Skip to main content
Markus_Albisser
Markus_Albisser
New Member
May 14, 2020
Solved

Fortigates replies on tcp/2000 and tcp/5060

  • May 14, 2020
  • 1 reply
  • 16870 views

Hi all

 

A new behavior came up during a penetration testing that all published application (publishing is on a Cisco ASA) replies on the tcp ports 2000 and 5060. During the investigation we figured out that not the ASA replies on them, that this is the Fortigate firewall which is sitting in front of the ASA to route the traffic between two connected Internet providers. As we don't need these ports and we don't need SIP inspection and proxy function (in our case this vDOM on our Fortigate is "only" a router and has no policies in place), our approach is to disable this behavior. All filtering/inspection should apply on the ASA firewall which is on the LAN side of the Fortigate.

 

Based on the article https://kb.fortinet.com/kb/documentLink.do?externalID=FD36152 we found that this behavior is a normal function of the Fortigate. The only option here would be to move the ports away from the standard ports to a higher port, but not to disable this function. Means the publishings still replies, no longer on the standard 2000/5060 ports but on this other higher ports.

 

We got the answer back from our provider that this is a normal behavior and that it cannot be disabled, the only "workaround" is to move the ports. Is this really true, can this not be disabled? Hard for me to believe that this would apply, but if yes, it sounds for me more that this is a bug.

 

Thank you

Markus

      Best answer by emnoc

      You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"

       

      BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0

      BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0

       

      BPSYN1 # config system settings

      BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based

      BPSYN1 (settings) # end

       

      BPSYN1 # diag sys tcpsock | grep 5060

      BPSYN1 # diag sys tcpsock | grep 2000

       

      Ken Felix

      1 reply

      Toshi_Esumi
      SuperUser
      Toshi_Esumi
      SuperUser
      May 14, 2020

      Even to use it just a router you still need to have a set, or multiple sets, of policies to let traffic come in ingress and go out egress interface. Then one of policies likely has a voip profile enabled, which is enabling sip/sccp ALG.

      Markus_Albisser
      Markus_AlbisserAuthor
      New Member
      May 15, 2020

      Hi Toshi

       

      Many thanks to your reply. Yes, there are these policies configured with the ALG feature, of course. But my question is more how this can be disabled. Based on the answer I got from my provider this is not possible, the only workaround would be to move the ports for SIP and SKINNY to a higher port which is not the well-known port of the VoIP service. And I have the feeling that cannot be, it should be possible to disable this inspection entirely. What do you think?

       

      Thanks

      Markus

      Toshi_Esumi
      SuperUser
      Toshi_Esumi
      SuperUser
      May 15, 2020

      Try one, or all, of below:

      1) When my 50E's "VoIP" visibility was originally disabled, under any policies I didn't see "voip-profile" even with "get | grep voip". So it was not configured at all. Only after I enabled it, I see it under policies and can't remove any more. But you could try "unset voip-profile" which clears profile name. Then disable the visibility. I don't see "voip-profile" setting any more with "get | grep voip" after that. If this works, that would be more preferable than 2).

       

      2) you can create a different voip-profile with settings like below:

      edit "no-sip-no-sccp-alg"

        config sip

          set status disable

        end

        config sccp

          config status diable

        end

      next

      Then apply this to your inbound policy.

       

      3) This is supposed to be done when you want to disable both SIP session-helper and ALG, but as the result, it would disable all ALG. So I regulary have 1) and 3) at all our FGTs in place.

      3-1) remove sip and h323 session helper under "config sys session helper" (in global incase muti-vdom env). Likely h323 is "edit 2" and sip is "edit 13". We remove both, and this change requires a reboot.

      3-2) This is depending on version. Under "config sys settings" (in a vdom)  do below:

      set sip-helper disable (only older versions, 6.2 doesn't have the setting)

      set sip-nat-trace disable

      set default-voip-alg-mode kernel-helper-based

      This part doesn't require reboot.

      Terms & ConditionsAccessibility statement