Technical Tip: How to close port TCP/UDP 5060 and TCP 2000
| Description | This article describes how to close ports TCP/UDP 5060 and TCP 2000. |
| Scope | FortiGate. |
| Solution | TCP 2000 is the default port of the Cisco SCCP (Skinny) protocol and TCP/UDP 5060 is the default port of SIP; both carry VoIP call signalling, and both can be moved to other ports in the VoIP application itself. A FortiGate only needs to listen on these ports itself when it is expected to inspect, and where NAT is involved rewrite, the VoIP signalling it passes to the clients: the SIP ALG (VoIP profile) in proxy mode, or the SIP session helper in flow mode. |
This article covers two situations. Case A: the FortiGate does not handle VoIP at all, and both 5060 and 2000 need to be closed. Case B: the FortiGate handles SIP (port 5060), and only port 2000 needs to be closed.

Case A: In an environment where no SIP or SCCP calls are processed by the FortiGate, the administrator may want to close these listening ports for security reasons (smaller attack surface on the firewall itself). Be aware that if VoIP traffic does traverse the FortiGate after all, closing the ports also disables the ALG and session helper that fix up that traffic, so calls may stop establishing correctly. To make the FortiGate stop listening on TCP/UDP 5060 and TCP 2000, follow the steps below.
Disable the SIP ALG (this closes ports 2000 and 5060 in proxy mode) and delete the SIP session helper (this closes port 5060 in flow mode). On a unit without VDOMs both are entered from the root CLI; the session-helper entry to delete is the one that `show` lists with name `sip` and port 5060, and `<id>` below stands for its index:

```
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper disable
    set sip-nat-trace disable
end

config system session-helper
    show
    delete <id>
end
```
On multi-VDOM FortiGates the `system settings` table is per VDOM, so the SIP ALG is disabled inside each VDOM that must not process VoIP (`<vdom_name>` is a placeholder); the session-helper table is global and is deleted once as above:

```
config vdom
    edit <vdom_name>
        config system settings
            set default-voip-alg-mode kernel-helper-based
            set sip-helper disable
            set sip-nat-trace disable
        end
    next
end
```
Existing sessions keep their old handling until they are cleared, so either clear the VoIP sessions or reboot the FortiGate to ensure that the change takes effect. To clear only those sessions, set a filter on the destination port before clearing, repeat for the second port, and reset the filter afterwards so that later `diagnose sys session clear` commands are not silently restricted:

```
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session filter dport 2000
diagnose sys session clear
diagnose sys session filter clear
```

Note that `diagnose sys session clear` clears every session on the unit when no session filter is in place, which interrupts live traffic. The alternative is a reboot:

```
execute reboot
```

TAC often recommends the reboot, because stale sessions can occasionally remain on the device after a filtered clear.
Case B: If the FortiGate passes SIP traffic and must still process it (for example, SIP running on a non-default port), do not apply the Case A commands. Instead, disable only SCCP in the VoIP profile referenced by the firewall policies (the `default` profile is shown here); this removes the TCP 2000 listener while the SIP ALG keeps handling SIP:

```
config voip profile
    edit default
        config sccp
            set status disable
        end
    next
end
```
Verification: the following commands show whether the FortiGate is still listening on those ports. Before the change, each of them returns a listening socket:

```
diagnose sys tcpsock | grep 5060
diagnose sys tcpsock | grep 2000
diagnose sys udpsock | grep 5060
```

After the change, the same commands should return nothing. If a line is still printed, check which field actually matched before concluding that the port is open:

```
diagnose sys tcpsock | grep 5060
```

In the case shown here, the open port is 2060, and the line is listed only because a plain `grep` matches `5060` inside a different field (`inode=506089`). Anchoring the pattern to the port separator limits the match to the port number:

```
diagnose sys tcpsock | grep ':5060'
```
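The false positive above is worth handling systematically when the check is scripted (for example from a host that collects `diagnose` output over SSH). The POSIX shell functions below are an added example, not part of the Fortinet article: they filter a socket listing by the local port only, so neither an inode nor a remote port can match, and turn the result into a pass/fail check. The sample listing is constructed to resemble `diagnose sys tcpsock` output; its exact field layout (`local:port->remote:port->state=... inode=... process=...`) is an assumption, so adjust the regular expression if your firmware prints the fields differently.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): filter 'diagnose sys tcpsock'
# or 'diagnose sys udpsock' output by the LOCAL port only, so that a bare
# 'grep 5060' cannot match an inode or a remote port. The sample below is
# constructed to resemble the real FortiOS socket listing; the field layout
# (local:port->remote:port->state=... inode=... process=...) is an assumption.

SAMPLE_TCPSOCK='0.0.0.0:2060->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=506089 process=123/sipd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=16178 process=124/sipd
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=16179 process=125/sccpd
192.0.2.1:443->198.51.100.7:52000->state=established err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=20005060 process=201/httpsd'

# The article's original check: matches the port digits anywhere on the line,
# so inode=506089, inode=20005060 and the remote port 52000 all hit.
naive_grep() {            # $1 = port, stdin = socket listing
    grep "$1"
}

# Strict check: the local socket is the first "addr:port->" token on the line.
# [^ >]+ cannot run past the first '->', so the port must be the local one.
listeners_on_port() {     # $1 = port, stdin = socket listing
    grep -E "^[^ >]+:$1->"
}

# Exit 0 when nothing listens on the port, 1 otherwise; this is the pass/fail
# test to run after disabling the SIP ALG and deleting the session helper.
port_is_closed() {        # $1 = port, stdin = socket listing
    if listeners_on_port "$1" | grep -q .; then
        return 1
    fi
    return 0
}

count_lines() { wc -l | tr -d ' '; }

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_TCPSOCK" | naive_grep 5060          # 3 lines, only one is a real listener
printf '%s\n' "$SAMPLE_TCPSOCK" | listeners_on_port 5060   # 1 line: 0.0.0.0:5060
for p in 5060 2000 2060 5061; do
    if printf '%s\n' "$SAMPLE_TCPSOCK" | port_is_closed "$p"; then
        echo "port $p: closed"
    else
        echo "port $p: still listening"
    fi
done
```

Run the same functions over the UDP listing (`diagnose sys udpsock`) as well, since SIP listens on both transports; a port only counts as closed when both checks return 0.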
Note: where secondary IP addresses are configured on an interface, the ports remain active on those addresses as well unless the SIP ALG is disabled; deleting the session helper alone does not close them there.
