Troubleshooting Tip: Port 5060 and port 2000 receives getting a SYN-ACK from FortiGate when nmap is initiated toward a non existing IP address

When nmap is initiated towards a non existing IP address on both ports 5060 and port 2000, a SYN-ACK is observed on FortiGate.

This an expected behavior when the ALG configuration is set to a proxy-based mode.

In a proxy-based policy, the TCP connection is proxied by the FortiGate. A TCP 3-way handshake can be established with the client, even though the server didn't complete the handshake, and vice versa. This behavior is anticipated, given that there is a corresponding Firewall policy in place, and the ALG is set to proxy-based.

If the VoIP algorithm is changed to kernel-helper-based, SYNC-ACK will not be observed on FortiGate

config system settings

set default-voip-alg-mode proxy-based * | kernel-helper-based

end

Related articles:

• Technical Tip: Portscan false positive.
• Technical Note: Service Processor (SP), SYN proxy.
• Technical Tip: Changes in SIP ALG's behavior after upgrading in v7.0 or v7.2 GA versions.