Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiVoice Cookbook

Detecting the security risks

This section describes how to detect the security risks and take actions to secure the FortiVoice phone system.

Investigating security risks

Monitor > Log > Voice provides the window to investigate the security risks. This window displays the phone call activities between your FortiVoice unit and other PBXs. The sip authentication fails messages show the IP addresses that have failed to obtain the authentication from your FortiVoice unit. Some of these IP addresses could be security risks. Depending on the configured threshold, the FortiVoice unit blocks the IP addresses if their number of attempted logins have reached the set threshold (see Setting authentication failure parameters). Meanwhile, the alert email is sent out (see Sending alert emails).

Voice log example

Sending alert emails

  1. Go to Log & Report > Alert > Configuration.
  2. Click +New.
  3. Enter the email address.
  4. Click Create.
  5. Go to Log & Report > Alert > Category.
  6. Enable Massive SIP authentication failure.
  7. Click Apply.
  8. After receiving an alert email, you can take action. See Reviewing blocked SIP device IP addresses.

Alert email example

Setting authentication failure parameters

You can use the CLI to set the authentication failure parameters.

config security sip-authentication-failure

set threshold

set interval

set max-notification

end

CLI command

Description

config security sip-authentication-failure

Use this command to configure SIP authentication failure parameters.

set threshold

Set the threshold for blocking IP addresses from logging in to the FortiVoice phone system and sending an alert email.

The default is 50 attempted logins per minute.

set interval

Set the time interval to check the phone call activities.

The default is 60 seconds.

set max-notification

Set the maximum notification emails to send after the threshold is reached.

The default is 100.

Reviewing blocked SIP device IP addresses

The FortiVoice unit automatically blocks IP addresses of the SIP devices that initiate the attacks against any extensions based on the thresholds and parameters set.

For blocked IP addresses, you can select an IP address to delete it, add it to the exempt list if it is wrongly blocked, and view its blocked history.

For auto exempt IP addresses, you can select an IP address to delete, if you find that IP address suspicious.

To view blocked IP addresses, go to Monitor > Security > Blocked IP.

To view exempted IP addresses, go to Monitor > Security > Auto Exempt IP.

Detecting the security risks

This section describes how to detect the security risks and take actions to secure the FortiVoice phone system.

Investigating security risks

Monitor > Log > Voice provides the window to investigate the security risks. This window displays the phone call activities between your FortiVoice unit and other PBXs. The sip authentication fails messages show the IP addresses that have failed to obtain the authentication from your FortiVoice unit. Some of these IP addresses could be security risks. Depending on the configured threshold, the FortiVoice unit blocks the IP addresses if their number of attempted logins have reached the set threshold (see Setting authentication failure parameters). Meanwhile, the alert email is sent out (see Sending alert emails).

Voice log example

Sending alert emails

  1. Go to Log & Report > Alert > Configuration.
  2. Click +New.
  3. Enter the email address.
  4. Click Create.
  5. Go to Log & Report > Alert > Category.
  6. Enable Massive SIP authentication failure.
  7. Click Apply.
  8. After receiving an alert email, you can take action. See Reviewing blocked SIP device IP addresses.

Alert email example

Setting authentication failure parameters

You can use the CLI to set the authentication failure parameters.

config security sip-authentication-failure

set threshold

set interval

set max-notification

end

CLI command

Description

config security sip-authentication-failure

Use this command to configure SIP authentication failure parameters.

set threshold

Set the threshold for blocking IP addresses from logging in to the FortiVoice phone system and sending an alert email.

The default is 50 attempted logins per minute.

set interval

Set the time interval to check the phone call activities.

The default is 60 seconds.

set max-notification

Set the maximum notification emails to send after the threshold is reached.

The default is 100.

Reviewing blocked SIP device IP addresses

The FortiVoice unit automatically blocks IP addresses of the SIP devices that initiate the attacks against any extensions based on the thresholds and parameters set.

For blocked IP addresses, you can select an IP address to delete it, add it to the exempt list if it is wrongly blocked, and view its blocked history.

For auto exempt IP addresses, you can select an IP address to delete, if you find that IP address suspicious.

To view blocked IP addresses, go to Monitor > Security > Blocked IP.

To view exempted IP addresses, go to Monitor > Security > Auto Exempt IP.