FreePBX And Failed Security Scan (SIP UDP Transport Supported)

Hi all,
I have searched on this one in the Forums but can’t find a solution to this one, so any help would be really appreciated.

Firstly, I love FreePBX and it really got me out of a hole when I had an unexpected need for some “proper” telephony to run alongside our callcentre solution.

I am clearly not an expert in SIP or VoIP or FreePBX / Asterisk, so configuring FreePBX and getting it to work through our Palo Alto firewalls has been a bumpy road.

However, it has been running great for the past 12 months and we have really had some great, stable performance.

Recently, we had a standard external vulnerability scan run (which we do from time to time) and for the first time the report has featured an entry stating the public IP of the FreePBX system (NAT’d to our internal server IP via our firewall) has failed the scan as it says “SIP UDP Transport Supported”.

I know that SIP is used to set up the call only, and then RTP takes over for voice transport, but I wondered how difficult it would be to set up SIP only to run on TCP externally. I can see some articles about using TCP internally for extensions (we only use wired extensions) but I haven’t done this.

I was hoping that the external communication signalling could be easily switched to TCP, instead of UDP, and that I could update our firewall to only accept TCP on 5060 on the public IP, to improve security and pass the scan.

Has anyone else done this? I would really appreciate some help please.
Thanks in advance.

You can set up TCP or TLS SIP connections for your extensions. This is configured on each extension by changing the transport setting in both FreePBX and your phones. For TLS, assuming your handsets support it, you will have to configure a certificate first.

Ah ok, thanks. So I configure this on the extensions only and then just turn off the UDP allow 5060 on the firewall?
I will give that a go.

Thanks again