FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dbabic
Staff
Staff

Description

 

This article describes why FortiGate is not forwarding TCP ports 5060, 5061 and 2000.

By default, FortiGate treats

    • TCP ports 5060, 5061 and UDP port 5060 as SIP protocol.
    • TCP port 2000 as Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.

All SIP and SCCP traffic will be intercepted for inspection by VoIP ALG by default in FortiOS 5.2, 5.4 and 5.6.


Solution

 

If the VoIP ALG isn't needed, and there is an application which uses one of these ports, there are two options:

1) Change the monitored ports for VoIP traffic

Any unused ports between 1024 and 65535 can be used, however, using higher port numbers is recommended since higher ports are used less frequently for application traffic.

Monitored ports for SIP and SCCP traffic can be configured using the following CLI commands:
# config system settings
    set sip-ssl-port <port_number>
    set sip-tcp-port <port1_int> [<port2_int>]>
    set sip-udp-port <port_number>
    set sccp-port <port_number>
end
2) Change default-voip-alg-mode to kernel-helper-based

# config system settings
    set default-voip-alg-mode kernel-helper-based
end

3) Disable the ALG in the default VoIP profile which is applied even when no VoIP profile is added on the policy

 

# config voip profile
    edit default
    config sccp (for port 2000)
    set status disable
    end 
# config voip profile
    edit default
    config sip (for port 5060/5061)
    set status disable
    end 

 

Related Articles

SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2