We have a customer who uses a VDOM on a shared Fortigate appliance. The customer is concerned that ports 2000 and 5060 are showing open when he scans his IP for open ports. I believe this is related to SIP ALG. Firewall policies will not close the ports. We only want to close this port for the one VDOM, as we are not sure if other customers are using services related to these ports.
I've already done the configuration below on item 1-2.
1. This disables SIP-ALG, and will use SIP session helper:
config system settings
set default-voip-alg-mode kernel-helper-based
end
2. If having Multi-VDOM, disable SIP-ALG on all respective VDOM :
config vdom
edit VDOM-A
config system settings
set default-voip-alg-mode kernel-helper-based
end
next
edit VDOM-B
config system settings
set default-voip-alg-mode kernel-helper-based
end
3. config sys session-helper
delete 13
end
I can see that `config sys session-helper` will work on the global VDOM; however, we need to ensure that this change does not affect other VDOMs. It seems that command is not available at the VDOM level.
Will this command on item 3 will affect the other VDOM's?
Reference: How to close port TCP/UDP 5060 and TCP 20... - Fortinet Community
TIA :)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
The session helpers are global and applies to all the vdoms. Therefore, you can use local in policy to restrict traffic to required vdoms, please see Local-in policy | FortiGate / FortiOS 7.6.0 | Fortinet Document Library
Best regards,
Jin
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1570 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.