FortiGate
darisandy
Staff
Description

This article describes how to close ports TCP/UDP 5060 and TCP 2000 on a FortiGate.
Solution

In an environment where VoIP traffic does not need to be processed by the FortiGate, the user may want, for security reasons, the FortiGate to stop listening on ports TCP/UDP 5060 and TCP 2000:

  • TCP/UDP port 5060 is used by the Session Initiation Protocol (SIP).
  • TCP port 2000 is used by Skinny Client Control Protocol (SCCP) traffic. SCCP is a Cisco proprietary VoIP signalling protocol.

Here is the configuration change needed to meet this requirement:

# config system settings
    set default-voip-alg-mode kernel-helper-based
end


To verify that the FortiGate has stopped listening on those ports, run these commands:

Before:

# dia sys tcpsock | grep 5060
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8535 process=175/voipd

# dia sys tcpsock | grep 2000
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8530 process=175/voipd

# dia sys udpsock | grep 5060
0.0.0.0:5060->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=8534 process=175/voipd

After:

# dia sys tcpsock | grep 5060
# dia sys tcpsock | grep 2000
# dia sys udpsock | grep 5060
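The before/after check above can be automated when the socket listings are captured from many units. The following Python script is an added example, not code from the article or from Fortinet: it parses text in the `diagnose sys tcpsock` / `diagnose sys udpsock` format shown above and reports which of the three VoIP ports are still bound and by which process. The sample listings are constructed from the article's "Before" output, with a non-VoIP listener and an established session added to show they are ignored.

```python
import re

# Constructed sample output, modelled on the "Before" listings in the article.
SAMPLE_TCPSOCK = """\
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8535 process=175/voipd
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8530 process=175/voipd
0.0.0.0:443->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8000 process=120/httpsd
10.0.0.1:443->10.0.0.5:51234->state=established err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8001 process=120/httpsd
"""
SAMPLE_UDPSOCK = """\
0.0.0.0:5060->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=8534 process=175/voipd
"""

# Ports the article expects to be closed once the VoIP ALG is kernel-helper-based.
VOIP_PORTS = {("tcp", 5060), ("udp", 5060), ("tcp", 2000)}

# local:port->remote:port, then "->state=" (tcpsock) or " state=" (udpsock), then process=pid/name
SOCK_RE = re.compile(
    r"^(?P<laddr>[\d.]+):(?P<lport>\d+)->(?P<raddr>[\d.]+):(?P<rport>\d+)"
    r"(?:->)?\s*state=(?P<state>\w*).*?process=(?P<pid>\d+)/(?P<proc>\S+)"
)


def listening_sockets(output, proto):
    """Parse one tcpsock/udpsock listing and return listeners as (proto, port, process).

    TCP listeners carry state=listen. UDP lines have an empty state, so a UDP
    socket with no remote peer (0.0.0.0:0) is treated as a bound listener.
    """
    found = []
    for line in output.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m:
            continue  # tolerate prompts, headers or blank lines in captured output
        if proto == "tcp" and m["state"] != "listen":
            continue
        if proto == "udp" and (m["raddr"], m["rport"]) != ("0.0.0.0", "0"):
            continue
        found.append((proto, int(m["lport"]), m["proc"]))
    return found


def voip_listeners(tcpsock_output, udpsock_output):
    """Return the VoIP listeners (SIP 5060 tcp/udp, SCCP 2000 tcp) still open, sorted."""
    sockets = listening_sockets(tcpsock_output, "tcp") + listening_sockets(udpsock_output, "udp")
    return sorted(s for s in sockets if (s[0], s[1]) in VOIP_PORTS)


if __name__ == "__main__":
    for proto, port, proc in voip_listeners(SAMPLE_TCPSOCK, SAMPLE_UDPSOCK):
        print(f"still listening: {port}/{proto} ({proc})")
```

An empty result for both listings corresponds to the "After" state shown above.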

In most cases, this one command is enough.

If not, also make the following changes:

# config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end

# config sys session-helper
    delete 13
end

In the factory default session-helper list, entry 13 is the SIP helper (UDP 5060). Confirm the entry number with 'show system session-helper' before deleting it, since the numbering can differ on a unit whose helper list has been edited.
