Wednesday, March 22, 2023

Phantom calls on hosted VoIP phones behind FortiGate.

Small office with a few Polycom phones from the local cable company.

No policies allow incoming traffic from WAN1, but I see traffic like the lines below.

wan1 in 68.35.27.144.5060 -> 24.49.187.25.65476: udp 540

internal out 68.35.27.144.5060 -> 10.88.1.18.5060: udp 532

The Fortinet receives packets on udp 65476 and the phone rings. 10k fake calls in a week.

I was able to replicate this with the sipp utility on Linux.

sipp 24.59.187.25:65476 (This makes the phone ring)

The option below appears to have stopped the calls.

 config system settings
     set sip-helper disable
 end
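
A way to spot the same pattern in a longer sniffer capture, added here as an example and not part of the original post: the script pairs each packet seen inbound on wan1 with the packet forwarded out the internal interface to udp/5060 and counts the external sources. The `trusted` provider address and every sample line after the first two are constructed assumptions.

```python
import re
from collections import Counter

# Sniffer line layout as it appears in the post:
#   <iface> <in|out> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: udp <len>
LINE_RE = re.compile(
    r"(?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp (?P<len>\d+)"
)

def forwarded_sip(lines, wan_if="wan1", lan_if="internal", trusted=frozenset()):
    """Return (src, wan_dst_port, lan_dst) for each WAN packet relayed to a phone:
    seen 'in' on wan_if, then 'out' on lan_if to udp/5060 from the same ip:port.
    `trusted` is the provider's SIP server addresses (assumed known)."""
    pending = {}   # (src, sport) -> destination port on the WAN side
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["sport"])
        if m["iface"] == wan_if and m["dir"] == "in":
            pending[key] = int(m["dport"])
        elif m["iface"] == lan_if and m["dir"] == "out" and key in pending:
            wan_port = pending.pop(key)
            if m["dport"] == "5060" and m["src"] not in trusted:
                hits.append((m["src"], wan_port, m["dst"]))
    return hits

def callers(hits):
    """Count relayed packets per external source address."""
    return Counter(src for src, _, _ in hits)

# First two lines are from the post; the rest are constructed sample data
# (198.51.100.7 stands in for the provider's SIP server, an assumption).
SAMPLE = """\
wan1 in 68.35.27.144.5060 -> 24.49.187.25.65476: udp 540
internal out 68.35.27.144.5060 -> 10.88.1.18.5060: udp 532
wan1 in 198.51.100.7.5060 -> 24.49.187.25.65476: udp 610
internal out 198.51.100.7.5060 -> 10.88.1.18.5060: udp 602
wan1 in 203.0.113.50.5071 -> 24.49.187.25.65476: udp 498
internal out 203.0.113.50.5071 -> 10.88.1.18.5060: udp 490
wan1 in 203.0.113.50.5071 -> 24.49.187.25.443: udp 498
""".splitlines()

if __name__ == "__main__":
    print(callers(forwarded_sip(SAMPLE, trusted={"198.51.100.7"})))
```

A WAN packet with no matching internal-out line (the last sample line) was dropped by the firewall and is not reported.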