I've recently made a rather shocking discovery with a Fortigate at a customer that was allowing unsolicited inbound connections on an outbound only SIP policy. I've had a lot of back and forth with Fortinet support and they have confirmed that this is the default and expected behaviour! :wtf: They are also happy to point you at the documentation that states this (the things one discovers after the fact). I would personally expect a security company to be locking things down so a customer can knowingly open up what they need. After more digging I discovered this behaviour at another customer as well so attackers are already exploiting it. Fortinet really should be alerting their customers and changing their default setting IMO, but until then there is MBB. 
To replicate the problem:
- FortiOS 5.2.9
- Ensure you've disabled the SIP helper (which has the same problem, which is why it was disabled by default in FortiOS 5.2).
- Create an outbound policy from your PBX on the LAN to a SIP server on the internet. Make the rule as specific as possible by specifying both the source and destination along with your required ports (UDP 5060, 10000-20000 or whatever your RTP ports are). Apply the default strict VoIP profile to this outbound rule.
- Monitor your PBX for failed logins sourced from the general internet.
- On the Fortigate CLI you will see inbound connections hitting the random high port opened by the outbound connection.

The workaround:
- Edit the strict VoIP profile on the CLI and enable strict-register.

References:
- FD38168
- SIP for FortiOS 5.2 (pg 71-73)
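The outbound-only policy described in the replication steps, followed by the strict-register workaround, as FortiOS 5.2 CLI. This is an added example and not configuration from the original post or from Fortinet; the address, service and interface names (`PBX`, `SIP-Provider`, `internal`, `wan1`) and the IPs (RFC 5737 documentation ranges) are assumed placeholders, and the SIP helper is switched off under `config system settings` as step two of the post requires.

```fortios
# FortiOS 5.2 CLI, added example (not from the post). Object names, interface
# names and IP addresses below are assumed placeholders.

# 1. Disable the SIP session helper so the VoIP profile (SIP ALG) handles SIP,
#    as the replication steps require.
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

# 2. Restrict the policy to exactly the PBX, the provider and the ports in use.
config firewall address
    edit "PBX"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "SIP-Provider"
        set subnet 198.51.100.20 255.255.255.255
    next
end

config firewall service custom
    edit "SIP-UDP-5060"
        set udp-portrange 5060
    next
    edit "RTP-10000-20000"
        set udp-portrange 10000-20000
    next
end

# 3. The outbound-only policy from the post with the strict VoIP profile
#    applied. With only this in place, the post reports unsolicited inbound
#    SIP still reaching the PBX through the high port the ALG opens.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "PBX"
        set dstaddr "SIP-Provider"
        set action accept
        set schedule "always"
        set service "SIP-UDP-5060" "RTP-10000-20000"
        set utm-status enable
        set voip-profile "strict"
        set nat enable
    next
end

# 4. The workaround: enable strict-register in the strict VoIP profile so only
#    the registrar the PBX registered with may send SIP through the pinhole.
config voip profile
    edit "strict"
        config sip
            set strict-register enable
        end
    next
end
```

After applying step 4, repeat the check from the replication steps: watch `diagnose sys session list` on the Fortigate for sessions arriving at the PBX's high port from addresses other than the SIP provider, and watch the PBX for failed registrations from the general internet; both should stop once strict-register is active.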