FortiVoice Cookbook

Detecting the security risks


This section describes how to detect the security risks and take actions to secure the FortiVoice phone system.

Monitor > Log > Voice is where you investigate security risks. It displays the phone call activity between your FortiVoice unit and other PBXes. The "sip authentication fails" messages show the IP addresses that have failed to authenticate with your FortiVoice unit; some of these IP addresses might be security risks. When the number of attempted logins from an IP address reaches the configured threshold, the FortiVoice unit blocks that IP address and sends an alert email. See Setting the authentication failure parameters.

Voice log example:

To send alert emails, enter the email address in Log & Report > Alert > Configuration and enable the Massive SIP authentication failure option in Log & Report > Alert > Category.

You may take actions after receiving an alert email. See Reviewing blocked SIP device IP addresses.

Alert email example:

Setting the authentication failure parameters

You can use the CLI to set the authentication failure parameters.

    config security sip-authentication-failure
        set threshold
        set interval
        set max-notification
    end

| CLI command | Description |
| --- | --- |
| config security sip-authentication-failure | Use this command to configure SIP authentication failure parameters. |
| set threshold | Set the threshold for blocking IP addresses from logging in to the FortiVoice Phone System and sending an alert email. The default is 50 attempted logins per minute. |
| set interval | Set the time interval to check the phone call activities. The default is 60 seconds. |
| set max-notification | Set the maximum notification emails to send after the threshold is reached. The default is 100. |
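The following Python example is added here and is not Fortinet code or the FortiVoice unit's internal algorithm. It applies the threshold and interval settings described above to exported voice log lines offline, to show which source IP addresses would reach the default of 50 failed attempts within 60 seconds. The log line format, the function names and the sample addresses are assumptions constructed for illustration; only the "sip authentication fails" message text comes from this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed export format (constructed, not FortiVoice's actual log layout):
#   <YYYY-MM-DD HH:MM:SS> <source IP> <message>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
FAIL_TEXT = "sip authentication fails"  # message text quoted on this page


def find_offenders(lines, threshold=50, interval=60):
    """Return {ip: first time the IP reached `threshold` failures within
    any `interval`-second window}. `lines` must be in chronological order."""
    window = timedelta(seconds=interval)
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or FAIL_TEXT not in m.group(3).lower():
            continue              # skip malformed lines and non-failure events
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def sample_log():
    """Constructed sample: one noisy source and one user mistyping a password."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(60):           # 203.0.113.10: one failure per second
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 203.0.113.10 SIP authentication fails")
    for i in range(3):            # 198.51.100.7: three failures, 5 minutes apart
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 198.51.100.7 SIP authentication fails")
    lines.append("2024-01-01 09:02:00 192.0.2.5 call established")
    return sorted(lines)          # timestamp prefix makes this chronological


if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{ip} reached the threshold at {when}")
```

Running the same log through lower `threshold` values shows how many additional sources a stricter setting would block, which helps when deciding whether the default suits your call volume.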

Reviewing blocked SIP device IP addresses

The FortiVoice unit automatically blocks the IP addresses of SIP devices that initiate attacks against any extension, based on the configured thresholds and parameters.

For blocked IP addresses, you may select an IP address to delete it, add it to the exempt list if it is wrongly blocked, and view its blocked history.

For auto exempt IP addresses, you may select an IP address to delete it if you find it suspicious.

To view the blocked IP addresses, go to Monitor > Security > Blocked IP.

To view the exempted IP addresses, go to Monitor > Security > Auto Exempt IP.
