Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Fortigates replies on tcp/2000 and tcp/5060
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigates replies on tcp/2000 and tcp/5060
Hi all
A new behavior came up during a penetration testing that all published application (publishing is on a Cisco ASA) replies on the tcp ports 2000 and 5060. During the investigation we figured out that not the ASA replies on them, that this is the Fortigate firewall which is sitting in front of the ASA to route the traffic between two connected Internet providers. As we don't need these ports and we don't need SIP inspection and proxy function (in our case this vDOM on our Fortigate is "only" a router and has no policies in place), our approach is to disable this behavior. All filtering/inspection should apply on the ASA firewall which is on the LAN side of the Fortigate.
Based on the article https://kb.fortinet.com/kb/documentLink.do?externalID=FD36152 we found that this behavior is a normal function of the Fortigate. The only option here would be to move the ports away from the standard ports to a higher port, but not to disable this function. Means the publishings still replies, no longer on the standard 2000/5060 ports but on this other higher ports.
We got the answer back from our provider that this is a normal behavior and that it cannot be disabled, the only "workaround" is to move the ports. Is this really true, can this not be disabled? Hard for me to believe that this would apply, but if yes, it sounds for me more that this is a bug.
Thank you
Markus
Solved! Go to Solution.
12083
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Even to use it just a router you still need to have a set, or multiple sets, of policies to let traffic come in ingress and go out egress interface. Then one of policies likely has a voip profile enabled, which is enabling sip/sccp ALG.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi
Many thanks to your reply. Yes, there are these policies configured with the ALG feature, of course. But my question is more how this can be disabled. Based on the answer I got from my provider this is not possible, the only workaround would be to move the ports for SIP and SKINNY to a higher port which is not the well-known port of the VoIP service. And I have the feeling that cannot be, it should be possible to disable this inspection entirely. What do you think?
Thanks
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try one, or all, of below:
1) When my 50E's "VoIP" visibility was originally disabled, under any policies I didn't see "voip-profile" even with "get | grep voip". So it was not configured at all. Only after I enabled it, I see it under policies and can't remove any more. But you could try "unset voip-profile" which clears profile name. Then disable the visibility. I don't see "voip-profile" setting any more with "get | grep voip" after that. If this works, that would be more preferable than 2).
2) you can create a different voip-profile with settings like below:
edit "no-sip-no-sccp-alg"
config sip
set status disable
end
config sccp
config status diable
end
next
Then apply this to your inbound policy.
3) This is supposed to be done when you want to disable both SIP session-helper and ALG, but as the result, it would disable all ALG. So I regulary have 1) and 3) at all our FGTs in place.
3-1) remove sip and h323 session helper under "config sys session helper" (in global incase muti-vdom env). Likely h323 is "edit 2" and sip is "edit 13". We remove both, and this change requires a reboot.
3-2) This is depending on version. Under "config sys settings" (in a vdom) do below:
set sip-helper disable (only older versions, 6.2 doesn't have the setting)
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
This part doesn't require reboot.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Esumi and emnoc
Thank you very much for your valuable inputs here, I forwarded it to our partner for checking.
Have a good day
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
Hello Ken,
I tried modifications below but the firewall is still listening on TCP ports 2000 and 5060. What can I do ?
I'm on FortiOS 5.6.14 with VDOM enable.
In global mode :
config system setting
set default-voip-alg-mode kernel-helper-based end
In each VDOM (currently 3) :
config voip profile
edit "default" config sip set status disable end config sccp set status disable end next end
diagnose sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
diagnose sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you so much, i did search forever on why my app does not work (that uses tcp/2000) and got suspicios when i did see on wireshark that my client is receiving packats that the server never sent.
what an extremely stupid thing to put in hardcoded behavious for some ports, that can very well be used for something else than cisco VoIP.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,690 -
FortiClient
1,761 -
5.2
801 -
FortiManager
728 -
5.4
639 -
FortiAnalyzer
557 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.