SIP Profile with Strict Security mode enabled will have SIP traffic from unregistered SIP User Agent being filtered in the IP firewall, with the exception of SIP REGISTER message. After a successful registration, source IP of the UA is whitelisted, which means future SIP traffic from this UA will bypass the firewall.
This feature can be selectively configurable for each SIP Profile. You can turn on Strict Security on external SIP Profile and leaving it disabled on all internal SIP Profiles where security is less of a concern.
All SIP messages from IPs in ACL list for inbound will bypass Strict Security. If you have Strict Security enabled and you have SIP Trunks, the SIP Trunk IP must be included in the ACL list for inbound for that SIP Profile. Otherwise, SIP OPTIONS pings will be filtered.
This feature has a limitation with multiple UAs using the same source IP or UAs behind NAT. These UAs use the same source IP to send SIP Messages to the SBC, as a result, we cannot individually restrict their SIP traffic flow. If Strict Security mode is enabled, the source IP for these UAs must be listed in inbound ACL to ensure normal SIP signalling operation for all these UAs.