Hi all
A new behavior came up during a penetration testing that all published application (publishing is on a Cisco ASA) replies on the tcp ports 2000 and 5060. During the investigation we figured out that not the ASA replies on them, that this is the Fortigate firewall which is sitting in front of the ASA to route the traffic between two connected Internet providers. As we don't need these ports and we don't need SIP inspection and proxy function (in our case this vDOM on our Fortigate is "only" a router and has no policies in place), our approach is to disable this behavior. All filtering/inspection should apply on the ASA firewall which is on the LAN side of the Fortigate.
Based on the article https://kb.fortinet.com/kb/documentLink.do?externalID=FD36152 we found that this behavior is a normal function of the Fortigate. The only option here would be to move the ports away from the standard ports to a higher port, but not to disable this function. Means the publishings still replies, no longer on the standard 2000/5060 ports but on this other higher ports.
We got the answer back from our provider that this is a normal behavior and that it cannot be disabled, the only "workaround" is to move the ports. Is this really true, can this not be disabled? Hard for me to believe that this would apply, but if yes, it sounds for me more that this is a bug.
Thank you
Markus
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
PCNSE
NSE
StrongSwan
Even to use it just a router you still need to have a set, or multiple sets, of policies to let traffic come in ingress and go out egress interface. Then one of policies likely has a voip profile enabled, which is enabling sip/sccp ALG.
Hi Toshi
Many thanks to your reply. Yes, there are these policies configured with the ALG feature, of course. But my question is more how this can be disabled. Based on the answer I got from my provider this is not possible, the only workaround would be to move the ports for SIP and SKINNY to a higher port which is not the well-known port of the VoIP service. And I have the feeling that cannot be, it should be possible to disable this inspection entirely. What do you think?
Thanks
Markus
Try one, or all, of below:
1) When my 50E's "VoIP" visibility was originally disabled, under any policies I didn't see "voip-profile" even with "get | grep voip". So it was not configured at all. Only after I enabled it, I see it under policies and can't remove any more. But you could try "unset voip-profile" which clears profile name. Then disable the visibility. I don't see "voip-profile" setting any more with "get | grep voip" after that. If this works, that would be more preferable than 2).
2) you can create a different voip-profile with settings like below:
edit "no-sip-no-sccp-alg"
config sip
set status disable
end
config sccp
config status diable
end
next
Then apply this to your inbound policy.
3) This is supposed to be done when you want to disable both SIP session-helper and ALG, but as the result, it would disable all ALG. So I regulary have 1) and 3) at all our FGTs in place.
3-1) remove sip and h323 session helper under "config sys session helper" (in global incase muti-vdom env). Likely h323 is "edit 2" and sip is "edit 13". We remove both, and this change requires a reboot.
3-2) This is depending on version. Under "config sys settings" (in a vdom) do below:
set sip-helper disable (only older versions, 6.2 doesn't have the setting)
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
This part doesn't require reboot.
You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
PCNSE
NSE
StrongSwan
Hi Esumi and emnoc
Thank you very much for your valuable inputs here, I forwarded it to our partner for checking.
Have a good day
Markus
emnoc wrote:You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
Hello Ken,
I tried modifications below but the firewall is still listening on TCP ports 2000 and 5060. What can I do ?
I'm on FortiOS 5.6.14 with VDOM enable.
In global mode :
config system setting
set default-voip-alg-mode kernel-helper-based end
In each VDOM (currently 3) :
config voip profile
edit "default" config sip set status disable end config sccp set status disable end next end
diagnose sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
diagnose sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
thank you so much, i did search forever on why my app does not work (that uses tcp/2000) and got suspicios when i did see on wireshark that my client is receiving packats that the server never sent.
what an extremely stupid thing to put in hardcoded behavious for some ports, that can very well be used for something else than cisco VoIP.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.