Support Forum
Palerm0
New Contributor II

Port 2000 and 5060 open by default (How to close)

Hi,

A pen test on our outside IP shows us that ports 2000 (Cisco Skinny Client, IP phones) and 5060 (Session Initiation Protocol) are open.

We don't need those ports, and our security office wants to close them.

We are running software version v5.4.5.

The configuration change we made to close port 5060:

config global
config system session-helper
delete 13
end
end

And for port 2000 we used the following:

config vdom
edit Firewall
config voip profile
edit default
config sccp
set status disable
end
next
end
end

 

But unfortunately this did not close the ports.

Does anyone have a suggestion to close these 2 ports?

 

I hope someone can help me. Thanks in advance.

Greetings Palermo

Iescudero
Contributor II

Hi there!

Maybe with a local-in policy you can achieve this:

 

config firewall local-in-policy
edit 1
set intf wan1
set srcaddr all
set dstaddr all
set action deny
set service TCP_5060
set schedule always
next
end

 

http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/L...

 

Hope it helps!

emnoc
Esteemed Contributor III

Have you looked at local-in policies? But I wonder how and what open-port test they did.

 

 

PCNSE NSE StrongSwan
Palerm0
New Contributor II

@Iescudero I'm gonna test this on our test firewall. Thanks.

But still, Fortinet is suggesting the commands I described above to close the helper ports, so I don't understand why the ports are still open.

 

@emnoc It's just an nmap command from an external machine that does pen tests:

Discovered open port 2000/tcp on xxx.xxx.xx.xx

Discovered open port 5060/tcp on xxx.xxx.xx.xx

 

Thanks for your suggestion

 

Gr

Palermo

packetpusher

When you perform a network scan of any kind, i.e. nmap <WAN IP of your firewall>, do you get the same result as the pen test?

emnoc
Esteemed Contributor III

Discovered open port 2000/tcp on xxx.xxx.xx.xx

 

What is xxx.xxx.xx.xx, the firewall? A DNAT VIP?

PCNSE NSE StrongSwan
Palerm0
New Contributor II

It is an advertised public IP address, via the firewall to a load balancer which also filters on ports.

Palerm0

I was using the wrong technical name.

Pen test is for penetration testing and nmap is a port range scanner.

Sorry :)

 

 

Palerm0
New Contributor II

Our environment is split up into multiple customer networks.

For this specific customer we don't use the firewall feature (so we have a permit-any rule).

The filtering (firewalling) is done at another place in the network (for this client specifically).

And if you scan the IP addresses for this client you'll find ports 5060 and 2000 open.

I find it strange that specifically these ports are open and not others like 22, 25 etc. (these ports are closed at the firewall at the other place in the network). The FortiGate marks these ports as open, but at the back of the network they are not open.

 

So the question is: how can I make the nmap scan not see the ports (5060 & 2000) without closing specifically these ports (other applications use these ports as well)?

Why do I see these ports open in the first place? I never asked for this.

 

It's difficult to explain the situation; I hope I made it a bit clear.

Thanks in advance

Greetings Palermo

Palerm0
New Contributor II

Hi, I found a solution to my problem.

The code I used in my initial post did not work with our software version. The support documentation is out of date. We are running version 5.4.5.

 

To disable the SIP helper / ALG I used the following code:

 

config system settings
set default-voip-alg-mode kernel-helper-based
end

It is important that you configure it in all the VDOMs.

 

A reboot is not necessary; clearing the sessions worked for us:

diagnose sys session filter
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session filter dport 2000
diagnose sys session clear

It may help others :)

 

Greetings

Palermo
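As an added verification aid (not code from the thread or from Fortinet): a small Python script that parses the "Discovered open port" lines from an nmap run against your own public address, compares them with the ports you intend to expose, and flags the two ALG helper ports so you know which FortiOS setting to revisit after the change. The address and scan lines below are constructed.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Ports a FortiGate answers on itself while the matching session helper /
# proxy-mode ALG is active, with the setting discussed in the thread.
ALG_PORTS = {
    2000: "sccp - voip profile / default-voip-alg-mode",
    5060: "sip - session-helper entry / default-voip-alg-mode",
}

DISCOVERED = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")

def parse_scan(lines: Iterable[str]) -> Dict[str, Set[Tuple[int, str]]]:
    """Collect (port, proto) pairs per scanned address from nmap -v output."""
    found: Dict[str, Set[Tuple[int, str]]] = {}
    for line in lines:
        m = DISCOVERED.search(line)
        if m:
            found.setdefault(m.group(3), set()).add((int(m.group(1)), m.group(2)))
    return found

def unexpected_ports(scan: Dict[str, Set[Tuple[int, str]]],
                     expected: Dict[str, Set[Tuple[int, str]]]) -> Dict[str, List[dict]]:
    """Per host, list open ports missing from the allowlist; tag helper ports
    with the ALG that most likely completed the handshake on the FortiGate."""
    report: Dict[str, List[dict]] = {}
    for host, ports in scan.items():
        for port, proto in sorted(ports - expected.get(host, set())):
            report.setdefault(host, []).append(
                {"port": port, "proto": proto, "alg": ALG_PORTS.get(port)})
    return report

# Constructed sample: pre-change scan of one public IP (not from the thread)
SAMPLE_SCAN = """\
Discovered open port 443/tcp on 203.0.113.10
Discovered open port 2000/tcp on 203.0.113.10
Discovered open port 5060/tcp on 203.0.113.10
Discovered open port 5060/udp on 203.0.113.10
""".splitlines()

EXPECTED = {"203.0.113.10": {(443, "tcp")}}  # constructed allowlist

if __name__ == "__main__":
    for host, items in unexpected_ports(parse_scan(SAMPLE_SCAN), EXPECTED).items():
        for it in items:
            print(f"{host} {it['port']}/{it['proto']}: {it['alg'] or 'check backend / VIP'}")
```

Re-run it on a post-change scan; an empty report means the helper ports no longer answer on the public address.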

 
