Created on 09-20-2019 07:08 AM
Edited on 06-03-2025 01:48 AM
By Jean-Philippe_P
Description
This article describes how to disable the VoIP ALG for SCCP (TCP port 2000) traffic from the CLI when port 2000 is used by another application and that traffic needs to be allowed.
In such situations, traffic on TCP port 2000 can be dropped.
Scope
FortiOS v5.2 and newer.
Solution
Starting with FortiOS v5.2, all SIP and SCCP (Skinny) traffic is processed by the VoIP ALG by default.
When another type of traffic uses port 2000 (the SCCP port), that traffic is dropped by the ALG profile.
In the debug flow output, the traffic is shown being sent to the application layer:
FG6H1F-1 # id=65308 trace_id=118 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=6, 10.x.x.x:64786->10.x.x.x:2000) tun_id=0.0.0.0 from port15. flag [S], seq 0, ack 0, win 0"
.
.
.
id=65308 trace_id=118 func=fw_forward_handler line=990 msg="Allowed by Policy-2: AV"
id=65308 trace_id=118 func=ip_session_confirm_final line=3111 msg="npu_state=0x40000, hook=4"
id=65308 trace_id=118 func=av_receive line=446 msg="send to application layer" <------------
This is particularly relevant for programmable logic controller (PLC) traffic that uses port 2000.
When SCCP is not used in the network for VoIP, the solution is to disable the ALG for port 2000 (SCCP).
The following commands disable the VoIP ALG for SCCP traffic:
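To confirm from a captured debug flow which sessions are affected before changing the profile, the following script (an added example, not Fortinet tooling) parses the key=value debug-flow format shown above, groups lines by trace_id, and reports TCP sessions to port 2000 that were handed to the application layer. The sample lines are constructed for illustration and follow the message format quoted in this article.

```python
import re
from collections import defaultdict

# Constructed sample: a "diagnose debug flow" excerpt in the format shown in
# the article (addresses, policy names and trace ids are made up).
SAMPLE_DEBUG_FLOW = """\
id=65308 trace_id=118 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=6, 10.1.1.10:64786->10.2.2.20:2000) tun_id=0.0.0.0 from port15. flag [S], seq 0, ack 0, win 0"
id=65308 trace_id=118 func=fw_forward_handler line=990 msg="Allowed by Policy-2: AV"
id=65308 trace_id=118 func=ip_session_confirm_final line=3111 msg="npu_state=0x40000, hook=4"
id=65308 trace_id=118 func=av_receive line=446 msg="send to application layer"
id=65308 trace_id=119 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=6, 10.1.1.11:51000->10.2.2.21:443) tun_id=0.0.0.0 from port15. flag [S], seq 0, ack 0, win 0"
id=65308 trace_id=119 func=fw_forward_handler line=990 msg="Allowed by Policy-3: WEB"
id=65308 trace_id=119 func=av_receive line=446 msg="send to application layer"
"""

# key=value tokens; the msg value is double-quoted and may contain spaces and '='.
_TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')

def parse_line(line):
    """Return the key/value fields of one debug-flow line as a dict."""
    fields = {}
    for key, raw, quoted in _TOKEN_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def find_alg_hits(text, port=2000):
    """Group lines by trace_id; return traces whose first packet is TCP to
    `port` and that were later sent to the application layer (the ALG)."""
    traces = defaultdict(lambda: {"pkt": None, "to_alg": False})
    for line in text.splitlines():
        f = parse_line(line)
        if "trace_id" not in f:
            continue  # prompt echoes, elision dots, blank lines
        t = traces[f["trace_id"]]
        m = _PKT_RE.search(f.get("msg", ""))
        if m and t["pkt"] is None:
            proto, src, sport, dst, dport = m.groups()
            t["pkt"] = (int(proto), src, int(sport), dst, int(dport))
        if f.get("func") == "av_receive" and "send to application layer" in f.get("msg", ""):
            t["to_alg"] = True
    hits = []
    for tid, t in sorted(traces.items(), key=lambda kv: int(kv[0])):
        if t["pkt"] and t["to_alg"] and t["pkt"][0] == 6 and t["pkt"][4] == port:
            hits.append({"trace_id": tid, "src": t["pkt"][1], "dst": t["pkt"][3]})
    return hits

if __name__ == "__main__":
    for hit in find_alg_hits(SAMPLE_DEBUG_FLOW):
        print(f"trace {hit['trace_id']}: {hit['src']} -> {hit['dst']}:2000 handed to the ALG")
```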
config voip profile
(profile)#edit default
(default)#config sccp
(sccp)#set status disable
(sccp)#end
(default)#end
Apply these settings to the 'default' VoIP profile, or to the VoIP profile that is used in the firewall policy. This behavior persists even when the firewall policy does not reference a VoIP profile.
When SCCP is also used in the same network for VoIP, the solution is to change the communication port, either on the server or, if that is not possible, for the SCCP communication. Once the port is changed on the SCCP server, it must also be changed on the FortiGate so that it identifies this traffic:
config system settings
(settings) # set sccp-port <----- Enter an integer value from <0> to <65535> (default = <2000>).
end