FortiGate
darisandy (Staff)
Article Id 199340
Description This article describes how to close ports TCP/UDP 5060 and TCP 2000.
Scope FortiGate.
Solution

In an environment where VoIP traffic does not need to be processed by FortiGate (no SIP or SCCP calls pass through FortiGate), the administrator may want to close these ports on FortiGate for security reasons, since the voipd process listens on them by default:

  • TCP/UDP port 5060: Session Initiation Protocol (SIP).
  • TCP port 2000: Skinny Client Control Protocol (SCCP), a Cisco proprietary VoIP protocol.

Follow this guide to make FortiGate stop listening on ports TCP/UDP 5060 and TCP 2000.

Here is the configuration change needed to meet this requirement.

First, disable the SIP ALG so that the kernel-based SIP session helper is used instead:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

In a multi-VDOM setup, disable the SIP ALG in each VDOM:

config vdom
    edit VDOM-A
        config system settings
            set default-voip-alg-mode kernel-helper-based
        end
    next
    edit VDOM-B
        config system settings
            set default-voip-alg-mode kernel-helper-based
        end
    next
end

Next, delete the SIP session helper so that it is not used either. Entry 13 is the SIP helper in the default table; confirm this with "show system session-helper" before deleting it, because the IDs can differ if the table has been edited:

config system session-helper
    delete 13
end

To verify that FortiGate has stopped listening on those ports, run the following commands.

Before the change, each command shows a socket owned by the voipd process:

dia sys tcpsock | grep 5060
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8535 process=175/voipd

dia sys tcpsock | grep 2000
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8530 process=175/voipd

dia sys udpsock | grep 5060
0.0.0.0:5060->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=8534 process=175/voipd

After the change, the same commands return no output, which means nothing is listening on those ports any more:

dia sys tcpsock | grep 5060
dia sys tcpsock | grep 2000
dia sys udpsock | grep 5060
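As an added check that is not part of the original article, the following Python script parses captured output of the diagnose sys tcpsock / diagnose sys udpsock commands shown above and reports any socket FortiGate itself still has open on TCP/UDP 5060 or TCP 2000. The sample input is the article's "Before" capture plus one constructed sshd line (invented PID and inode) to show that unrelated listeners are ignored; how the command output is collected from the unit (SSH session log, console capture) is left to the reader.

```python
import re
from typing import Dict, List, Tuple, Union

# Ports this article is about: SIP on TCP/UDP 5060 and SCCP on TCP 2000.
VOIP_PORTS = {5060, 2000}

# One line of "diagnose sys tcpsock" / "diagnose sys udpsock" output has the form
#   <local-addr>:<port>-><remote-addr>:<port>[->state=<state>] ... process=<pid>/<name>
# udpsock lines carry " state=" with an empty value instead of "->state=listen".
_SOCK_RE = re.compile(
    r"^(?P<addr>\S+?):(?P<port>\d+)->\S+?:\d+"
    r".*?state=(?P<state>\w*)"
    r".*?process=(?P<pid>\d+)/(?P<name>\S+)"
)


def parse_sockets(output: str) -> List[Dict[str, Union[str, int]]]:
    """Parse socket lines; lines that do not match (blanks, prompts) are skipped."""
    rows = []
    for line in output.splitlines():
        m = _SOCK_RE.match(line.strip())
        if m:
            rows.append({
                "addr": m["addr"],
                "port": int(m["port"]),
                "state": m["state"],
                "pid": int(m["pid"]),
                "process": m["name"],
            })
    return rows


def voip_listeners(tcp_output: str, udp_output: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, process) for every VoIP port FortiGate itself listens on.

    TCP sockets count only in state=listen, so an accepted or outbound connection
    that happens to involve 5060 is not reported; UDP sockets carry no state and
    are reported whenever they are bound to one of the ports.
    """
    findings = []
    for s in parse_sockets(tcp_output):
        if s["port"] in VOIP_PORTS and s["state"] == "listen":
            findings.append(("tcp", s["port"], s["process"]))
    for s in parse_sockets(udp_output):
        if s["port"] in VOIP_PORTS:
            findings.append(("udp", s["port"], s["process"]))
    return sorted(findings)


# Constructed sample output: the two voipd lines are the article's "Before"
# capture; the sshd line is invented to show unrelated listeners being ignored.
BEFORE_TCP = """\
0.0.0.0:22->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=1234 process=99/sshd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8535 process=175/voipd
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=8530 process=175/voipd
"""
BEFORE_UDP = "0.0.0.0:5060->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=8534 process=175/voipd\n"

# After the change the grep commands in the article produce no output at all.
AFTER_TCP = ""
AFTER_UDP = ""


if __name__ == "__main__":
    for label, tcp, udp in (("before", BEFORE_TCP, BEFORE_UDP), ("after", AFTER_TCP, AFTER_UDP)):
        found = voip_listeners(tcp, udp)
        summary = ", ".join(f"{proto}/{port} ({proc})" for proto, port, proc in found)
        print(f"{label}: {summary or 'no VoIP listeners'}")
```

Running the script prints the three voipd sockets for the "before" capture and "no VoIP listeners" for the "after" capture; feeding it the unfiltered tcpsock/udpsock output instead of the grep'd lines gives the same result, which makes it usable as a repeatable post-change check across several units.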

If FortiGate passes SIP traffic and needs to process it (for example on another port), do not use the commands above. The recommended action is only to disable SIP and SCCP inspection in the default VoIP profile:

config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end