gpap_FTNT
Staff
Article Id 191898

Description

This article describes how to disable the VoIP ALG for SCCP (TCP port 2000) traffic from the CLI when port 2000 is used by another application and that traffic needs to be allowed.

In some situations, traffic via TCP port 2000 can be dropped.

Scope

FortiOS 5.2 and newer.

Solution

Starting with FortiOS 5.2, all SIP and SCCP (Skinny) traffic is processed by the VoIP ALG by default.

When another type of traffic uses port 2000 (the SCCP port), that traffic is dropped by the ALG profile.

This is particularly relevant for Programmable Logic Controller (PLC) system traffic that uses port 2000.

When SCCP is NOT used in the network for VoIP, the solution is to disable the ALG for port 2000 (SCCP).

The required commands to disable the VoIP ALG for SCCP traffic are:

# config voip profile
(profile) # edit default
(default) # config sccp
(sccp) # set status disable
(sccp) # end
(default) # end

Apply these settings to the 'default' VoIP profile, or to the VoIP profile that is referenced in the firewall policy.

When SCCP is also used in the same network for VoIP, the solution is to change the communication port: either the port of the other application's server or, if that is not possible, the port used for SCCP. Once the port is changed on the SCCP server, it must also be changed on the FortiGate so that the ALG can identify this traffic:

# config system settings
(settings) # set sccp-port <port>    <----- Enter an integer value from 0 to 65535 (default = 2000).
(settings) # end
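As an added example (not part of this article or of Fortinet's tooling), the following Python check parses a saved FortiOS CLI configuration and reports, for each firewall policy that references a VoIP profile, whether the SCCP ALG is still active for it, together with the configured sccp-port. It assumes the nested config/edit/set/next/end layout of `show` output, in which default values such as an enabled SCCP status are omitted, and that the policy attribute is named voip-profile; the sample configuration is constructed for this example.

```python
import shlex
# Constructed sample config for this example, not taken from a real device.
SAMPLE_CONFIG = """\
config system settings
    set sccp-port 2000
end
config voip profile
    edit "default"
        config sccp
            set status disable
        end
    next
    edit "phones"
    next
end
config firewall policy
    edit 1
        set voip-profile "default"
    next
    edit 2
        set voip-profile "phones"
    next
end
"""
def parse_fortios(text):
    """Nest config/edit blocks as dicts; 'set' lines become key -> value."""
    root, stack = {}, []
    for words in filter(None, map(shlex.split, text.splitlines())):
        cmd, args = words[0], words[1:]
        node = stack[-1] if stack else root
        if cmd in ("config", "edit"):
            stack.append(node.setdefault(" ".join(args), {}))
        elif cmd == "set":
            node[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root

def sccp_alg_report(text):
    """Return (sccp_port, {policy id: True if the SCCP ALG still inspects it})."""
    cfg = parse_fortios(text)
    port = int(cfg.get("system settings", {}).get("sccp-port", 2000))
    profiles = cfg.get("voip profile", {})
    report = {}
    for pid, entry in cfg.get("firewall policy", {}).items():
        if "voip-profile" in entry:
            # 'show' omits defaults, so a missing status line means enabled
            sccp = profiles.get(entry["voip-profile"], {}).get("sccp", {})
            report[pid] = sccp.get("status", "enable") != "disable"
    return port, report
```

Policy 1 uses the 'default' profile with SCCP disabled and is reported as not inspected, while policy 2 uses a profile that never touched the SCCP settings and is reported as still inspected on the configured port.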