FortiGate
ihaidar
Staff
Article Id 290960
Description This article describes why a SYN-ACK is seen from the FortiGate when nmap is run against a non-existent IP address behind it.
Scope FortiGate.
Solution

When nmap is run against a non-existent IP address behind the FortiGate, a SYN-ACK is returned for TCP ports 2000 and 5060 even though no host owns that address.

This is expected behavior when the VoIP ALG is set to proxy-based mode.

In a proxy-based policy the FortiGate terminates and proxies the TCP connection. It completes the 3-way handshake with the client before, and independently of, the handshake with the server, so the client receives a SYN-ACK even when the server never answers (and vice versa). This happens whenever a firewall policy matches the traffic and the ALG is proxy-based: the SYN-ACK is generated by the FortiGate itself, not by the scanned address, which is why an unused address appears to have two open ports.


By default, the FortiGate considers traffic using TCP port 2000 as SCCP and traffic using TCP port 5060 as SIP.

Both SCCP and SIP are inspected by ALG by default.

If the VoIP ALG mode is changed to kernel-helper-based, the SYN-ACK is no longer observed, because the kernel session helper inspects packets in the flow and does not proxy the TCP connection:

config system settings
    set default-voip-alg-mode {proxy-based | kernel-helper-based}
end

proxy-based is the default (the CLI marks it with *).

Note: if SIP and/or SCCP traffic passes through the FortiGate and relies on the ALG to open pinholes and/or perform NAT on the signalling, changing the ALG mode or disabling inspection will most likely break that VoIP traffic. Check for live VoIP policies before changing the setting.

Alternatively, if VoIP inspection is needed for SIP but not for SCCP, keep the ALG in proxy-based mode and disable only SCCP inspection in the VoIP profile.

Keep the ALG in proxy-based mode:

config system settings
    set default-voip-alg-mode proxy-based
end

In the VoIP profile, disable SCCP inspection. Unless a different profile is applied to the policy, the 'default' VoIP profile is used:

config voip profile
    edit default
        config sccp
            set status disable
        end
    next
end

With this configuration the FortiGate still completes the handshake for TCP 5060, but TCP 2000 no longer returns a SYN-ACK.


Similarly, if VoIP inspection is needed for SCCP but not for SIP, disable SIP inspection in the VoIP profile, which stops the SYN-ACK on TCP 5060 while TCP 2000 keeps answering:

config voip profile
    edit default
        config sip
            set status disable
        end
    next
end
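To tell a proxy-completed handshake from a real host, and to check the SYN-ACKs seen in a scan against what the ALG configuration above predicts, here is an added Python example. It is not Fortinet's code and is not part of this article. It parses constructed nmap output (the format `nmap -sS --reason` prints) and constructed FortiOS CLI text in the shape of the `config system settings` and `config voip profile` snippets shown above; the address 10.20.30.99, the scan results and the config text are all made up for illustration.

```python
"""Added example (not Fortinet code): decide whether SYN-ACKs from an unused
address are the FortiGate's proxy-based VoIP ALG answering, and compare the
observed ports with what the ALG configuration predicts.

Inputs are constructed: nmap normal output from `nmap -sS --reason`, and
FortiOS CLI text as `show system settings` / `show voip profile` print it.
The address 10.20.30.99 is fictitious."""
import re

# TCP ports the FortiGate treats as SCCP and SIP by default.
ALG_PORTS = {2000: "sccp", 5060: "sip"}

# Constructed scan of an address no host owns, behind the FortiGate.
NMAP_OUTPUT = """\
Nmap scan report for 10.20.30.99
Host is up, received syn-ack ttl 63 (0.0021s latency).

PORT     STATE    SERVICE    REASON
22/tcp   filtered ssh        no-response
2000/tcp open     cisco-sccp syn-ack ttl 63
5060/tcp open     sip        syn-ack ttl 63
"""

# Constructed FortiOS config text mirroring the article's three options.
CONFIG_PROXY_BOTH = """\
config system settings
    set default-voip-alg-mode proxy-based
end
"""
CONFIG_SIP_ONLY = CONFIG_PROXY_BOTH + """\
config voip profile
    edit "default"
        config sccp
            set status disable
        end
    next
end
"""
CONFIG_KERNEL_HELPER = CONFIG_PROXY_BOTH.replace("proxy-based", "kernel-helper-based")

PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+\S+\s+(.*?)\s*$")


def parse_nmap(text):
    """Map port -> (state, reason) from nmap normal output run with --reason."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3))
    return ports


def parse_fortios(text):
    """Flatten FortiOS CLI text into {"table/entry/key": value} with a path
    stack; config/edit/set/next/end is all the article's snippets use."""
    path, out = [], {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]).strip('"'))
        elif tok[0] == "set":
            out["/".join(path + [tok[1]])] = " ".join(tok[2:]).strip('"')
        elif tok[0] in ("next", "end"):
            path.pop()
    return out


def expected_alg_ports(cfg):
    """Ports on which the FortiGate itself completes the handshake: only in
    proxy-based mode, and only for protocols still enabled in the 'default'
    VoIP profile (both are enabled unless the config says otherwise)."""
    if cfg.get("system settings/default-voip-alg-mode", "proxy-based") != "proxy-based":
        return set()
    return {port for port, proto in ALG_PORTS.items()
            if cfg.get(f"voip profile/default/{proto}/status", "enable") == "enable"}


def alg_signature(ports):
    """True when every 'open' port is an ALG port answered with syn-ack and all
    other probed ports got no response. A real host would RST its closed ports;
    silence elsewhere plus a handshake on 2000/5060 points at the proxy. Ports
    dropped by policy are also 'no-response', so this is a strong hint, not
    proof; the config comparison in diagnose() is the confirmation."""
    opened = {p for p, (state, _) in ports.items() if state == "open"}
    rest = [reason for p, (_, reason) in ports.items() if p not in opened]
    return (bool(opened) and opened <= set(ALG_PORTS)
            and all(ports[p][1].startswith("syn-ack") for p in opened)
            and all(reason == "no-response" for reason in rest))


def diagnose(nmap_text, config_text):
    """Compare observed SYN-ACK ports with the ports the ALG config predicts."""
    scan = parse_nmap(nmap_text)
    observed = {p for p, (state, reason) in scan.items()
                if state == "open" and reason.startswith("syn-ack")}
    expected = expected_alg_ports(parse_fortios(config_text))
    return {"observed": observed, "expected": expected,
            "alg_signature": alg_signature(scan),
            "unexplained": observed - expected}


if __name__ == "__main__":
    for cfg in (CONFIG_PROXY_BOTH, CONFIG_SIP_ONLY, CONFIG_KERNEL_HELPER):
        print(diagnose(NMAP_OUTPUT, cfg))
```

Run against the constructed scan, the proxy-based config with both protocols enabled explains both ports, the SIP-only profile leaves TCP 2000 unexplained (it should stop answering once SCCP inspection is disabled), and kernel-helper-based mode predicts no proxy SYN-ACK at all. In practice, re-run the scan after the change and feed the real `show` output to `parse_fortios`; a port that still answers when the config says it should not means the traffic is hitting a policy with a different VoIP profile, which is where to look next.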
