The FortiVoice unit automatically blocks the IP addresses of the SIP devices that initiate the attacks against any extensions based on the thresholds and parameters set. For more information on configuring security settings, see Configuring intrusion detection.
For blocked IPs, you may select an IP to delete it, add it to the exempt list if it is wrongly blocked, and view its blocked history.
For auto exempt IPs, you may select an IP to delete it if you find it suspicious.
To view the blocked IPs, go to Monitor > Security > Blocked IP.
To view the exempted IPs, go to Monitor > Security > Auto Exempt IP.
You can use the CLI to set the threshold for blocking IPs and sending alert email (the default is 50 attempted logins per minute), the time interval to check the phone call activities (the default is 60 seconds), and the maximum notification emails to send after the threshold is reached (the default is 100).
config security sip-authentication-failure