If you have a FortiGate firewall, you might have encountered a situation where Fortinet devices appear to have TCP ports 2000 and 5060 open, even when firewall policies are configured to block them. If an IPsec tunnel is configured, it even looks as if a telnet connection can be established on TCP 2000 and 5060 between the devices at each end of the tunnel.
Security scans will flag this as a threat.
Fortinet's Default Behavior
By default, FortiGate (FortiOS 5.2, 5.4 and 5.6) is configured to intercept and inspect all SIP and SCCP traffic: its VoIP ALG setting 'default-voip-alg-mode' is set to 'proxy-based'.
When 'default-voip-alg-mode' is set to 'proxy-based', FortiGate treats:
• TCP ports 5060 and 5061 and UDP port 5060 as SIP traffic.
• TCP port 2000 as Skinny Client Control Protocol (SCCP) traffic, a Cisco proprietary protocol for VoIP.
Because of this, telnet connections to those ports through the FortiGate appear to succeed, and security scans such as port scans may report TCP/UDP 5060 and TCP 2000 as open.
There are a few options to prevent this:
1. Change default-voip-alg-mode to kernel-helper-based.
SCCP traffic is not processed when default-voip-alg-mode is set to kernel-helper-based.
# config system setting
set default-voip-alg-mode kernel-helper-based
end
NOTE: If the unit runs multiple VDOMs, disable the SIP ALG in every VDOM concerned.
2. Disable SIP and SCCP ALG in the default VoIP profile
# config voip profile
edit "default"
config sip
set status disable
end
config sccp
set status disable
end
next
end
This should do the trick. You can verify that the FortiGate has stopped listening on the ports with:
dia sys tcpsock | grep 5060
dia sys tcpsock | grep 2000
dia sys udpsock | grep 5060
You should not see any output.
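To audit this at scale rather than by eye, the following added script (written for this post; it is not Fortinet's code and not part of the original article) parses a FortiOS CLI dump, flags the factory ALG state the post describes (proxy-based mode, SIP and SCCP enabled in the "default" VoIP profile), and then checks "diagnose sys tcpsock" / "udpsock" output for listeners on the ALG ports. The config samples are constructed; the socket-dump lines are constructed in an assumed layout (local->remote->state=... process=pid/name) and should be checked against a real unit's output before use. The full table name is "system settings"; FortiOS accepts the unambiguous prefix used in the post.

```python
import re
import shlex

# Ports the proxy-based VoIP ALG answers on its own (from the post):
# SIP on TCP 5060/5061 and UDP 5060, SCCP on TCP 2000.
ALG_PORTS = {("tcp", 5060), ("tcp", 5061), ("udp", 5060), ("tcp", 2000)}

# Constructed sample of a FortiOS dump in the factory state (the exposed one).
WEAK_CONFIG = """\
config system settings
    set default-voip-alg-mode proxy-based
end
config voip profile
    edit "default"
        config sip
            set status enable
        end
        config sccp
            set status enable
        end
    next
end
"""

# The same device after both fixes from the post have been applied.
HARDENED_CONFIG = (WEAK_CONFIG
                   .replace("proxy-based", "kernel-helper-based")
                   .replace("status enable", "status disable"))

# Constructed lines in an ASSUMED "diagnose sys tcpsock/udpsock" layout
# (not captured from a real FortiGate; only the leading "addr:port->" is parsed).
SAMPLE_TCPSOCK = """\
0.0.0.0:22->0.0.0.0:0->state=listen err=0 socktype=1 inode=1001 process=200/sshd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=1 inode=1002 process=201/sip
0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=1 inode=1003 process=202/sccp
10.0.0.1:5060->10.0.0.9:51234->state=established err=0 socktype=1 inode=1004 process=201/sip
"""
SAMPLE_UDPSOCK = """\
0.0.0.0:5060->0.0.0.0:0->state=close err=0 socktype=2 inode=1005 process=201/sip
0.0.0.0:53->0.0.0.0:0->state=close err=0 socktype=2 inode=1006 process=203/dnsproxy
"""


def parse_fortios(text):
    """Parse a FortiOS CLI dump into nested dicts.

    'config a b' opens table "a b", 'edit "x"' opens entry "x", 'set k v ...'
    stores a value, and 'next' / 'end' close the current entry / table.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # handles the quoted "default"
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def alg_findings(cfg):
    """List the ALG settings that leave TCP 2000 / 5060 answered by the FortiGate.

    A setting missing from the dump is taken as its factory default
    (proxy-based, SIP and SCCP enabled), which is exactly the exposed state.
    """
    findings = []
    mode = cfg.get("system settings", {}).get("default-voip-alg-mode", "proxy-based")
    if mode != "kernel-helper-based":
        findings.append(f"default-voip-alg-mode is '{mode}'; expected kernel-helper-based")
    profile = cfg.get("voip profile", {}).get("default", {})
    for proto in ("sip", "sccp"):
        if profile.get(proto, {}).get("status", "enable") != "disable":
            findings.append(f"{proto} ALG still enabled in the default VoIP profile")
    return findings


def listening_alg_ports(tcpsock_text, udpsock_text):
    """Return the (proto, port) pairs from the socket dumps that are ALG ports.

    TCP entries count only in 'listen' state; an established session on 5060
    is a passing call, not an open listener.
    """
    hits = set()
    for proto, text in (("tcp", tcpsock_text), ("udp", udpsock_text)):
        for line in text.splitlines():
            match = re.match(r"^\S+?:(\d+)->", line)
            if not match or (proto == "tcp" and "state=listen" not in line):
                continue
            port = (proto, int(match.group(1)))
            if port in ALG_PORTS:
                hits.add(port)
    return hits


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, alg_findings(parse_fortios(cfg_text)) or ["no ALG exposure"])
    print("ALG ports listening:", sorted(listening_alg_ports(SAMPLE_TCPSOCK, SAMPLE_UDPSOCK)))
```

Feed it the output of "show system settings", "show voip profile" and the two diagnose commands collected over SSH from each VDOM; an empty findings list together with an empty listening set is the state the post's verification step expects.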