- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigates replies on tcp/2000 and tcp/5060
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigates replies on tcp/2000 and tcp/5060
Hi all
A new behavior came up during a penetration testing that all published application (publishing is on a Cisco ASA) replies on the tcp ports 2000 and 5060. During the investigation we figured out that not the ASA replies on them, that this is the Fortigate firewall which is sitting in front of the ASA to route the traffic between two connected Internet providers. As we don't need these ports and we don't need SIP inspection and proxy function (in our case this vDOM on our Fortigate is "only" a router and has no policies in place), our approach is to disable this behavior. All filtering/inspection should apply on the ASA firewall which is on the LAN side of the Fortigate.
Based on the article https://kb.fortinet.com/kb/documentLink.do?externalID=FD36152 we found that this behavior is a normal function of the Fortigate. The only option here would be to move the ports away from the standard ports to a higher port, but not to disable this function. Means the publishings still replies, no longer on the standard 2000/5060 ports but on this other higher ports.
We got the answer back from our provider that this is a normal behavior and that it cannot be disabled, the only "workaround" is to move the ports. Is this really true, can this not be disabled? Hard for me to believe that this would apply, but if yes, it sounds for me more that this is a bug.
Thank you
Markus
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Even to use it just a router you still need to have a set, or multiple sets, of policies to let traffic come in ingress and go out egress interface. Then one of policies likely has a voip profile enabled, which is enabling sip/sccp ALG.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi
Many thanks to your reply. Yes, there are these policies configured with the ALG feature, of course. But my question is more how this can be disabled. Based on the answer I got from my provider this is not possible, the only workaround would be to move the ports for SIP and SKINNY to a higher port which is not the well-known port of the VoIP service. And I have the feeling that cannot be, it should be possible to disable this inspection entirely. What do you think?
Thanks
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try one, or all, of below:
1) When my 50E's "VoIP" visibility was originally disabled, under any policies I didn't see "voip-profile" even with "get | grep voip". So it was not configured at all. Only after I enabled it, I see it under policies and can't remove any more. But you could try "unset voip-profile" which clears profile name. Then disable the visibility. I don't see "voip-profile" setting any more with "get | grep voip" after that. If this works, that would be more preferable than 2).
2) you can create a different voip-profile with settings like below:
edit "no-sip-no-sccp-alg"
config sip
set status disable
end
config sccp
config status diable
end
next
Then apply this to your inbound policy.
3) This is supposed to be done when you want to disable both SIP session-helper and ALG, but as the result, it would disable all ALG. So I regulary have 1) and 3) at all our FGTs in place.
3-1) remove sip and h323 session helper under "config sys session helper" (in global incase muti-vdom env). Likely h323 is "edit 2" and sip is "edit 13". We remove both, and this change requires a reboot.
3-2) This is depending on version. Under "config sys settings" (in a vdom) do below:
set sip-helper disable (only older versions, 6.2 doesn't have the setting)
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
This part doesn't require reboot.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Esumi and emnoc
Thank you very much for your valuable inputs here, I forwarded it to our partner for checking.
Have a good day
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:You have a better option test b4 and after ( see output ) but use "set default-voip-alg-mode kernel-helper-based"
BPSYN1 # diag sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # diag sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
BPSYN1 # config system settings
BPSYN1 (settings) # set default-voip-alg-mode kernel-helper-based
BPSYN1 (settings) # end
BPSYN1 # diag sys tcpsock | grep 5060
BPSYN1 # diag sys tcpsock | grep 2000
Ken Felix
Hello Ken,
I tried modifications below but the firewall is still listening on TCP ports 2000 and 5060. What can I do ?
I'm on FortiOS 5.6.14 with VDOM enable.
In global mode :
config system setting
set default-voip-alg-mode kernel-helper-based end
In each VDOM (currently 3) :
config voip profile
edit "default" config sip set status disable end config sccp set status disable end next end
diagnose sys tcpsock | grep 5060 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
diagnose sys tcpsock | grep 2000 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 sockflag=0x102 rma=0 wma=0 fma=0 tma=0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you so much, i did search forever on why my app does not work (that uses tcp/2000) and got suspicios when i did see on wireshark that my client is receiving packats that the server never sent.
what an extremely stupid thing to put in hardcoded behavious for some ports, that can very well be used for something else than cisco VoIP.
Labels
-
FortiGate
6,462 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.