FortiGate
upatel
Staff
Article Id 338769
Description

This article describes how the change to the default behavior of the VoIPD daemon in v7.2.7 can impact SCCP (TCP 2000) traffic.

Scope

FortiGate.

Solution

In this scenario, the user has upgraded a FortiGate from v7.0.12 to v7.2.7, which has impacted SCCP (TCP 2000) traffic.

As per the user configuration in v7.0.12, default-voip-alg-mode was set to proxy-based:

config system settings
    set default-voip-alg-mode proxy-based    <- This setting is only shown after running 'show full system settings'.
end

Consider the following points:

  1. If default-voip-alg-mode is set to proxy-based, FortiGate implicitly applies 'set voip-profile default' to every firewall policy that does not explicitly have a VoIP profile set.

  2. In FortiOS v7.0.X, the IPS engine inspects flow-based SIP/SCCP traffic. From FortiOS v7.2.5 onwards, SIP/SCCP traffic is instead inspected by the proxy-based VoIPD daemon when the feature-set under the VoIP profile is set to VoIPD (the default setting). See this document: IPS-based and voipd-based VoIP profiles.

  3. By default, FortiGate treats traffic on TCP port 2000 as SCCP traffic.

Using the debug flow tool, it is possible to confirm that the traffic is being sent to the application layer (proxy-based inspection) even without any type of inspection enabled in the firewall policy:

id=65308 trace_id=238 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51362->192.168.2.10:2000) tun_id=0.0.0.0 from VLAN1. flag [S], seq 1809234287, ack 0, win 65535"
id=65308 trace_id=238 func=init_ip_session_common line=6047 msg="allocate a new session-08849dce"
id=65308 trace_id=238 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via VLAN2"
id=65308 trace_id=238 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=62, len=3"
id=65308 trace_id=238 func=fw_forward_handler line=990 msg="Allowed by Policy-1: AV"
id=65308 trace_id=238 func=ip_session_confirm_final line=3110 msg="npu_state=0x0, hook=4"
id=65308 trace_id=238 func=av_receive line=446 msg="send to application layer"
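
Reading a long debug-flow capture by hand is error-prone, so here is an added example (not part of the article or of FortiOS) that groups trace lines by trace_id and flags TCP/2000 sessions that were handed to the proxy. The sample trace embeds the article's lines plus a constructed HTTPS session (trace_id 239) for contrast; the field layout assumed is the one shown in the trace above.

```python
import re
from collections import defaultdict

# Constructed sample: the SCCP trace from this article (trace_id 238) plus a
# hypothetical HTTPS session (trace_id 239) that stays in the kernel path.
SAMPLE_TRACE = """\
id=65308 trace_id=238 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51362->192.168.2.10:2000) tun_id=0.0.0.0 from VLAN1. flag [S], seq 1809234287, ack 0, win 65535"
id=65308 trace_id=238 func=init_ip_session_common line=6047 msg="allocate a new session-08849dce"
id=65308 trace_id=238 func=fw_forward_handler line=990 msg="Allowed by Policy-1: AV"
id=65308 trace_id=238 func=av_receive line=446 msg="send to application layer"
id=65308 trace_id=239 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51400->192.168.2.10:443) tun_id=0.0.0.0 from VLAN1. flag [S], seq 1, ack 0, win 65535"
id=65308 trace_id=239 func=fw_forward_handler line=990 msg="Allowed by Policy-2:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\w+) .*?msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), [\d.]+:\d+->[\d.]+:(\d+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
SCCP_PORT = 2000  # FortiGate treats TCP/2000 as SCCP by default (point 3)

def parse_trace(text):
    """Group debug-flow lines by trace_id, recording proto, dst port, policy id
    and whether the session was handed to the proxy ("send to application layer")."""
    sessions = defaultdict(lambda: {"proto": None, "dst_port": None,
                                    "policy": None, "proxied": False})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        s = sessions[tid]
        pkt = PKT_RE.search(msg)
        if pkt:
            s["proto"], s["dst_port"] = int(pkt.group(1)), int(pkt.group(2))
        pol = POLICY_RE.search(msg)
        if pol:
            s["policy"] = int(pol.group(1))
        if func == "av_receive" and "send to application layer" in msg:
            s["proxied"] = True
    return dict(sessions)

def suspect_sccp_alg(sessions):
    """trace_ids of TCP/2000 sessions that reached the proxy: with
    default-voip-alg-mode proxy-based these are handled by VoIPD."""
    return sorted(tid for tid, s in sessions.items()
                  if s["proto"] == 6 and s["dst_port"] == SCCP_PORT and s["proxied"])

if __name__ == "__main__":
    print(suspect_sccp_alg(parse_trace(SAMPLE_TRACE)))  # ['238']
```

A flagged trace_id on a policy with no VoIP profile is the signature of the implicit 'set voip-profile default' behavior described in point 1.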

Considering the above three points, it appears that FortiGates running FortiOS v7.2.7 with default-voip-alg-mode set to proxy-based were using the VoIPD daemon to inspect TCP port 2000 traffic, and the VoIPD daemon was dropping that traffic. This could be due to either the traffic failing inspection or a bug in VoIPD.

A lab test replicated the issue even without any of the customer's configuration files.
On FortiOS v7.2.7 with default-voip-alg-mode set to proxy-based, FortiGate inspects the traffic and the remote server cannot be reached on TCP port 2000. The test consisted of opening https://w.x.y.z:2000 in a web browser on a local workstation.
On the same FortiOS v7.2.7 with default-voip-alg-mode set to kernel-helper-based, the remote server on TCP port 2000 is reachable.

The following settings resolved the issue:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

Alternatively, if VoIP inspection is still required for SIP traffic, the following can be applied.

Keep the ALG settings in proxy mode:

config system settings
    set default-voip-alg-mode proxy-based
end

In the VoIP profile, disable SCCP inspection. By default, the 'default' VoIP profile is used:

config voip profile
    edit default
        config sccp
            set status disable
        end
    next
end