FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
darisandy
Staff
Article Id 199340
Description This article describes how to close ports TCP/UDP 5060 and TCP 2000.
Scope FortiGate.
Solution

In an environment where the FortiGate does not need to process VoIP traffic (no SIP or SCCP calls pass through it), the administrator may want to close these ports on the FortiGate itself to reduce its exposed attack surface.

To make the FortiGate stop listening on TCP/UDP 5060 and TCP 2000, follow the guide below. The ports in question are:

  • TCP/UDP port 5060: SIP (Session Initiation Protocol).
  • TCP port 2000: Skinny Client Control Protocol (SCCP), a Cisco proprietary VoIP signaling protocol.

Here is the configuration change needed to meet this requirement.

 

First, disable the proxy-based SIP ALG (the voipd daemon seen in the socket listings below) so that SIP is handled by the kernel SIP session helper instead:

 

config system settings
    set default-voip-alg-mode kernel-helper-based 
end

 

In a multi-VDOM configuration this setting is per VDOM, so disable the SIP ALG in every VDOM:

config vdom
    edit VDOM-A
        config system settings
            set default-voip-alg-mode kernel-helper-based
        end
    next
    edit VDOM-B
        config system settings
            set default-voip-alg-mode kernel-helper-based
        end
    next
end


Next, delete the SIP session helper as well, so that neither the ALG nor the helper processes SIP. On a default configuration the SIP helper is entry 13, but confirm the index on the unit first with 'show system session-helper' (look for the entry with name sip), because the numbering can differ if the list has been edited:

config sys session-helper
    delete 13
end

 

To verify that the FortiGate has stopped listening on those ports, compare the socket listings before and after the change:

 

Before:

 

dia sys tcpsock | grep 5060
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8535 process=175/voipd

 

dia sys tcpsock | grep 2000
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8530 process=175/voipd

 

dia sys udpsock | grep 5060
0.0.0.0:5060->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=8534 process=175/voipd

 

After (the same commands should now return nothing):

 

dia sys tcpsock | grep 5060
dia sys tcpsock | grep 2000
dia sys udpsock | grep 5060

 

If a line still shows up when filtering the tcpsock output, check which field actually matched the port number.

Example:

dia sys tcpsock | grep 5060
0.0.0.0:2060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=506089 process=175/voipd

Here the listening port is 2060, not 5060. The line was reported because 'grep 5060' matches those digits anywhere on the line, in this case inside the inode value 506089.

 

To match the local port specifically, include the colon that precedes it:

diagnose sys tcpsock | grep ':5060'

Anchoring on ':5060->' is stricter still, since it also excludes local ports such as 50601.
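To avoid the false positive above and check all three ports in one pass, here is an added example in Python (not part of the original article) that parses the tcpsock and udpsock listings field by field instead of matching digits anywhere on the line. The sample listings are constructed in the format shown above, including the port-2060 line with inode 506089; the function names and the assumption that UDP sockets carry an empty 'state=' field are this example's own. To use it on a unit, paste the real command output into the two sample strings.

```python
"""Check FortiGate 'diagnose sys tcpsock' / 'diagnose sys udpsock' output for
SIP and SCCP listeners by parsing fields rather than grepping for digits."""
import re

# Constructed sample listings (not captured from a real unit) in the layout
# shown in the article. The first TCP line reproduces the article's false
# positive: local port 2060, but the inode 506089 contains the digits 5060.
SAMPLE_TCPSOCK = """\
0.0.0.0:2060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=506089 process=175/voipd
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8530 process=175/voipd
0.0.0.0:443->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8123 process=190/httpsd
10.0.0.1:5060->10.0.0.2:41022->state=established err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=9001 process=175/voipd
"""
SAMPLE_UDPSOCK = """\
0.0.0.0:5060->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=8534 process=175/voipd
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=8600 process=200/dnsproxy
"""

# Field layout: local:port->remote:port[->] state=... inode=N process=PID/name
SOCK_RE = re.compile(
    r"^(?P<laddr>\S+?):(?P<lport>\d+)->(?P<raddr>\S+?):(?P<rport>\d+)(?:->)?\s*"
    r"state=(?P<state>\S*).*?inode=(?P<inode>\d+)\s+process=(?P<process>\S+)"
)

# The ports the article wants closed (hypothetical constant name).
VOIP_PORTS = (("tcp", 5060), ("tcp", 2000), ("udp", 5060))


def naive_grep(text, needle):
    """What 'dia sys tcpsock | grep 5060' does: substring match on the whole line."""
    return [line for line in text.splitlines() if needle in line]


def parse_sockets(text, proto):
    """Parse one socket per line into a dict; lines in another format are skipped."""
    sockets = []
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if m is None:
            continue
        sock = m.groupdict()
        sock["proto"] = proto
        sock["lport"] = int(sock["lport"])
        sock["rport"] = int(sock["rport"])
        sockets.append(sock)
    return sockets


def listeners_on_port(text, port, proto):
    """Sockets bound to exactly this local port.

    For TCP only state=listen counts; an established connection on the port is
    not a listener. UDP lines carry an empty state= field in this output
    (assumption taken from the sample above), so any bound UDP socket counts.
    """
    return [
        s for s in parse_sockets(text, proto)
        if s["lport"] == port and (proto == "udp" or s["state"] == "listen")
    ]


def voip_listeners(tcp_text, udp_text):
    """Map 'proto/port' to the processes still listening on the SIP/SCCP ports."""
    result = {}
    for proto, port in VOIP_PORTS:
        text = tcp_text if proto == "tcp" else udp_text
        result[f"{proto}/{port}"] = [s["process"] for s in listeners_on_port(text, port, proto)]
    return result


def voip_ports_closed(tcp_text, udp_text):
    """True only when nothing listens on TCP 5060, TCP 2000 or UDP 5060."""
    return not any(voip_listeners(tcp_text, udp_text).values())


if __name__ == "__main__":
    print("grep-style matches for 5060:", len(naive_grep(SAMPLE_TCPSOCK, "5060")))
    for key, procs in voip_listeners(SAMPLE_TCPSOCK, SAMPLE_UDPSOCK).items():
        print(key, "open by " + ", ".join(procs) if procs else "closed")
    print("all VoIP ports closed:", voip_ports_closed(SAMPLE_TCPSOCK, SAMPLE_UDPSOCK))
```

On the constructed sample the grep-style check reports two lines for 5060 (the inode false positive and an established connection that is not a listener), while the parsed check correctly reports no TCP listener on 5060, and flags the remaining voipd listeners on TCP 2000 and UDP 5060 that the configuration change is meant to remove.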

 

If the FortiGate still has to pass SIP traffic and process it (for example on another port), do not use the commands above; instead, only change the default VoIP profile:

config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end

 

Note:

With the SIP ALG enabled, communication between devices behind the firewall generally still works (for example, ordinary traffic). However, if a device behind the firewall runs an application that listens on TCP port 2000, connections to it will not work, since the FortiGate treats traffic on that port as SCCP.