Configuring additional settings
In order to provide another level of protection beyond external abuse, there are a number of settings that you can enable to protect the FortiVoice phone system from internal abuse.
This recipe includes the following settings:
- Call restrictions and common phones
- Interface access
- Guest provision protocol
- Prohibited prefixes
- Trusted hosts for administrators
- Trusted hosts for extensions
- Unused administrators
- Unused extensions
- Verify SIP user agent
- Blocking numbers
- Unassigned phones
Call restrictions and common phones
Restrictions can be put in place based on call types, such as blocking international or toll calls.
- Go to Security > User Privilege > User Privilege.
- Select a user privilege and click Edit.
- Expand Call Restriction and configure the settings accordingly.
Extensions that are placed in common areas, such as store floors and kitchens, should have the highest restriction levels, which include a PIN code to make calls.
- Set the appropriate call restriction to Allowed with Account Code, Allowed with Personal Code, or Allowed with Account and Personal Code.
Interface access
Any access methods that are not being used on the FortiVoice device should be disabled.
- Go to System > Network > Network.
- Select an interface and click Edit.
- Under Advanced Setting, disable any unused Access protocols.
Guest provision protocol
Using HTTPS to provision FortiFone devices with FortiVoice is recommended.
- Go to System > Advanced > Auto Provisioning.
- Under Auto Provisioning, set Provisioning protocol to HTTPS.
Prohibited prefixes
You may want to outright block certain phone number prefixes, such as 900 (blocked by default) which is commonly used for premium-rate calls, or phone calls with area codes originating from certain regions.
- Go to Phone System > Setting > Option.
- Under Number Management, add all undesirable prefixes to the System prohibited prefix section.
Trusted hosts for administrators
Certain IP subnets can be designated as allowed or trusted for administrators to log into FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system.
- Go to System > Administrator > Administrator.
- Select the administrator and click Edit.
- Set Trusted hosts type to the local trusted IP subnet (define as many as required) or RFC 1918 predefine.
Trusted hosts for extensions
Certain IP subnets can also be designated as trusted for extensions to register to FortiVoice. This configuration can allow local networks to access the system but restrict remote access to the system.
- Go to Phone System > Profile > User Privilege.
- Select a user privilege and click Edit.
- Expand Advanced Setting, and set Trusted hosts to the local trusted IP subnet (define as many as required).
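Before entering a trusted-hosts list for administrators or extensions, it helps to check that every entry is a well-formed subnet and that none of them reopens remote access. The following Python script is an added example, not Fortinet code; it assumes the planned entries are written in CIDR notation, and the sample list is constructed for illustration.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_trusted_hosts(entries):
    """Return {entry: [findings]} for a planned trusted-hosts list."""
    report = {}
    for entry in entries:
        findings = []
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            # Either not an address at all, or host bits set (e.g. 10.20.0.5/16).
            try:
                net = ipaddress.ip_network(entry, strict=False)
                findings.append(f"host bits set; network is {net}")
            except ValueError:
                report[entry] = ["not a valid IP subnet"]
                continue
        if net.prefixlen == 0:
            findings.append("matches every address; no restriction at all")
        elif net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            findings.append("not inside RFC 1918 private space")
        report[entry] = findings
    return report


def is_allowed(source_ip, entries):
    """True if source_ip falls inside at least one valid trusted subnet."""
    addr = ipaddress.ip_address(source_ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # Skip entries that are not subnets.
        if addr.version == net.version and addr in net:
            return True
    return False


# Constructed sample list, not taken from any real deployment.
PLANNED = ["192.168.10.0/24", "10.20.0.5/16", "0.0.0.0/0", "203.0.113.0/24", "lan"]

if __name__ == "__main__":
    for entry, findings in audit_trusted_hosts(PLANNED).items():
        print(entry, "->", findings or ["ok"])
```

An entry with an empty findings list is a clean private subnet; any other entry should be corrected or justified before it is entered in the Trusted hosts field.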
Unused administrators
Remove administrator profiles that are not in use.
- Go to System > Administrator > Administrator.
- Select the administrators that are not active and click Delete.
Unused extensions
To avoid the unintentional use of unused extensions, remove those extensions.
- Go to Extension > Extension > IP Extension.
- Disable the extensions that are not active.
Verify SIP user agent
Restrict phone registration so only phone requests that match the system configured phone type are allowed.
- Go to Dashboard > Console and click inside the window to connect to the CLI console.
- Enter the following commands:
config system sip-setting
set verify-user-agent enable
end
Blocking numbers
If you find that an extension is being attacked by other devices, you can block it to stop the attacks.
- Go to Security > Blocked Number.
- Click New.
- Enter the extension you want to block.
- Click Create.
- To unblock a number, select it in the list and click Delete.
Unassigned phones
If the number of phones that are auto discovered but have not been assigned extensions is abnormally high, the FortiVoice unit may be under a MAC address flooding attack, which will compromise its performance. You can remove the phones.
- Go to Dashboard > Status.
- At the bottom of System Information, find Phones not assigned.
- Click the Remove all not assigned phones icon to delete the phones as required.