FortiGate
upatel
Staff
Article Id 338769
Description This article describes how a change in the default behavior of the VoIPD daemon in FortiOS 7.2.7 can break SCCP (TCP port 2000) traffic after an upgrade, and how to restore it.
Scope FortiGate.
Solution

In this scenario, the customer upgraded a FortiGate from 7.0.12 to 7.2.7, after which SCCP (TCP 2000) traffic stopped passing through the firewall.

 

In the customer's 7.0.12 configuration, default-voip-alg-mode was set to proxy-based:

config system settings
    set default-voip-alg-mode proxy-based    <- Shown only by 'show full-configuration system settings'; plain 'show' hides default values.
end

 

Consider the following points:

  1. If default-voip-alg-mode is set to proxy-based, FortiGate implicitly applies 'set voip-profile default' to every firewall policy that does not explicitly have a VoIP profile set.

  2. In FortiOS 7.0.x, SIP/SCCP traffic is inspected flow-based by the IPS engine. From FortiOS 7.2.5 onward, SIP/SCCP traffic is inspected by the proxy-based VoIPD daemon whenever the feature-set of the VoIP profile is voipd, which is the default setting.

  3. By default, FortiGate treats traffic on TCP port 2000 as SCCP traffic.

 

Taken together, these three points mean that a FortiGate on FortiOS 7.2.7 with default-voip-alg-mode set to proxy-based passes all TCP port 2000 traffic on unprofiled policies to the VoIPD daemon for SCCP inspection, and the daemon drops it. The drop can be caused either by the traffic failing SCCP inspection (non-SCCP traffic on port 2000, such as HTTPS, cannot be parsed as SCCP) or by a bug in VoIPD when the traffic really is SCCP. Before changing the ALG mode, confirm which policies are involved: 'show full-configuration firewall policy | grep voip-profile' lists the policies with an explicit VoIP profile; every other accept policy is using the implicit 'default' profile.
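The three points above can be turned into an audit of a configuration dump. The following script is an added example and not Fortinet code: it parses a 'show full-configuration' style dump (the dump here is constructed, not taken from the customer) into nested dictionaries and reports which accept policies will hand TCP/2000 to VoIPD, either through an explicit voip-profile or through the implicit 'default' profile of proxy-based mode. The defaults it assumes when a value is absent from the dump (default-voip-alg-mode proxy-based, feature-set voipd, sccp status enable) follow the points above and are labelled in the code. It does not look at the policy's service object, so a policy that never matches TCP/2000 is still listed.

```python
import shlell
```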

 

A lab test reproduced the issue without any of the customer's configuration files.
On FortiOS 7.2.7 with default-voip-alg-mode set to proxy-based, FortiGate inspected the traffic and a remote server on TCP port 2000 could not be reached; the test opened https://w.x.y.z:2000 in a web browser on a local workstation.
On the same FortiOS 7.2.7 unit with default-voip-alg-mode set to kernel-helper-based, the remote server on TCP port 2000 was reachable.

 

The following setting resolved the issue:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

With kernel-helper-based, policies without an explicit VoIP profile no longer receive the implicit 'default' profile, so their port 2000 traffic is not sent to VoIPD. Policies that do set a voip-profile explicitly are unaffected by this change and still use VoIPD.

 

Alternatively, if proxy-based VoIP inspection is still required for SIP traffic, keep the ALG in proxy mode and disable only SCCP inspection:

Keep ALG settings in proxy mode:

config system settings
    set default-voip-alg-mode proxy-based
end

Disable SCCP inspection in the VoIP profile. Policies without an explicit profile use the 'default' profile; if a policy sets its own voip-profile, make the same change in that profile:

config voip profile
    edit default
        config sccp
            set status disable
        end
    next
end

After the change, clear any existing port 2000 sessions (for example with 'diagnose sys session filter dport 2000' followed by 'diagnose sys session clear') so that new sessions are matched against the updated profile.
