FortiGate
dbabic
Staff
Article Id 193853

Description

This article describes why a FortiGate does not forward traffic on TCP ports 5060, 5061 and 2000.

By default, FortiGate treats:

    • TCP ports 5060, 5061 and UDP port 5060 as SIP protocol traffic.
    • TCP port 2000 as Skinny Client Control Protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.

All SIP and SCCP traffic is intercepted for inspection by the VoIP ALG by default in FortiOS 5.2, 5.4 and 5.6, so an application that uses one of these ports for something other than SIP or SCCP will not get its traffic through.


Solution

If the VoIP ALG is not needed and an application uses one of these ports, there are three options:

1) Change the monitored ports for VoIP traffic

Any unused port between 1024 and 65535 can be used; higher port numbers are recommended because they are used less frequently by application traffic.

The monitored ports for SIP and SCCP traffic are configured with the following CLI commands (the second SIP TCP port is optional):
# config system settings
    set sip-ssl-port <port_number>
    set sip-tcp-port <port1_int> [<port2_int>]
    set sip-udp-port <port_number>
    set sccp-port <port_number>
end

2) Change the default-voip-alg-mode to kernel-helper-based

# config system settings
    set default-voip-alg-mode kernel-helper-based
end

3) Disable the ALG in the default VoIP profile, which is applied even when no VoIP profile is selected on the policy

The sccp sub-section covers TCP port 2000 and the sip sub-section covers ports 5060/5061; disable whichever one the application needs (or both):

# config voip profile
    edit default
        config sccp
            set status disable
        end
        config sip
            set status disable
        end
    next
end
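To check which ports a given configuration still leaves under the proxy-based VoIP ALG, here is an added Python example (not Fortinet's code): it parses a config export in the CLI syntax shown above and applies the article's default ports for anything left unset, since an exported config omits default values. The sample config is constructed, and the assignment of TCP 5061 to sip-ssl-port is an assumption.

```python
"""Report which (proto, port) pairs the proxy-based VoIP ALG intercepts.
Added example; the port defaults come from the article, the sample is constructed."""

# Constructed export: SIP ports left at defaults, SCCP disabled in the default profile.
SAMPLE_CONFIG = """\
config system settings
    set default-voip-alg-mode proxy-based
    set sip-tcp-port 5060 5061
end
config voip profile
    edit default
        config sccp
            set status disable
        end
    next
end
"""

# Defaults per the article (TCP 5060/5061, UDP 5060 for SIP; TCP 2000 for SCCP).
# Mapping 5061 to sip-ssl-port is an assumption.
DEFAULTS = {"sip-tcp-port": ["5060"], "sip-ssl-port": ["5061"],
            "sip-udp-port": ["5060"], "sccp-port": ["2000"]}

def parse_fortios(text):
    """Minimal FortiOS CLI parser: 'config ...'/'edit ...' open nested dicts,
    'set k v...' stores a value list, 'end'/'next' close the current level."""
    root, stack = {}, []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        node = stack[-1] if stack else root
        if words[0] in ("config", "edit"):
            stack.append(node.setdefault(" ".join(words), {}))
        elif words[0] == "set" and len(words) > 2:
            node[words[1]] = words[2:]
        elif words[0] in ("end", "next") and stack:
            stack.pop()
    return root

def alg_intercepted_ports(config):
    """Set of (proto, port) the proxy ALG intercepts, honouring options 1 to 3."""
    settings = config.get("config system settings", {})
    if settings.get("default-voip-alg-mode", ["proxy-based"])[0] != "proxy-based":
        return set()  # option 2: kernel-helper mode, the proxy ALG is out of the path
    profile = config.get("config voip profile", {}).get("edit default", {})
    enabled = lambda s: profile.get(f"config {s}", {}).get("status", ["enable"])[0] == "enable"
    port = lambda key: settings.get(key, DEFAULTS[key])  # option 1: custom ports
    ports = set()
    if enabled("sip"):  # option 3: sip/sccp status in the default profile
        ports.update(("tcp", int(p)) for k in ("sip-tcp-port", "sip-ssl-port") for p in port(k))
        ports.update(("udp", int(p)) for p in port("sip-udp-port"))
    if enabled("sccp"):
        ports.update(("tcp", int(p)) for p in port("sccp-port"))
    return ports

def intercepted(config_text, proto, port):
    return (proto, port) in alg_intercepted_ports(parse_fortios(config_text))
```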

Related Articles

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2