Created on 11-23-2021 10:38 PM Edited on 07-07-2023 01:27 AM By Jean-Philippe_P
Description: This article describes how to close ports TCP/UDP 5060 and TCP 2000 on a FortiGate.
Scope: FortiGate.
Solution:
In an environment where VoIP traffic does not need to be processed by the FortiGate (no SIP/SCCP calls pass through it), the administrator may want to close these ports on the FortiGate to reduce its exposed attack surface.
To make the FortiGate stop listening on ports TCP/UDP 5060 and TCP 2000, apply the configuration change below.
This disables the SIP ALG and uses the SIP session helper instead:
    config system settings
In a multi-VDOM setup, disable the SIP ALG in each VDOM that carries traffic:
    config vdom
To verify that the FortiGate has stopped listening on those ports, run these commands before and after the change; once the ports are closed, the grep returns no matching socket:
Before:
    dia sys tcpsock | grep 5060
    dia sys tcpsock | grep 2000
    dia sys udpsock | grep 5060
After:
    dia sys tcpsock | grep 5060
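The following is an added worked example of the whole procedure, not the article's own configuration. It assumes a VDOM named VDOM-A (a placeholder), and the setting `default-voip-alg-mode` with value `kernel-helper-based` is taken from the FortiOS CLI reference rather than from this article, so confirm it against the CLI reference for your firmware version.

```fortios
# Added example, not the article's own configuration.
# Assumption: "set default-voip-alg-mode kernel-helper-based" is taken from the
# FortiOS CLI reference, not from this article.

# 1. Single-VDOM unit: switch from the proxy-based SIP ALG to the kernel
#    SIP session helper, so the FortiGate no longer binds TCP/UDP 5060 and TCP 2000.
config system settings
    set default-voip-alg-mode kernel-helper-based
end

# 2. Multi-VDOM unit: repeat the same setting inside every VDOM
#    (VDOM-A is a placeholder name; add one "edit" block per VDOM).
config vdom
    edit VDOM-A
        config system settings
            set default-voip-alg-mode kernel-helper-based
        end
    next
end

# 3. Verify that no local socket is bound to the ports any more.
#    On a multi-VDOM unit run the diagnose commands from the global context.
#    An empty result for each command means the FortiGate is no longer listening.
config global
    diagnose sys tcpsock | grep 5060
    diagnose sys tcpsock | grep 2000
    diagnose sys udpsock | grep 5060
end
```

Run the three diagnose commands once before the change to capture the baseline (they should show the listening sockets) and once after; the change is only complete when all three return nothing.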
If the FortiGate passes SIP traffic and needs to process it (for example on another port), the recommended action is instead to alter only the default VoIP profile; do not use the previous commands:
    config voip profile
        config sccp
    end
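As an added example of this alternative (not the article's own configuration), the block below keeps SIP processing enabled and disables only the SCCP handler in the default VoIP profile. The profile name `default` is from this article; the `set status disable` option under `config sccp` is assumed from the FortiOS CLI reference, not shown on this page.

```fortios
# Added example, not the article's own configuration.
# Keeps the SIP ALG active (SIP on 5060 is still processed) and disables only
# the SCCP (Skinny) handler, which is the service behind TCP 2000.
# Assumption: "set status disable" under "config sccp" is taken from the
# FortiOS CLI reference, not from this article.
config voip profile
    edit default
        config sccp
            set status disable
        end
    next
end

# Verify afterwards: an empty result means TCP 2000 is no longer bound,
# while SIP traffic on 5060 continues to be processed by the profile.
diagnose sys tcpsock | grep 2000
```

This variant is the right choice when SIP calls must still traverse the FortiGate: it narrows the exposed services to what the deployment actually uses rather than turning the whole ALG off.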