Firewall Fortigate Fortinet SIP – IP Getting Through Firewall Despite Being on Banned List


I am facing a weird scenario. We have a SIP gateway in the DMZ. Yesterday I observed malicious traffic hitting the SIP gateway from the 212.x.x.209 IP. I immediately banned this IP in the firewall so that the traffic gets denied on the firewall itself, but it is getting passed intermittently.

Malicious traffic is coming from all the banned IPs, but I don't understand why it is getting allowed intermittently.

This issue is related to SIP traffic. We have a Fortigate 100D with firmware v5.6.4.

PFA the banned IP list and logs so that you can understand the scenario clearly.

Banned IP list

Firewall logs

Kindly help me to understand this.

Best Answer

You need to check the Forward Traffic log for which policy is applied to the accepted connections. If you don't see the policy column, you need to add it to the display.

Policies are applied in strict order, first match from top to bottom is applied. Likely, you need to resort your policies or refine a previous ACCEPT policy that's too wide.

For a SIP gateway connection I'd accept only the single defined IP address or subnet that it's located on.
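To illustrate the answer above, here is an added FortiOS CLI example (not from the thread or from Fortinet's own documentation) of a too-wide SIP accept policy next to the narrowed one the answer recommends. Interface names (wan1, dmz), address-object names and the addresses themselves are placeholders assumed for the example.

```fortios
# Constructed example: address objects for the only peer that should reach the SIP gateway
config firewall address
    edit "SIP_Provider"
        set subnet 203.0.113.10 255.255.255.255   # placeholder: SIP trunk provider address
    next
    edit "SIP_GW_DMZ"
        set subnet 192.0.2.20 255.255.255.255     # placeholder: SIP gateway in the DMZ
    next
end

# Weak: any source on wan1 may reach the gateway on SIP. Because policies are
# matched first-hit from top to bottom, this policy admits the traffic before
# anything below it (including a stricter policy) is ever consulted.
config firewall policy
    edit 10
        set name "SIP_inbound_wide"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "SIP_GW_DMZ"
        set service "SIP"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# Hardened: accept SIP only from the provider object, log every session so the
# Forward Traffic log's policy column shows which policy ID admitted a connection,
# and remove the wide policy so it can no longer match first.
config firewall policy
    edit 11
        set name "SIP_inbound_provider_only"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "SIP_Provider"
        set dstaddr "SIP_GW_DMZ"
        set service "SIP"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    delete 10
end
```

After the change, filter the Forward Traffic log on the gateway's address: every accepted SIP session should now show policy ID 11, and anything from an unexpected source should fall through to the implicit deny.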