FortiGate
upatel
Article Id 338769
Description This article describes how the change in the default behavior of the VoIPD daemon in v7.2.7 can impact application traffic on port 2000.
Scope FortiGate.
Solution

In this scenario, the user upgraded a FortiGate from v7.0.12 to v7.2.7, after which application traffic on TCP port 2000 was impacted.

 

In the user configuration in v7.0.12, the default-voip-alg-mode was set to proxy-based.

 

config system settings

    set default-voip-alg-mode proxy-based <- It will only show after running 'show full system settings'.

end

 

Consider the following points:

 

  1. If the default-voip-alg-mode is set to proxy-based, FortiGate implicitly applies 'set voip-profile default' to all firewall policies that do not explicitly have a VoIP profile set.

  2. In v7.0.X, the IPS engine inspects flow-based SIP/SCCP traffic. However, in v7.2.5 onwards, SIP/SCCP traffic is inspected by the proxy-based VoIPD daemon if the feature-set under the VoIP profile is set to VoIPD (this is the default setting). See this document: IPS-based and voipd-based VoIP profiles.

  3. By default, FortiGate considers traffic on TCP port 2000 as SCCP traffic.

 

Using the debug flow tool, it is possible to confirm that the session is handled in proxy-based inspection mode (see Technical Tip: Session flags and inspection mode), even though no type of inspection is enabled in the firewall policy.

 

id=65308 trace_id=238 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51362->192.168.2.10:2000) tun_id=0.0.0.0 from VLAN1. flag [S], seq 1809234287, ack 0, win 65535"
id=65308 trace_id=238 func=init_ip_session_common line=6047 msg="allocate a new session-08849dce"
id=65308 trace_id=238 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via VLAN2"
id=65308 trace_id=238 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=62, len=3"
id=65308 trace_id=238 func=fw_forward_handler line=990 msg="Allowed by Policy-1: AV"
id=65308 trace_id=238 func=ip_session_confirm_final line=3110 msg="npu_state=0x0, hook=4"
id=65308 trace_id=238 func=av_receive line=446 msg="send to application layer"

 

In v7.2.7, with default-voip-alg-mode set to proxy-based, FortiGate inspects this traffic, and the remote server on TCP port 2000 cannot be reached. The test was an attempt to open https://w.x.y.z:2000 from a web browser on a local workstation.
However, in v7.2.7, with default-voip-alg-mode set to kernel-helper-based, the remote server on TCP port 2000 is reachable.
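As an added example (not part of the Fortinet article), the following Python parses 'diagnose debug flow' output such as the trace above, groups it per trace_id and lists the TCP/2000 sessions that were handed to the application layer, which is the symptom of the proxy-based VoIP ALG described here. The sample trace is constructed from the article's lines plus one unaffected HTTPS session; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the article's trace (trace_id 238, proxy inspected) plus an
# unaffected HTTPS session (trace_id 239) so the filter has something to ignore.
SAMPLE_TRACE = """\
id=65308 trace_id=238 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51362->192.168.2.10:2000) tun_id=0.0.0.0 from VLAN1. flag [S], seq 1809234287, ack 0, win 65535"
id=65308 trace_id=238 func=init_ip_session_common line=6047 msg="allocate a new session-08849dce"
id=65308 trace_id=238 func=fw_forward_handler line=990 msg="Allowed by Policy-1: AV"
id=65308 trace_id=238 func=av_receive line=446 msg="send to application layer"
id=65308 trace_id=239 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.168.1.11:40000->192.168.2.10:443) tun_id=0.0.0.0 from VLAN1. flag [S], seq 1, ack 0, win 65535"
id=65308 trace_id=239 func=fw_forward_handler line=990 msg="Allowed by Policy-1: AV"
id=65308 trace_id=239 func=ip_session_confirm_final line=3110 msg="npu_state=0x0, hook=4"
"""

SCCP_DEFAULT_PORT = 2000  # FortiGate's default sccp-port, as stated in the article
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->'
                    r'(?P<dst>[\d.]+):(?P<dport>\d+)')

def parse_sessions(trace_text):
    """Group trace lines by trace_id into {tid: {proto, src, sport, dst, dport, policy, app_layer}}."""
    sessions = defaultdict(lambda: {"policy": None, "app_layer": False})
    for line in trace_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a debug-flow line (blank, prompt, etc.)
        s = sessions[int(m["tid"])]
        pkt = PKT_RE.search(m["msg"])
        if pkt:  # the print_pkt_detail line carries the 5-tuple
            s.update(proto=int(pkt["proto"]), src=pkt["src"], sport=int(pkt["sport"]),
                     dst=pkt["dst"], dport=int(pkt["dport"]))
        elif m["msg"].startswith("Allowed by "):
            s["policy"] = m["msg"][len("Allowed by "):]
        elif m["msg"] == "send to application layer":
            s["app_layer"] = True  # session handed to a userspace proxy (voipd for SCCP)
    return dict(sessions)

def proxy_inspected_on_port(trace_text, port=SCCP_DEFAULT_PORT):
    """trace_ids of TCP sessions to `port` that were diverted to the application layer."""
    return sorted(tid for tid, s in parse_sessions(trace_text).items()
                  if s.get("proto") == 6 and s.get("dport") == port and s["app_layer"])

if __name__ == "__main__":
    for tid in proxy_inspected_on_port(SAMPLE_TRACE):
        s = parse_sessions(SAMPLE_TRACE)[tid]
        print(f"trace_id={tid}: {s['src']}:{s['sport']}->{s['dst']}:{s['dport']} via "
              f"'{s['policy']}' hit proxy inspection; review default-voip-alg-mode/sccp-port")
```

A session that only reaches ip_session_confirm_final without "send to application layer" stays in the kernel path and is not reported.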

 

The following settings resolved the issue:

  1. Disable SIP-ALG.

config system settings

    set default-voip-alg-mode kernel-helper-based

end

  2. Alternatively, if VoIP inspection is necessary for SIP traffic, the following can be applied:

Keep ALG settings in proxy mode:

config system settings

    set default-voip-alg-mode proxy-based

end

In the VoIP profile, disable SCCP inspection. By default, the 'default' VoIP profile is used:

config voip profile

    edit default

        config sccp

            set status disable   <<<<

        end

    next

end

  3. Change the SCCP port to something other than 2000.

config system settings
(settings) # set sccp-port <>   <----- Enter an integer value from <0> to <65535> (default = <2000>).
end

 

Related articles:

Technical Tip: How to disable ALG for SCCP traffic to allow TCP port 2000

Troubleshooting Tip: The application is running on a port that is already in use on the FortiGate fo...