| Description | This article describes how to confirm whether ports TCP/UDP 5060 and TCP 2000 are actually closed when external tools still report them as open. |
| Scope | FortiGate. |
| Solution |
To close ports TCP/UDP 5060 and TCP 2000, follow the KB article Technical Tip: How to close port TCP/UDP 5060 and TCP 2000.
After the ports have been closed, there are scenarios where a port still appears open when tested with telnet or from public port-checking websites. Verify the real state by taking a sniffer trace on the FortiGate for port 2000, for example with diagnose sniffer packet any 'port 2000' 4.
If the FortiGate is blocking the port, the sniffer shows only the inbound SYN packet and the TCP three-way handshake is never completed. Even though the sniffer confirms that the handshake does not complete, external scanners can still report the port as open. In this scenario, Nmap was run against the FortiGate and reports the port as open:
Nmap results:
Nmap done: 1 IP address (1 host up) scanned in 10.36 seconds
Nmap shows the port as open, but a tracert from the PC shows that the destination is 7 hops away:
PS C:\Users\rba> tracert 10.5.56.59
Tracing route to 10.5.56.59 over a maximum of 30 hops
A packet capture on the source PC shows the TCP three-way handshake completing:
The destination is 7 hops away, yet in the PC capture the SYN-ACK arrives with a different source MAC and with a TTL of 64 (in this case). The TTL field is decremented by one at each intervening IP router (hop), so a reply that genuinely travelled back from a host 7 hops away would arrive with its initial TTL minus 7 (for the common initial values 64, 128 and 255 that is roughly 57, 121 or 248). A reply arriving with TTL 64, an undecremented initial value, was not generated by the destination: it originated much closer to the source, from a device on the path that is answering the SYN on behalf of the destination and spoofing the response. This is why the FortiGate sniffer sees only the SYN while the PC sees a completed handshake and Nmap reports the port as open.
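The following Python script is an added illustration of the TTL reasoning above; it is not part of the original article. It applies the same check to constructed Windows tracert output and a constructed tcpdump -v header line: it infers the most plausible initial TTL of the observed SYN-ACK, derives how many routers the reply must have crossed, and compares that with the forward hop count reported by tracert. The table of common initial TTLs, the tolerance of two hops for asymmetric return paths, and all sample addresses other than 10.5.56.59 are assumptions made for the example.

```python
import re

# Well-known default initial TTLs of common IP stacks (assumed reference table:
# 64 for Linux/BSD and many appliances, 128 for Windows, 255 for some routers,
# 32 for a few legacy stacks). Not taken from the article.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def implied_hops(observed_ttl):
    """Infer (initial_ttl, hops_crossed) from the TTL seen in a received packet.

    The smallest common initial TTL that is >= the observed value is assumed:
    TTL 57 implies initial 64 and 7 routers; TTL 64 implies initial 64 and
    0 routers (nothing in the path decremented it). TTL 64 could in theory be
    128 minus 64 hops, but 64 hops is implausible, so the nearest value wins.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"invalid TTL {observed_ttl}")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl


def tracert_hop_count(tracert_output):
    """Return the forward-path hop count from Windows tracert output.

    tracert prints one numbered line per hop (including '*' timeouts); the
    highest hop number is the destination.
    """
    hops = [int(m.group(1)) for m in re.finditer(r"^\s*(\d+)\s+", tracert_output, re.M)]
    return max(hops) if hops else 0


def synack_ttl(tcpdump_line):
    """Extract the IP TTL from a tcpdump -v header line ('IP (tos 0x0, ttl 64, ...')."""
    m = re.search(r"\bttl (\d+)", tcpdump_line)
    if m is None:
        raise ValueError("no ttl field in line")
    return int(m.group(1))


def reply_is_consistent(forward_hops, reply_ttl, tolerance=2):
    """True if the reply TTL fits a sender forward_hops away.

    Return paths may differ from the forward path by a hop or two, hence the
    tolerance (an assumed value; tune it for the network being tested).
    """
    _, return_hops = implied_hops(reply_ttl)
    return abs(return_hops - forward_hops) <= tolerance


# Constructed sample data modelled on the article's scenario: 7 hops to 10.5.56.59.
TRACERT_SAMPLE = """\
Tracing route to 10.5.56.59 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.1
  2     3 ms     3 ms     2 ms  100.64.0.1
  3     *        *        *     Request timed out.
  4     9 ms     8 ms     9 ms  203.0.113.1
  5    10 ms    10 ms    11 ms  203.0.113.17
  6    11 ms    12 ms    11 ms  198.51.100.9
  7    12 ms    11 ms    12 ms  10.5.56.59

Trace complete.
"""

# Constructed tcpdump -v header lines. The first mirrors the article: the SYN-ACK
# arrives with TTL 64 although the destination is 7 hops away. The second is what
# a SYN-ACK that really came from 7 hops away (initial TTL 64) would look like.
SPOOFED_SYNACK = "IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)"
GENUINE_SYNACK = "IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 44)"


def verdict(tracert_output, tcpdump_line):
    """Combine the forward hop count and the reply TTL into a one-line verdict."""
    hops = tracert_hop_count(tracert_output)
    ttl = synack_ttl(tcpdump_line)
    initial, return_hops = implied_hops(ttl)
    if reply_is_consistent(hops, ttl):
        return (f"consistent: TTL {ttl} = initial {initial} minus {return_hops} hops, "
                f"destination is {hops} hops away")
    return (f"spoofed: TTL {ttl} implies only {return_hops} hop(s) since initial TTL {initial}, "
            f"but the destination is {hops} hops away")


if __name__ == "__main__":
    print(verdict(TRACERT_SAMPLE, SPOOFED_SYNACK))
    print(verdict(TRACERT_SAMPLE, GENUINE_SYNACK))
```

Run against a real capture, feed tracert_hop_count the saved tracert output and synack_ttl the tcpdump -v line for the SYN-ACK from port 2000. A verdict of "spoofed" means some device between the PC and the FortiGate completed the handshake, which is exactly the situation where the FortiGate sniffer shows only the SYN while Nmap reports the port open.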
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.