > Configuration.
- Click +New.
- Enter the email address.
- Click Create.
- Go to Log & Report > Alert > Category.
- Enable Massive SIP authentication failure.
- Click Apply.
- After receiving an alert email, you can take action. See Reviewing blocked SIP device IP addresses.
Alert email example
Setting authentication failure parameters
You can use the CLI to set the authentication failure parameters.
config security sip-authentication-failure
set threshold
set interval
set max-notification
end
| CLI command | Description |
|---|---|
| config security sip-authentication-failure | Use this command to configure SIP authentication failure parameters. |
| set threshold | Set the threshold for blocking IP addresses from logging in to the FortiVoice phone system and sending an alert email. The default is 50 attempted logins per minute. |
| set interval | Set the time interval to check the phone call activities. The default is 60 seconds. |
| set max-notification | Set the maximum number of notification emails to send after the threshold is reached. The default is 100. |
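To judge how a threshold and interval would behave before changing them, you can replay exported voice log lines through the same kind of count. The following is an added example, not Fortinet code: the log line layout, the function names and the sliding-window counting are assumptions, since this page does not document the export format or the unit's exact counting method.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (constructed for this example, not the FortiVoice export format):
#   2024-05-01 10:00:00 sip authentication fails from 203.0.113.7
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*sip authentication fails.*?"
    r"from (\d{1,3}(?:\.\d{1,3}){3})\b", re.I)
FMT = "%Y-%m-%d %H:%M:%S"

def find_offenders(lines, threshold=50, interval=60):
    """Return {ip: time its failures within `interval` seconds first reached
    `threshold`}. Lines must be in chronological order. The defaults mirror
    the documented defaults (50 attempts, 60 seconds)."""
    span = timedelta(seconds=interval)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not an authentication failure message
        ts, ip = datetime.strptime(m.group(1), FMT), m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= span:  # drop failures older than the interval
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

def sample_lines():
    """Constructed sample: one fast source, one slow source, one normal call."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(FMT)
    fast = [f"{stamp(i)} sip authentication fails from 203.0.113.7"
            for i in range(50)]       # 50 failures in 50 seconds
    slow = [f"{stamp(2 * i)} sip authentication fails from 198.51.100.20"
            for i in range(50)]       # 50 failures spread over 100 seconds
    other = [f"{stamp(0)} call established from 192.0.2.10"]
    return sorted(fast + slow + other)

if __name__ == "__main__":
    for ip, when in find_offenders(sample_lines()).items():
        print(f"{ip} reached the threshold at {when}")
```

With the default values only the fast source is reported; the slow source sends the same number of failures but never has 50 inside one 60-second window, which is the kind of traffic a lower threshold or longer interval would be needed to catch.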
Reviewing blocked SIP device IP addresses
Based on the thresholds and parameters set, the FortiVoice unit automatically blocks the IP addresses of SIP devices that initiate attacks against any extension.
For blocked IP addresses, you can select an IP address to delete it, add it to the exempt list if it was wrongly blocked, or view its blocked history.
For auto exempt IP addresses, you can select an IP address and delete it if you find that IP address suspicious.
To view blocked IP addresses, go to Monitor > Security > Blocked IP.
To view exempted IP addresses, go to Monitor > Security > Auto Exempt IP.