Hi,
A pen test on our outside IP shows that ports 2000 (Cisco Skinny Clients (IP Phones)) and 5060 (Session Initiation Protocol) are open.
We don't need those ports, and our security office wants to close these ports.
We are running software version v5.4.5.
The configuration change we did to close port 5060:
conf global
config system session-helper
delete 13
end
And for port 2000 we used the following:
conf vdom
(vdom) # edit Firewall
# config voip profile
(profile) # edit default
(default) # config sccp
(sccp) # set status disable
(sccp) # end
But unfortunately this did not close the ports.
Does anyone have a suggestion on how to close these 2 ports?
I hope someone can help me. Thanks in advance.
Greetings, Palermo
Hi there!
Maybe with a local-in policy you can achieve this:
config firewall local-in-policy
edit 1
set intf wan1
set srcaddr all
set dstaddr all
set action deny
set service TCP_5060
set schedule always
end
Hope it helps!
Have you looked at local-in policies? But I wonder how and what open-port test they did.
PCNSE
NSE
StrongSwan
@Iescudero I'm gonna test this on our test firewall. Thanks.
But still, Fortinet is suggesting the commands I described above to close the helper ports. So I don't understand why the ports are still open.
@emnoc It's just an nmap command from an external machine that does pen tests:
Discovered open port 2000/tcp on xxx.xxx.xx.xx
Discovered open port 5060/tcp on xxx.xxx.xx.xx
Thanks for your suggestion
Gr
Palermo
When you perform a network scan of any kind, e.g. nmap <WAN IP of your firewall>, do you get the same result as the pen test?
Discovered open port 2000/tcp on xxx.xxx.xx.xx
What is xxx.xxx.xx.xx, the firewall? A DNAT VIP?
PCNSE
NSE
StrongSwan
It is an advertised public IP address, reached via the firewall to a load balancer which also filters on ports.
I was using the wrong technical name.
Pen test is for penetration testing and NMAP is a port range scanner.
Sorry :)
Our environment is split up into multiple customer networks.
For this specific customer we don't use the firewall feature (so we have a permit-any rule).
The filtering (firewalling) is done in another place in the network (for this client specifically).
And if you scan the IP addresses for this client you'll find the ports 5060 and 2000 open.
I find it strange that specifically these ports are open and not the others like 22, 25, etc. (Those ports are closed at the firewall in the other place in the network.) The FortiGate marks these ports as open, but at the back of the network they are not open.
So the question is how can I make the NMAP scan not see the ports (5060 & 2000) without closing specifically these ports (other applications use these ports as well).
Why do I see these ports open in the first place? I never asked for this.
It's difficult to explain the situation; I hope I made it a bit clearer.
Thanks in advance
Greetings, Palermo
Hi, I found a solution to my problem.
The code I used in my initial post did not work with our software version. The support documentation is outdated. We are running version 5.4.5.
To disable the SIP helper / ALG I used the following:
config system settings
set default-voip-alg-mode kernel-helper-based
end
Important: you need to configure it on all the VDOMs.
A reboot is not necessary; clearing the sessions worked for us:
diagnose sys session filter
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session filter dport 2000
diagnose sys session clear
It may help others :)
Greetings
Palermo
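A check for whether the change actually took effect, added here as an example and not part of the thread: it parses nmap's "Discovered open port" lines like the ones quoted above and reports, per scanned address, which of the two helper ports (2000/tcp, 5060/tcp) still show as open, so a VDOM that was missed stands out. The sample scan output is constructed and uses documentation-range addresses as placeholders.

```python
import re
from typing import Dict, List, Set

# Ports handled by the FortiOS session helpers discussed in the thread:
# 2000/tcp (SCCP, Cisco Skinny) and 5060/tcp (SIP).
HELPER_PORTS: Set[int] = {2000, 5060}

# nmap's verbose progress line, e.g. "Discovered open port 5060/tcp on 203.0.113.10".
DISCOVERED_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_open_tcp_ports(nmap_output: str) -> Dict[str, Set[int]]:
    """Map each scanned host to the set of TCP ports nmap reported as open."""
    open_ports: Dict[str, Set[int]] = {}
    for match in DISCOVERED_RE.finditer(nmap_output):
        port, proto, host = int(match.group(1)), match.group(2), match.group(3)
        if proto == "tcp":  # the helper ports in question are TCP
            open_ports.setdefault(host, set()).add(port)
    return open_ports


def helper_ports_still_open(nmap_output: str) -> Dict[str, List[int]]:
    """Return, per host, the helper ports that still show as open.
    Empty dict: the ALG change took effect on every scanned address."""
    leftovers: Dict[str, List[int]] = {}
    for host, ports in parse_open_tcp_ports(nmap_output).items():
        still_open = sorted(ports & HELPER_PORTS)
        if still_open:
            leftovers[host] = still_open
    return leftovers


# Constructed sample output (documentation-range addresses, not real hosts):
# a scan before the change, and one after it where one VDOM was missed.
SCAN_BEFORE = """\
Discovered open port 443/tcp on 203.0.113.10
Discovered open port 2000/tcp on 203.0.113.10
Discovered open port 5060/tcp on 203.0.113.10
Discovered open port 5060/udp on 203.0.113.10
"""

SCAN_AFTER = """\
Discovered open port 443/tcp on 203.0.113.10
Discovered open port 443/tcp on 203.0.113.20
Discovered open port 5060/tcp on 203.0.113.20
"""

if __name__ == "__main__":
    print("before:", helper_ports_still_open(SCAN_BEFORE))  # {'203.0.113.10': [2000, 5060]}
    print("after: ", helper_ports_still_open(SCAN_AFTER))   # {'203.0.113.20': [5060]}
```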