Created on 09-20-2019 07:08 AM Edited on 03-07-2024 01:18 AM By Jean-Philippe_P
Description
This article describes how to disable the ALG for SCCP (TCP port 2000) traffic from the CLI when port 2000 is used by another application and that traffic needs to be allowed.
In some situations, traffic via TCP port 2000 can be dropped.
Scope
FortiOS 5.2 and newer.
Solution
Starting with FortiOS 5.2, all SIP and SCCP (Skinny) traffic is processed by the VoIP ALG by default.
When another type of traffic uses port 2000 (the port used by SCCP), this traffic will be dropped by the ALG profile.
This is particularly relevant for programmable logic controller (PLC) system traffic that uses port 2000.
When SCCP is NOT used in the network for VoIP, the solution is to disable the ALG for port 2000 (SCCP).
Below are the required commands to disable the VoIP ALG for SCCP traffic:
config voip profile
(profile) # edit default
(default) # config sccp
(sccp) # set status disable
(sccp) # end
(default) # end
Apply these settings to the 'default' VoIP profile, or to the VoIP profile that is used in the firewall policy.
When SCCP is also used in the same network for VoIP, the solution is to change the communication port, either for the server or, if not possible, for the SCCP communication. Once this port is changed on the SCCP server, it must also be changed on the FortiGate so that it can identify this traffic:
config system settings
(settings) # set sccp-port <----- Enter an integer value from <0> to <65535> (default = <2000>).
end
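To confirm the result after applying either change, the following added example (not part of the original article and not Fortinet code) parses a configuration backup and reports the configured sccp-port and which VoIP profiles still have the SCCP ALG enabled. The sample configuration is constructed, the function names are hypothetical, and treating a profile with no explicit `set status` under `config sccp` as enabled is an assumption based on the statement above that SCCP is processed by the ALG by default.

```python
import shlex

# Constructed sample in FortiOS configuration syntax (not from a real device).
SAMPLE_CONFIG = '''\
config system settings
    set sccp-port 2100
end
config voip profile
    edit "default"
        config sccp
            set status disable
        end
    next
    edit "voice-lan"
        config sip
            set status enable
        end
    next
end
'''

def audit_sccp(config_text):
    """Return (sccp_port, {profile_name: sccp_alg_enabled})."""
    port, profiles = 2000, {}        # 2000 is the default given in the article
    stack, profile = [], None        # stack of currently open "config" blocks
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)   # handles quoted profile names
        except ValueError:           # unbalanced quotes (e.g. embedded blobs)
            continue
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and len(tok) > 1 and stack[-1:] == ["voip profile"]:
            profile = tok[1]
            profiles[profile] = True  # assumption: no explicit status = enabled
        elif tok[0] == "next" and stack[-1:] == ["voip profile"]:
            profile = None
        elif tok[0] == "set" and len(tok) >= 3:
            if stack[-1:] == ["system settings"] and tok[1] == "sccp-port":
                port = int(tok[2])
            elif stack[-2:] == ["voip profile", "sccp"] and tok[1] == "status" and profile:
                profiles[profile] = tok[2] == "enable"
    return port, profiles

def profiles_inspecting_sccp(config_text):
    """Return (sccp_port, sorted names of profiles with the SCCP ALG enabled)."""
    port, profiles = audit_sccp(config_text)
    return port, sorted(name for name, on in profiles.items() if on)
```

Any profile returned by `profiles_inspecting_sccp` that is referenced in a firewall policy will still apply the SCCP ALG to traffic on the reported port.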