FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rsingla (Staff)
Article Id 195354

Description


FortiGate VIPs will respond to telnet on TCP ports 5060 and 2000 if the FortiGate has 'default-voip-alg-mode' set to 'proxy-based':
# config system settings
    set default-voip-alg-mode proxy-based
end


Solution


If the FortiGate VIPs are responding to telnet on TCP ports 5060 and 2000, and there is no policy to allow that traffic, most likely the FortiGate has 'default-voip-alg-mode' set to 'proxy-based':

# config system settings
    set default-voip-alg-mode proxy-based
end
This is because the default setting on the FortiGate is 'default-voip-alg-mode proxy-based', and in proxy-based mode FortiGate by default treats:

    • TCP ports 5060, 5061 and UDP port 5060 as SIP protocol.
    • TCP port 2000 as Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.

All SIP and SCCP traffic is intercepted for inspection by the VoIP ALG. Because the ALG accepts the TCP connection before any policy lookup, the FortiGate VIP responds to telnet on ports 5060 and 2000, which shows these ports as open in any port scanning activity.

To stop the VIPs from responding to telnet requests on these ports, either of the following two options can be selected:

1) Change the default-voip-alg-mode to kernel-helper-based.
# config system settings
    set default-voip-alg-mode kernel-helper-based
end
If set to kernel-helper-based, the SIP session helper is used for SIP traffic (the SIP ALG is not used), and SCCP traffic is not processed.

2) Disable SIP and SCCP ALG in the default VoIP profile.
# config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end
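The following is an added example, not part of the Fortinet article and not Fortinet code: a small audit script that parses a FortiOS configuration backup for the three settings discussed above (default-voip-alg-mode, and the SIP and SCCP status in the "default" VoIP profile) and reports which of TCP ports 5060 and 2000 a VIP is expected to answer on. The configuration text embedded in it is constructed for the example; the probe_tcp helper is an assumed convenience for confirming the change against one of the device's own VIP addresses after applying option 1 or 2.

```python
"""Audit a FortiOS config dump for the VoIP ALG settings that make VIPs
answer on TCP 5060 (SIP) and 2000 (SCCP). Added example; the sample
configs below are constructed, not taken from a real device."""
import re
import socket
import sys
from typing import Dict, List

# Ports the article says a VIP answers on while the VoIP ALG intercepts them.
ALG_PORTS = {5060: "SIP", 2000: "SCCP"}

# Constructed sample: factory-default behaviour (proxy-based, ALG on).
SAMPLE_CONFIG = """\
config system settings
    set default-voip-alg-mode proxy-based
end
config voip profile
    edit "default"
        config sip
            set status enable
        end
        config sccp
            set status enable
        end
    next
end
"""

# Constructed sample for option 1 (kernel-helper-based).
SAMPLE_CONFIG_KERNEL = SAMPLE_CONFIG.replace("proxy-based", "kernel-helper-based")

# Constructed sample for option 2 (SIP and SCCP disabled in the default profile).
SAMPLE_CONFIG_ALG_OFF = SAMPLE_CONFIG.replace("set status enable", "set status disable")


def parse_voip_settings(config_text: str) -> Dict[str, str]:
    """Extract alg_mode, sip_status and sccp_status from a config dump.

    Values absent from the dump fall back to the FortiOS defaults the
    article describes (proxy-based, SIP and SCCP enabled)."""
    result = {"alg_mode": "proxy-based", "sip_status": "enable", "sccp_status": "enable"}
    m = re.search(r"set default-voip-alg-mode (\S+)", config_text)
    if m:
        result["alg_mode"] = m.group(1)
    # Only the "default" VoIP profile is relevant to the article's scenario.
    prof = re.search(r'edit "default"(.*?)\n\s*next', config_text, re.S)
    if prof:
        body = prof.group(1)
        for proto in ("sip", "sccp"):
            sub = re.search(rf"config {proto}\s*\n(.*?)\n\s*end", body, re.S)
            if sub:
                st = re.search(r"set status (\S+)", sub.group(1))
                if st:
                    result[f"{proto}_status"] = st.group(1)
    return result


def exposed_ports(settings: Dict[str, str]) -> List[int]:
    """Return the ALG ports a VIP is expected to answer on for these settings."""
    if settings["alg_mode"] != "proxy-based":
        # kernel-helper-based: SIP session helper only, SCCP not processed, no ALG listener.
        return []
    ports = []
    if settings["sip_status"] == "enable":
        ports.append(5060)
    if settings["sccp_status"] == "enable":
        ports.append(2000)
    return sorted(ports)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes (assumed verification helper)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(config_text: str) -> str:
    """Human-readable summary of the audit result for one config dump."""
    settings = parse_voip_settings(config_text)
    ports = exposed_ports(settings)
    if not ports:
        return f"OK: mode={settings['alg_mode']}, VIPs will not answer on {sorted(ALG_PORTS)}"
    names = ", ".join(f"{p} ({ALG_PORTS[p]})" for p in ports)
    return f"EXPOSED: mode={settings['alg_mode']}, VIPs will answer on TCP {names}"


if __name__ == "__main__":
    # Usage: python audit_voip_alg.py [config.conf] [vip-address]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(audit(text))
    if len(sys.argv) > 2:  # optional live check of one of your own VIPs after the change
        for port in sorted(ALG_PORTS):
            print(f"  {sys.argv[2]}:{port} -> {'open' if probe_tcp(sys.argv[2], port) else 'closed'}")
```

Run it against a saved `show full-configuration` backup to confirm which option is in effect; with no arguments it audits the constructed default-mode sample and reports both ports as exposed.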